Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

VX2 and CoolWebSearch

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 1 posts
I did the usual Spybot, CWShredder, and Ad-Aware but these pests keep returning on reboot. I looked at the Hijack This log and tried to remove items but I could not find the problem. Here is the log. Thanks for any help:

Logfile of HijackThis v1.99.0
Scan saved at 9:31:23 PM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Franklin Covey\Planner\Palm\HOTSYNC.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/cwn/Integrated%20TAXPL/Documents/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fnw.fmr.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fiisfls.fmr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE 6.0 SP1 (FID r2.0)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.fmr.com:800/wpad.dat
O4 - HKLM\..\Run: [HKCU] C:\WINDOWS\system32\cmd.exe /C Start "HKCU Updates" /MIN "C:\Program Files\current profile updates\hkcu.exe"
O4 - HKLM\..\Run: [LockWS] LockWS.exe
O4 - HKLM\..\Run: [CheckRights] C:\Program Files\Fidelity\Security Configuration\chkrights.exe
O4 - HKLM\..\Run: [SystemVBS] C:\WINDOWS\System.VBS
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CgaHelper] C:\PROGRA~1\CYBERG~1\cgahelp.exe -check
O4 - HKLM\..\Run: [CgaViewer] C:\PROGRA~1\CYBERG~1\cgav.exe -check
O4 - HKLM\..\Run: [TOA_Runs] C:\WINDOWS\RVpnc.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\kyvuuw.exe
O4 - HKCU\..\Run: [Sametime Connect] C:\Program Files\Lotus\Sametime Client\Connect.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: GetName.bat.lnk = C:\Infrtool\GetName.bat
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: nykggh.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://fnw.fmr.com/
O15 - Trusted Zone: *.bostoncoach.com
O15 - Trusted Zone: *.fid-intl.com
O15 - Trusted Zone: *.fidelity.ca
O15 - Trusted Zone: *.fidelity.com
O15 - Trusted Zone: *.fidelityinv.com
O15 - Trusted Zone: *.fmr.com
O15 - Trusted Zone: *.fmrco.com
O15 - Trusted Zone: *.maxxess.com
O15 - Trusted Zone: *.veritude.com
O15 - Trusted Zone: *.bostoncoach.com (HKLM)
O15 - Trusted Zone: *.fid-intl.com (HKLM)
O15 - Trusted Zone: *.fidelity.ca (HKLM)
O15 - Trusted Zone: *.fidelity.com (HKLM)
O15 - Trusted Zone: *.fidelityinv.com (HKLM)
O15 - Trusted Zone: *.fmr.com (HKLM)
O15 - Trusted Zone: *.fmrco.com (HKLM)
O15 - Trusted Zone: *.maxxess.com (HKLM)
O15 - Trusted Zone: *.veritude.com (HKLM)
O16 - DPF: JavaConnect - file://C:\SISD\JavaConnect.cab
O16 - DPF: Sametime BroadCast Client ST30IF2 - file://C:\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST20 - http://sametime.fmr....gRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\SISD\STMeetingRoomClient.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} (Altiris ClientBootstraper Class) - http://fiscmmk650win...ntBootstrap.cab
O16 - DPF: {396A77D2-EDFD-423E-B695-FDA81675BA10} - http://pchealthcente...ealthClient.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installsh...ll/iftwclix.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://fcreweb.fmr.com/mgaxctrl.cab
O16 - DPF: {6E10F5D1-B3E1-4BC2-8E6F-DD859F10F66F} (CAgentLauncher Class) - http://antivirus.fmr.../CGAgentATL.dll
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://fiisfls.fmr.c...tivexviewer.cab
O16 - DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} (PVCS VM I-NET Client for MSIE) - http://dfpcmsbos02.f...es/vmi660ie.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://access0.fide...mr.com,CT=java
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.3 [ENU]) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fmr.com
O17 - HKLM\Software\..\Telephony: DomainName = fmr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FE69FFD-B0A4-4212-B41F-C25C5EC32F0C}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fmr.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fmr.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{4FE69FFD-B0A4-4212-B41F-C25C5EC32F0C}: NameServer =,
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fmr.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{4FE69FFD-B0A4-4212-B41F-C25C5EC32F0C}: NameServer =,
O23 - Service: Altiris Agent - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberGatekeeper Agent - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Contivity VPN Service - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Fidelity Workstation Configuration Service - Fidelity Investments - C:\Program Files\Fidelity\Security Configuration\fconfsvc.exe
O23 - Service: IBM Agent Controller - ECLIPSE - C:\Program Files\IBM\IBM Agent Controller\bin\RAService.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Rational ClearQuest Mail Service - Unknown - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\WINDOWS\system32\ppRemoteService.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: RUMBA AS/400 Shared Folders - NetManage Incorporated - C:\WINDOWS\System32\wdnpsvc.exe
  • 0




    Founder Geek

  • Administrator
  • 24,490 posts
Looks like the Narrator Trojan. Let's try this TDS: http://www.geekstogo...=download&id=45

  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP