Search Engines Hijacked [RESOLVED]


This topic is locked

#1 dambromr (Member, 15 posts)
All search engines give the same strange results - I believe that my Internet Explorer is "possessed."

Have used Norton Anti-Virus, SBC Yahoo Anti-Spy, and Spybot to clean the computer.
I have run Hijack This and pasted my log below:

Logfile of HijackThis v1.99.1
Scan saved at 8:41:20 AM, on 8/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINDOWS\netps.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\d3wx32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mike\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gem.jsu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.31.81.22 www.google.ae www.google.am www.google.as www.google.at www.google.az www.google.be www.google.bi
O1 - Hosts: 69.31.81.22 www.google.ca www.google.cd www.google.cg www.google.ch www.google.ci www.google.cl www.google.co.cr
O1 - Hosts: 69.31.81.22 www.google.co.hu www.google.co.il www.google.co.in www.google.co.je www.google.co.jp www.google.co.ke www.google.co.kr
O1 - Hosts: 69.31.81.22 www.google.co.ls www.google.co.nz www.google.co.th www.google.co.ug www.google.co.uk www.google.co.ve www.google.com
O1 - Hosts: 69.31.81.22 www.google.com.ag www.google.com.ar www.google.com.au www.google.com.br www.google.com.co www.google.com.cu www.google.com.do
O1 - Hosts: 69.31.81.22 www.google.com.ec www.google.com.fj www.google.com.gi www.google.com.gr www.google.com.gt www.google.com.hk www.google.com.ly
O1 - Hosts: 69.31.81.22 www.google.com.mt www.google.com.mx www.google.com.my www.google.com.na www.google.com.nf www.google.com.ni www.google.com.np
O1 - Hosts: 69.31.81.22 www.google.com.pa www.google.com.pe www.google.com.ph www.google.com.pk www.google.com.pr www.google.com.py www.google.com.sa
O1 - Hosts: 69.31.81.22 www.google.com.sg www.google.com.sv www.google.com.tr www.google.com.tw www.google.com.ua www.google.com.uy www.google.com.vc
O1 - Hosts: 69.31.81.22 www.google.com.vn www.google.de www.google.dj www.google.dk www.google.es www.google.fi www.google.fm
O1 - Hosts: 69.31.81.22 www.google.fr www.google.gg www.google.gl www.google.gm www.google.hn www.google.ie www.google.it
O1 - Hosts: 69.31.81.22 www.google.kz www.google.li www.google.lt www.google.lu www.google.lv www.google.mn www.google.ms
O1 - Hosts: 69.31.81.22 www.google.mu www.google.mw www.google.nl www.google.no www.google.off.ai www.google.pl www.google.pn
O1 - Hosts: 69.31.81.22 www.google.pt www.google.ro www.google.ru www.google.rw www.google.se www.google.sh www.google.sk
O1 - Hosts: 69.31.81.22 www.google.sm www.google.td www.google.tm www.google.tt www.google.uz www.google.vg google.ae
O1 - Hosts: 69.31.81.22 google.am google.as google.at google.az google.be google.bi google.ca
O1 - Hosts: 69.31.81.22 google.cd google.cg google.ch google.ci google.cl google.co.cr google.co.hu
O1 - Hosts: 69.31.81.22 google.co.il google.co.in google.co.je google.co.jp google.co.ke google.co.kr google.co.ls
O1 - Hosts: 69.31.81.22 google.co.nz google.co.th google.co.ug google.co.uk google.co.ve google.com google.com.ag
O1 - Hosts: 69.31.81.22 google.com.ar google.com.au google.com.br google.com.co google.com.cu google.com.do google.com.ec
O1 - Hosts: 69.31.81.22 google.com.fj google.com.gi google.com.gr google.com.gt google.com.hk google.com.ly google.com.mt
O1 - Hosts: 69.31.81.22 google.com.mx google.com.my google.com.na google.com.nf google.com.ni google.com.np google.com.pa
O1 - Hosts: 69.31.81.22 google.com.pe google.com.ph google.com.pk google.com.pr google.com.py google.com.sa google.com.sg
O1 - Hosts: 69.31.81.22 google.com.sv google.com.tr google.com.tw google.com.ua google.com.uy google.com.vc google.com.vn
O1 - Hosts: 69.31.81.22 google.de google.dj google.dk google.es google.fi google.fm google.fr
O1 - Hosts: 69.31.81.22 google.gg google.gl google.gm google.hn google.ie google.it google.kz
O1 - Hosts: 69.31.81.22 google.li google.lt google.lu google.lv google.mn google.ms google.mu
O1 - Hosts: 69.31.81.22 google.mw google.nl google.no google.off.ai google.pl google.pn google.pt
O1 - Hosts: 69.31.81.22 google.ro google.ru google.rw google.se google.sh google.sk google.sm
O1 - Hosts: 69.31.81.22 google.td google.tm google.tt google.uz google.vg search.yahoo.com ar.search.yahoo.com
O1 - Hosts: 69.31.81.22 br.search.yahoo.com ca.search.yahoo.com cf.search.yahoo.com mx.search.yahoo.com espanol.search.yahoo.com au.search.yahoo.com ct.search.yahoo.com
O1 - Hosts: 69.31.81.22 fr.search.yahoo.com de.search.yahoo.com it.search.yahoo.com uk.search.yahoo.com search.msn.com search.msn.at search.sympatico.msn.ca
O1 - Hosts: 69.31.81.22 search.msn.co.za search.ninemsn.com.au search.xtramsn.co.nz search.msn.co.uk search.msn.be search.msn.dk search.msn.fi
O1 - Hosts: 69.31.81.22 search.msn.fr search.msn.de search.msn.it search.msn.nl search.msn.no search.msn.es uk.search.msn.com
O1 - Hosts: 69.31.81.22 search.msn.se search.msn.ch search.msn.co.in search.msn.com.sg toolbar.search.msn.com beta.search.msn.com beta.search.msn.at
O1 - Hosts: 69.31.81.22 beta.search.sympatico.msn.ca beta.search.msn.co.za beta.search.ninemsn.com.au beta.search.xtramsn.co.nz beta.search.msn.co.uk beta.search.msn.be beta.search.msn.dk
O1 - Hosts: 69.31.81.22 beta.search.msn.fi beta.search.msn.fr beta.search.msn.de beta.search.msn.it beta.search.msn.nl beta.search.msn.no beta.search.msn.es
O1 - Hosts: 69.31.81.22 beta.search.msn.se beta.search.msn.ch beta.search.msn.co.in beta.search.msn.com.sg auto.search.msn.com www.alexa.com alexa.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {FD61B84C-0010-955A-086A-0FC97935B74A} - C:\WINDOWS\sysen.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [addpt.exe] C:\WINDOWS\system32\addpt.exe
O4 - HKLM\..\Run: [netps.exe] C:\WINDOWS\netps.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\rmeecccv.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc...m::/on-line.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.213...hm::/update.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102791895983
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3wx32.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


Thank you much.
-Mike D
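A way to triage a HijackThis log like the one above for the patterns the replies go on to call out, as an added example that is not part of the original post and not HijackThis's own code: the rules and severities are my own heuristics, and the sample lines are a constructed subset copied from the posted log (the benign lines are there to show what the rules leave alone).

```python
"""Rule-based triage of a HijackThis 1.99.1 log.

Added example, not HijackThis code. The severities and the rules are my own
heuristics; a real triage still checks each flagged path by hand.
"""
import re
from typing import List, Optional, Tuple

# Constructed subset of the log posted above: one line per pattern of interest,
# plus a few benign lines to show what the rules leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gem.jsu.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.31.81.22 www.google.com search.yahoo.com search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {FD61B84C-0010-955A-086A-0FC97935B74A} - C:\WINDOWS\sysen.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [netps.exe] C:\WINDOWS\netps.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102791895983
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\rmeecccv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3wx32.exe
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # the only addresses that belong in front of a public name
DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*$")  # first drive-letter path inside an entry
WINDIR_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)  # file directly in %WINDIR%

Finding = Tuple[str, str, str]  # (section, severity, reason)


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when a log line matches a hijack pattern, else None."""
    kind, _, body = line.rstrip().partition(" - ")
    if kind in ("R0", "R1"):
        # A res:// URL means IE's search page is an HTML resource inside a local DLL.
        m = re.search(r"= (res://\S+)", body)
        if m:
            return ("high", "IE search setting served from a local DLL resource: " + m.group(1))
    elif kind == "O1":
        # hosts entries that map public names to anything but loopback redirect traffic.
        m = re.match(r"Hosts: (\S+)\s+(.+)", body)
        if m and m.group(1) not in LOOPBACK:
            names = m.group(2).split()
            return ("high", f"hosts file resolves {len(names)} name(s) such as {names[0]} to {m.group(1)}")
    elif kind in ("O2", "O4"):
        # Legitimate software installs under Program Files or System32; a loose
        # file dropped straight into C:\WINDOWS is a common dropper habit.
        m = DRIVE_PATH.search(body)
        if m:
            path = m.group(0).split('"')[0].strip()
            if WINDIR_ROOT.match(path):
                return ("medium", f"{kind} loads a file sitting directly in the Windows directory: {path}")
    elif kind == "O16":
        # Downloaded Program Files should be CABs fetched from the web, not local
        # files or ms-its:/mhtml: handler tricks that end in an executable.
        if "file://" in body or "ms-its:" in body:
            return ("high", "ActiveX download entry uses a file:// or ms-its: URL: " + body)
    elif kind == "O23":
        name = body[len("Service: "):].split(" - ")[0]
        if "Unknown owner" in body or any(ord(c) > 126 for c in name):
            return ("high", f"service with unknown owner or non-printable name: {name!r}")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the hits, tagged with their section."""
    findings: List[Finding] = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((line.split(" - ", 1)[0], hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for section, severity, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {reason}")
```

Run against the full log, the hits line up with the entries the replies mark for removal. The O4 rule is deliberately narrow (addpt.exe under System32 slips past it), which is why a person still reads the whole list rather than trusting the script.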



#2 Rawe (Visiting Staff, 4,746 posts)
Hello and welcome!

OK, you definitely have an infection. Your log looks quite interesting, actually.

Let's get started.

Please print these instructions out, or write them down, as you can't read them during the fix.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. C:\SpSeHjfix).

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp! Click CleanUp and allow it to delete all the temporary files. REBOOT!!

Please run a free online anti-virus scan: Kaspersky, or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

- Rawe

#3 dambromr (Topic Starter, Member, 15 posts)
Hey, thanks! The search engine problem seems to be fixed - nice work. Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:52 AM, on 8/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINDOWS\netps.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\addui32.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gem.jsu.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.31.81.22 beta.search.msn.fi beta.search.msn.fr beta.search.msn.de beta.search.msn.it beta.search.msn.nl beta.search.msn.no beta.search.msn.es
O1 - Hosts: 69.31.81.22 beta.search.msn.fi beta.search.msn.fr beta.search.msn.de beta.search.msn.it beta.search.msn.nl beta.search.msn.no beta.search.msn.es
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {FD61B84C-0010-955A-086A-0FC97935B74A} - C:\WINDOWS\sysen.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [addpt.exe] C:\WINDOWS\system32\addpt.exe
O4 - HKLM\..\Run: [netps.exe] C:\WINDOWS\netps.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [addui32.exe] C:\WINDOWS\addui32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\rmeecccv.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc...m::/on-line.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.213...hm::/update.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102791895983
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3wx32.exe (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


Here is the About:Buster log:
AboutBuster 5.0 reference file 31
Scan started on [8/9/2005] at [7:52:45 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Active Setup Log.BAK:bvxzeo
Removed Stream! C:\WINDOWS\auohk.log:twieyq
Removed Stream! C:\WINDOWS\BJCFDins.log:nzjljf
Removed Stream! C:\WINDOWS\BJCFDins.log:rnqqxk
Removed Stream! C:\WINDOWS\boxlj.dat:wowhar
Removed Stream! C:\WINDOWS\clock.avi:pppmdc
Removed Stream! C:\WINDOWS\COM+.log:hhapbt
Removed Stream! C:\WINDOWS\comsetup.log:uajhxy
Removed Stream! C:\WINDOWS\CTDVAUDY.CDF:uhysxw
Removed Stream! C:\WINDOWS\desktop.ini:vgnfys
Removed Stream! C:\WINDOWS\DtcInstall.log:sgdazt
Removed Stream! C:\WINDOWS\ealgq.txt:qanazf
Removed Stream! C:\WINDOWS\Gone Fishing.bmp:aoxlzi
Removed Stream! C:\WINDOWS\hnrim.dat:jrjdkb
Removed Stream! C:\WINDOWS\hpiins01.dat:cvroqv
Removed Stream! C:\WINDOWS\hpiins01.dat:hoildt
Removed Stream! C:\WINDOWS\hpimdl01.dat:bsciel
Removed Stream! C:\WINDOWS\iis6.log:sjxhiq
Removed Stream! C:\WINDOWS\imsins.BAK:gezlqn
Removed Stream! C:\WINDOWS\imsins.log:usmwyn
Removed Stream! C:\WINDOWS\INSTALL(2).INI:czfnma
Removed Stream! C:\WINDOWS\INSTALL(3).INI:czfnma
Removed Stream! C:\WINDOWS\INSTALL(3).INI:vwrumi
Removed Stream! C:\WINDOWS\INSTALL(4).INI:czfnma
Removed Stream! C:\WINDOWS\INSTALL.INI:czfnma
Removed Stream! C:\WINDOWS\jautoexp.dat:mtfbay
Removed Stream! C:\WINDOWS\joivr.log:fxnmhs
Removed Stream! C:\WINDOWS\jrxsa.log:fqqtfs
Removed Stream! C:\WINDOWS\KB828741.log:oxkaot
Removed Stream! C:\WINDOWS\KB873376.log:ezijqy
Removed Stream! C:\WINDOWS\KB887822.log:txtady
Removed Stream! C:\WINDOWS\kywgu.log:nhgzaz
Removed Stream! C:\WINDOWS\mabmz.dat:bjahzv
Removed Stream! C:\WINDOWS\mabmz.dat:wdhmhk
Removed Stream! C:\WINDOWS\msgsocm.log:rfodxk
Removed Stream! C:\WINDOWS\msgsocm.log:sveahz
Removed Stream! C:\WINDOWS\msgsocm.log:uktmtf
Removed Stream! C:\WINDOWS\msgsocm.log:yqrddz
Removed Stream! C:\WINDOWS\msmqinst.log:mhuues
Removed Stream! C:\WINDOWS\nzyla.txt:finiyc
Removed Stream! C:\WINDOWS\n_alhmay.log:khkxmt
Removed Stream! C:\WINDOWS\n_alhmay.log:lwxojj
Removed Stream! C:\WINDOWS\n_cmximt.log:holezf
Removed Stream! C:\WINDOWS\n_cmximt.log:xjfnaf
Removed Stream! C:\WINDOWS\n_cqrncc.log:rgqxsc
Removed Stream! C:\WINDOWS\n_cqrncc.log:uadche
Removed Stream! C:\WINDOWS\n_dpdjmq.log:qbqsvp
Removed Stream! C:\WINDOWS\n_fnrcdp.log:ctnbcw
Removed Stream! C:\WINDOWS\n_icuhar.txt:wpowsa
Removed Stream! C:\WINDOWS\n_inpops.log:mtxgwy
Removed Stream! C:\WINDOWS\n_ksydya.dat:dxhtdl
Removed Stream! C:\WINDOWS\n_lxtiod.txt:acxmjf
Removed Stream! C:\WINDOWS\n_lxtiod.txt:bdblrc
Removed Stream! C:\WINDOWS\n_ovvhks.txt:fuqlyj
Removed Stream! C:\WINDOWS\n_ovvhks.txt:itqsuj
Removed Stream! C:\WINDOWS\n_qdithx.txt:vrkmux
Removed Stream! C:\WINDOWS\n_syapoh.dat:bubxpt
Removed Stream! C:\WINDOWS\n_syapoh.dat:osczoz
Removed Stream! C:\WINDOWS\n_tcyhlk.dat:dienyn
Removed Stream! C:\WINDOWS\n_tcyhlk.dat:rtisya
Removed Stream! C:\WINDOWS\n_tcyhlk.dat:uyogtl
Removed Stream! C:\WINDOWS\n_tcyhlk.dat:xniyst
Removed Stream! C:\WINDOWS\n_ugktst.dat:gtvfqk
Removed Stream! C:\WINDOWS\n_utajel.log:tvtcre
Removed Stream! C:\WINDOWS\n_uvqhcq.txt:zmnkku
Removed Stream! C:\WINDOWS\n_vueyaz.dat:mwmhlg
Removed Stream! C:\WINDOWS\n_zrocgj.log:hczlpk
Removed Stream! C:\WINDOWS\n_zrocgj.log:mdxoim


Here is the SpSeHjfix log:


(8/9/05 8:01:04 PM) SPSeHjFix started v1.1.2
(8/9/05 8:01:04 PM) OS: WinXP (5.1.2600)
(8/9/05 8:01:04 PM) Language: english
(8/9/05 8:01:04 PM) Win-Path: C:\WINDOWS
(8/9/05 8:01:04 PM) System-Path: C:\WINDOWS\System32
(8/9/05 8:01:04 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(8/9/05 8:01:12 PM) Disinfection started
(8/9/05 8:01:12 PM) Bad-Dll(IEP): (not found)
(8/9/05 8:01:12 PM) Bad-Dll(IEP) in BHO: (not found)
(8/9/05 8:01:12 PM) UBF: 8 - UBB: 1 - UBR: 19
(8/9/05 8:01:12 PM) UBF: 8 - UBB: 1 - UBR: 19
(8/9/05 8:01:12 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
(8/9/05 8:01:12 PM) Stealth-String not found
(8/9/05 8:01:12 PM) Not infected->END


Thanks again for your help! Please let me know if anything you see here still looks a little fishy...

-Mike D
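Comparing the first and second logs the way the next reply does by hand, as an added example that is not part of the original post or of HijackThis: it reports which entries the first pass removed, which are new, and which persist, and treats HijackThis's "(file missing)" suffix as a flag on an entry rather than as part of it. The two samples are constructed subsets copied from the two logs posted in this thread; the function names are mine.

```python
"""Diff two HijackThis logs taken before and after a cleanup pass.

Added example, not HijackThis code. The two samples are constructed subsets
copied from the logs posted in this thread; function names are mine.
"""
import re
from typing import Dict, List

ENTRY = re.compile(r"^(R\d|O\d+) - ")  # only R0/R1/R3 and Onn lines are entries
FILE_MISSING = " (file missing)"       # HijackThis appends this when the target file is gone

# Constructed subset of the first log (8/9/2005).
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zpquw.dll/sp.html#93256
O1 - Hosts: 69.31.81.22 www.google.com search.yahoo.com search.msn.com
O2 - BHO: Class - {FD61B84C-0010-955A-086A-0FC97935B74A} - C:\WINDOWS\sysen.dll
O4 - HKLM\..\Run: [netps.exe] C:\WINDOWS\netps.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3wx32.exe
"""

# Constructed subset of the second log (8/10/2005), after about:buster, CWShredder and SpSeHjfix.
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Class - {FD61B84C-0010-955A-086A-0FC97935B74A} - C:\WINDOWS\sysen.dll
O4 - HKLM\..\Run: [netps.exe] C:\WINDOWS\netps.exe
O4 - HKLM\..\RunOnce: [addui32.exe] C:\WINDOWS\addui32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3wx32.exe (file missing)
"""


def parse_entries(text: str) -> Dict[str, bool]:
    """Map each entry line (minus any '(file missing)' suffix) to whether it carried that suffix."""
    entries: Dict[str, bool] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not ENTRY.match(line):
            continue  # headers, the process list and blank lines are not entries
        missing = line.endswith(FILE_MISSING)
        if missing:
            line = line[: -len(FILE_MISSING)]
        entries[line] = missing
    return entries


def compare_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Classify entries as removed, added or persisting; list persisting entries whose file is gone."""
    b, a = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(set(b) - set(a)),
        "added": sorted(set(a) - set(b)),
        "persisting": sorted(set(a) & set(b)),
        "file_missing": sorted(line for line, missing in a.items() if missing),
    }


if __name__ == "__main__":
    for bucket, lines in compare_logs(BEFORE_LOG, AFTER_LOG).items():
        print(f"== {bucket} ({len(lines)})")
        for line in lines:
            print("   ", line)
```

Two of the buckets carry the security point. A RunOnce entry that appears between two passes (addui32.exe here) suggests a component that was still running re-armed itself, so the persisting Run entries are live, not leftovers. An O23 entry that now reads "(file missing)" means the binary was removed but the service registration was not, which is why the next reply both disables the service and deletes it by name.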

#4 Rawe (Visiting Staff, 4,746 posts)
Yep, it's not clean yet. But we cleaned most of the CoolWebSearch hijack, though. ;)

Please print these instructions out, or write them down, as you can't read them during the fix.

Download Hoster.zip

Unzip it to its own folder on the desktop, and run it:

Hit "Restore Original Hosts" and click "Ok".
Exit Hoster.

Now do this:

Click Start => Run => and type in:

services.msc

Click "OK".

In the services window find service; Remote Procedure Call (RPC) Helper
(Might be Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I))

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.

Run a scan with HiJackThis and check the following objects for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FD61B84C-0010-955A-086A-0FC97935B74A} - C:\WINDOWS\sysen.dll
O4 - HKLM\..\Run: [addpt.exe] C:\WINDOWS\system32\addpt.exe
O4 - HKLM\..\Run: [netps.exe] C:\WINDOWS\netps.exe
O4 - HKLM\..\RunOnce: [addui32.exe] C:\WINDOWS\addui32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\rmeecccv.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc...m::/on-line.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d:\foo.mht!http://69.50.166.213...hm::/update.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3wx32.exe (file missing)


Close any other open windows, making sure only HiJackThis is running, and hit "Fix Checked".
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "delete an NT service"
  • Copy and paste this in: 11Fßä#·ºÄÖ`I
    NOTE! It is IMPORTANT that there is a SPACE before the first number 1 or it will NOT work!
  • Click "Ok", then reboot
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Using Windows Explorer, locate the following files and delete each one of them if present;

C:\WINDOWS\sysen.dll
C:\WINDOWS\system32\addpt.exe
C:\WINDOWS\netps.exe
C:\WINDOWS\addui32.exe
C:\WINDOWS\web\related.htm
C:\Program Files\Internet Explorer\rmeecccv.exe


Run CleanUp! again.
Reboot into normal mode.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Run this online scan next, and post its results too;
Panda Activescan

Post a fresh HiJackThis log along with the Panda & SpySweeper logs.

- Rawe :tazz:
  • 0
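As an added example (not code from this thread, from Rawe, or from HijackThis), here is a small Python triage script that applies, to a constructed handful of log lines modelled on the ones quoted above, the kinds of rules a helper uses when picking HijackThis entries to fix: IE search and start pages served out of a local DLL via res://, a missing default URLSearchHook, a BHO loaded straight from the Windows directory, a Run value named after its own executable, a DPF object sourced through ms-its:/file:// rather than HTTP, and a service whose binary is missing or whose owner is unknown. The rules are assumptions distilled from the entries Rawe selected, not HijackThis's own logic, and the sample lines (including the placeholder host in the O16 entry) are constructed for the example.

```python
"""Triage heuristics for HijackThis v1.99.1 log lines.

Added example for this thread, not code from the forum or from
HijackThis. The rules are assumptions distilled from the entries the
helper picked for removal; the sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on lines quoted in the thread.
# The O16 host is a placeholder, not the address from the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zpquw.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FD61B84C-0010-955A-086A-0FC97935B74A} - C:\WINDOWS\sysen.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [netps.exe] C:\WINDOWS\netps.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://C:\foo.mht!http://host.invalid/x.chm::/update.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown owner - C:\WINDOWS\d3wx32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# "R1 - ..." / "O23 - ..." section tag followed by the entry body.
ENTRY = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in a loadable module; spaces allowed.
MODULE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)\b", re.IGNORECASE)
# A file that sits directly in the Windows directory, not a subfolder.
WINDOWS_ROOT_FILE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)
# "[value name] command line" as HijackThis prints O4 entries.
RUN_KEY = re.compile(r"\[([^\]]+)\]\s*(.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding when one heuristic matches, otherwise None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group(1), m.group(2)
    low = body.lower()
    found = MODULE_PATH.search(body)
    path = found.group(0) if found else ""

    if sec in ("R0", "R1") and "res://" in low and ".dll" in low:
        return Finding(sec, "IE search/start page served from a local DLL resource", line)
    if sec == "R3" and "missing" in low:
        return Finding(sec, "default URLSearchHook has been removed", line)
    if sec == "O2" and WINDOWS_ROOT_FILE.match(path):
        return Finding(sec, "BHO loaded straight from the Windows directory", line)
    if sec == "O4":
        run = RUN_KEY.search(body)
        if run and run.group(1).lower().endswith(".exe"):
            return Finding(sec, "autorun value named after its own executable", line)
        if WINDOWS_ROOT_FILE.match(path):
            return Finding(sec, "autorun target sits in the Windows directory root", line)
    if sec == "O16" and ("ms-its:" in low or "file://" in low):
        return Finding(sec, "DPF object sourced via ms-its:/file:// instead of HTTP", line)
    if sec == "O23" and ("(file missing)" in low or "unknown owner" in low):
        return Finding(sec, "service with missing binary or unknown owner", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every line of a HijackThis log through the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        f = check_line(raw)
        if f:
            findings.append(f)
    return findings


def flagged_sections(log_text: str) -> List[str]:
    """Section tags of the flagged entries, in log order."""
    return [f.section for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against a full log it prints each suspicious entry with the rule that matched; an entry the rules do not flag is not thereby clean (the empty HKLM Start Page above, for instance, was still on Rawe's fix list), so treat the output as a shortlist for a human to confirm, not a verdict.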

#5
dambromr
    Member
  • Topic Starter
  • Member
  • 15 posts
Rawe,

I am midway through your second set of instructions. I am actually stuck on 'reboot in safe mode' (which worked fine for me the first time I did it). I had hit F8 repeatedly, hit it once, held it, and even hit the number lock key to change that setting. I hear beeping when I press F8, but I cannot get the safe mode menu to appear.

-Mike D
  • 0

#6
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
.. I just noticed you don't have any Service Packs.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP, or Service Pack 4 if you are running Win2k. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here
Apply the update, reboot, and post a fresh Hijack This log.

We need to do this first. You're literally wide open for reinfection without the update.

Do NOT install Service Pack 2 yet!

- Rawe :tazz:

Edited by Rawe, 13 August 2005 - 03:03 AM.

  • 0

#7
dambromr
    Member
  • Topic Starter
  • Member
  • 15 posts
Rawe,


When I go to the Windows update site and follow the directions, it appears that only Service Pack 2 is available - how can I get 1A?

Also, do you recommend that I keep Windows's 'Automatic Update' turned on or off?

Thanks again,
Mike D
  • 0

#8
dambromr
    Member
  • Topic Starter
  • Member
  • 15 posts
Sorry Rawe,

You may also want to see the current log:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:45 AM, on 8/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gem.jsu.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Class - {8DFA205E-18F5-B63D-E0A9-846F83DE2040} - C:\WINDOWS\apitk32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123945209841
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123945663029
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


-Mike D
  • 0

#9
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)
  • Click on Windows Validation Assistant
  • Click on the Validate Now button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click continue
  • When it says "Validation Complete" please click Continue to return to your previous activity
  • Copy what it says and paste it here.
- Rawe :tazz:
  • 0

#10
dambromr
    Member
  • Topic Starter
  • Member
  • 15 posts
Rawe,

It seems that every avenue you send me down is not going my way. The validation process ended OK:

"Thank You
Thank you for running the Windows Validation Assistant. It appears that your Windows Product Key is valid.

This is a strong indicator that your operating system is genuine, however the Windows Validation Assistant cannot make a final determination.


To verify that you received a genuine Certificate of Authenticity and software CD, compare your anti-piracy features in the next section."


The Anti-Piracy section did not go so well. My disk is not holographic at all - I purchased at the University of Cincinnati bookstore last summer just before their group license expired. I took a picture of it for you but this site did not allow me to attach it. So if you go to my website, www.mikedambrosio.net I have temporarily placed the picture at the bottom right for you to see. I paid money for it and have a product code.

If there is something wrong with my product, why does the Microsoft site have no problem with letting me download Service Pack 2?

-Mike D
  • 0

#11
dambromr
    Member
  • Topic Starter
  • Member
  • 15 posts
Correction, my XP was purchased in Summer 2001 (not last summer).

-MD
  • 0

#12
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
No problem there. I remember you said you were unable to follow my earlier instructions (just before I noticed you had no service packs), since you couldn't reboot into Safe Mode. See the following site for a little more info about it, and see if you can complete those steps for me ;)

http://www.pchell.co.../safemode.shtml

- Rawe :tazz:
  • 0

#13
dambromr
    Member
  • Topic Starter
  • Member
  • 15 posts
Alright, cool. That other method of reaching the safe mode worked just fine. Here are the results from Spy Sweeper:

********
5:00 PM: |··· Start of Session, Saturday, August 13, 2005 ···|
5:00 PM: Spy Sweeper started
5:00 PM: Sweep initiated using definitions version 516
5:00 PM: Starting Memory Sweep
5:02 PM: Memory Sweep Complete, Elapsed Time: 00:01:51
5:02 PM: Starting Registry Sweep
5:02 PM: Found Adware: cws_ns3
5:02 PM: HKCR\clsid\{18df9808-f6c9-984b-ede3-0b7624ec452a}\ (4 subtraces) (ID = 118093)
5:02 PM: HKCR\clsid\{85e6b001-b482-61ae-78c6-6eae60d74d00}\ (4 subtraces) (ID = 118284)
5:02 PM: HKCR\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 118649)
5:02 PM: HKCR\clsid\{a175dfd6-96f2-00dd-aca4-626f71f56520}\ (2 subtraces) (ID = 118769)
5:02 PM: HKLM\software\classes\clsid\{18df9808-f6c9-984b-ede3-0b7624ec452a}\ (4 subtraces) (ID = 119964)
5:02 PM: HKLM\software\classes\clsid\{85e6b001-b482-61ae-78c6-6eae60d74d00}\ (4 subtraces) (ID = 120140)
5:02 PM: HKLM\software\classes\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 120496)
5:02 PM: HKLM\software\classes\clsid\{a175dfd6-96f2-00dd-aca4-626f71f56520}\ (2 subtraces) (ID = 120608)
5:02 PM: HKLM\software\microsoft\windows\currentversion\uninstall\hsa\ (2 subtraces) (ID = 123379)
5:02 PM: HKLM\software\microsoft\windows\currentversion\uninstall\se\ (2 subtraces) (ID = 123380)
5:02 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sw\ (2 subtraces) (ID = 123381)
5:02 PM: Found Trojan Horse: trojan-downloader-hidd
5:02 PM: HKU\S-1-5-21-1060284298-299502267-682003330-1003\software\microsoft\windows\currentversion\nur\ (1 subtraces) (ID = 144689)
5:02 PM: Registry Sweep Complete, Elapsed Time:00:00:05
5:02 PM: Starting Cookie Sweep
5:02 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:02 PM: Starting File Sweep
5:02 PM: Found Adware: virtualbouncer
5:02 PM: c:\documents and settings\all users\application data\vbouncer (2 subtraces) (ID = -2147480097)
5:02 PM: Found Adware: cws_tiny0
5:02 PM: ctdv10k2.cdf:aisuvd (ID = 56768)
5:02 PM: n_vueyaz.dat:nzyunw (ID = 56768)
5:02 PM: Found Adware: clkoptimizer
5:02 PM: qagvy.dat (ID = 93646)
5:02 PM: oqseo.log:pmuyap (ID = 56768)
5:02 PM: netlo32.exe (ID = 56768)
5:02 PM: javabw32.exe (ID = 56768)
5:02 PM: q810577.log:qhncex (ID = 56768)
5:02 PM: encore_launcher.ini:nsuyj (ID = 56768)
5:02 PM: rrkui.txt:qfodrw (ID = 56768)
5:02 PM: vpc32.ini:sezbaf (ID = 56768)
5:02 PM: ipud.exe (ID = 56768)
5:02 PM: wiaservc.log:joeldf (ID = 56768)
5:02 PM: n_dpdjmq.log:apdjbp (ID = 56768)
5:02 PM: n_ovvhks.txt:telqtm (ID = 56768)
5:03 PM: explorer.scf:bbgnbp (ID = 56768)
5:03 PM: Warning: Failed to read file "c:\windows\:zxgpog". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:03 PM: n_pnquzc.txt:oqhbml (ID = 56768)
5:03 PM: sti_trace.log:ddhwpt (ID = 56768)
5:03 PM: joivr.log:uaxtod (ID = 56768)
5:03 PM: Found Adware: abetterinternet
5:03 PM: tcvlyww.exe (ID = 129837)
5:03 PM: msdfmap.ini:fzreuc (ID = 56768)
5:03 PM: Warning: Failed to read file "c:\windows\:auohky". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:03 PM: q329834.log:xlxazg (ID = 56768)
5:03 PM: kb833987.log:yijzzc (ID = 56768)
5:03 PM: comsetup.log:hizrxm (ID = 56768)
5:04 PM: steelhead.log:xqmklf (ID = 56768)
5:04 PM: ocmsn.log:gozcrv (ID = 56811)
5:05 PM: n_utajel.log:juaxad (ID = 56768)
5:05 PM: swsettings.xml (ID = 82816)
5:05 PM: Warning: Failed to read file "c:\windows\:aixuv". System Error. Code: 123.
The filename, directory name, or volume label syntax is incorrect
5:05 PM: Warning: Failed to read file "c:\windows\". System Error. Code: 3.
The system cannot find the path specified
5:05 PM: abiuninst.htm (ID = 83087)
5:05 PM: xlctg.txt:wokejl (ID = 56768)
5:05 PM: feathertexture.bmp:kywguw (ID = 56768)
5:05 PM: ctdvaudy.cdf:mabmzi (ID = 56768)
5:05 PM: wmsysprx.prx:puxyvj (ID = 56768)
5:05 PM: install(3).ini:lkpmla (ID = 56768)
5:05 PM: install(4).ini:lkpmla (ID = 56768)
5:05 PM: xqmkl.log:tbqoec (ID = 56768)
5:05 PM: q811630.log:zhbtgo (ID = 56768)
5:05 PM: windows update.log:rgqxsc (ID = 56768)
5:05 PM: n_fnrcdp.log:khbcuf (ID = 56768)
5:05 PM: atlgo32.exe (ID = 56761)
5:05 PM: winmu32.exe (ID = 56768)
5:05 PM: cdplayer.ini:joivrn (ID = 56768)
5:05 PM: dtcinstall.log:miryrg (ID = 56768)
5:05 PM: crpv32.exe (ID = 56768)
5:05 PM: sdktu.exe (ID = 56997)
5:05 PM: msgsocm.log:hdzsbu (ID = 56768)
5:05 PM: n_ukylpv.txt:wjoasx (ID = 56768)
5:05 PM: n_emzhqt.log:nbnpbg (ID = 56768)
5:05 PM: hpimdl01.dat:spirbs (ID = 56768)
5:05 PM: vminst.log:eitjhq (ID = 56768)
5:05 PM: Found Adware: exact cashback/bargain buddy
5:05 PM: bb_welcome.html (ID = 50571)
5:05 PM: bb_click_wider.swf (ID = 52238)
5:05 PM: bb_auto_wider.swf (ID = 52237)
5:05 PM: bb_welcome1.swf (ID = 52239)
5:05 PM: logo.gif (ID = 52264)
5:05 PM: install(2).ini:lkpmla (ID = 56768)
5:06 PM: Found Adware: coolwebsearch (cws)
5:06 PM: updreg.exe (ID = 54262)
5:06 PM: schedlgu.txt:iiwfeb (ID = 56768)
5:06 PM: wmsetup.log:sgubje (ID = 56768)
5:06 PM: install.ini:lkpmla (ID = 56768)
5:06 PM: user.xml (ID = 82817)
5:06 PM: icon.gif (ID = 52263)
5:06 PM: File Sweep Complete, Elapsed Time: 00:03:42
5:06 PM: Full Sweep has completed. Elapsed time 00:05:42
5:06 PM: Traces Found: 103
5:08 PM: Removal process initiated
5:08 PM: Quarantining All Traces: cws_ns3
5:08 PM: Quarantining All Traces: trojan-downloader-hidd
5:08 PM: Quarantining All Traces: virtualbouncer
5:08 PM: Quarantining All Traces: cws_tiny0
5:09 PM: Quarantining All Traces: clkoptimizer
5:09 PM: Quarantining All Traces: abetterinternet
5:09 PM: Quarantining All Traces: exact cashback/bargain buddy
5:09 PM: Quarantining All Traces: coolwebsearch (cws)
5:10 PM: Removal process completed. Elapsed time 00:01:22
********
4:51 PM: |··· Start of Session, Saturday, August 13, 2005 ···|
4:51 PM: Spy Sweeper started
4:52 PM: Your spyware definitions have been updated.
4:52 PM: Messenger service has been disabled.
5:00 PM: |··· End of Session, Saturday, August 13, 2005 ···|


Here is the Panda activescan report:

Incident Status Location

Possible Virus. No disinfected C:\Program Files\DIRECTV GameTracker\GameTracker.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\Program Files\Hijack This\backups\backup-20050812-172027-484.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\addhw.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\apicw32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apiis32.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\apioj32.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\apipm32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\apitk32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apppp32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\appsl.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\appyj.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\atllf.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\crbf.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\cror32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\crps32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3by32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\d3ge.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\d3yl.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\iedc.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\iepi32.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\ieve32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ippf32.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\javajl32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\javans.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\javaoy.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\javaxm.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\mfchi32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\msbp32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\msgj32.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\msuq32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\netcl.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\netea32.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\netzl.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\nten.dll
Virus:Trj/Downloader.DMC Disinfected C:\WINDOWS\ntfi.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ntfx32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_aptdom.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_beuywy.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_cmximt.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_cqrncc.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_dfskzd.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_dpdjmq.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_emzhqt.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_fcmlzp.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_fmnlus.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_fnrcdp.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_hifldp.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_hkyeat.txt
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_icuhar.txt
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_inpops.log
Virus:Trj/Downloader.DKJ Disinfected C:\WINDOWS\n_kkdgip.txt
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_lxtiod.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_meiajw.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_mexhhx.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_nghnyp.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_njgfpv.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_oimupj.txt
Virus:Trj/Agent.ACH Disinfected C:\WINDOWS\n_olgikw.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_ovvhks.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_pdulur.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_pfnttw.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_pjzzwn.txt
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_pnquzc.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_qdithx.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_qmnfnt.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_rbqxpz.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_rdncjq.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_siwdwq.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_syapoh.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_tcyhlk.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_uanupr.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_ugktst.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_ukylpv.txt
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_utajel.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_uvqhcq.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_vfoois.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_vgzsqe.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_vqhjew.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_vurmbr.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\n_wgagum.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_wjgyyx.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_xrfxae.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_zmnkku.txt
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_zygvzs.dat
Adware:Adware/SearchExe No disinfected C:\WINDOWS\n_zzulbf.log
Virus:Bck/Haxdoor.H Disinfected C:\WINDOWS\sdklm32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\sdkpt32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\sdktm32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\syslk32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sysni.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\addbd.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\apide.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\apion32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\appkn32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\appou.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\atlhw.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\crlr32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\crpv32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\crtx32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\crtz.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3gl.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\d3qv.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\d3zv32.dll
Virus:Trj/Small.LK Disinfected C:\WINDOWS\system32\dwtxb.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\iegj.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\ielq32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\ievb.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipfn32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\ippf.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\ipta.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\iptk.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\iptx.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\iptz32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\javacc.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\javafs32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\javapk32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\javasx.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\mfcjr32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\mfcmo32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\mfcnn.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcpq32.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\msjp32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\msne32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\msri32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\msup32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\mswa32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\netmt32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netpp.exe
Virus:Bck/Haxdoor.H Disinfected C:\WINDOWS\system32\netyw32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\ntew32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\nthv.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\ntyc.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\sdkjf32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\sdkmt.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\sysdk.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\sysdm.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\syskc.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\syswc32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\syszh.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\wingi32.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\winhk32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\winhx32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\winzp32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\winkj32.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winph32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\winrf32.exe

And here is the most recent Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 6:06:09 PM, on 8/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gem.jsu.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Class - {8DFA205E-18F5-B63D-E0A9-846F83DE2040} - C:\WINDOWS\apitk32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123945209841
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

#14 dambromr
Member (Topic Starter), 15 posts
It looks like the Hijack This log may have gotten cut off - too long maybe. Here is the whole thing again:

Logfile of HijackThis v1.99.1
Scan saved at 6:06:09 PM, on 8/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gem.jsu.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Class - {8DFA205E-18F5-B63D-E0A9-846F83DE2040} - C:\WINDOWS\apitk32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123945209841
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123945663029
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Rawe, I hope you get paid well for your troubles...
-Mike D

#15 Rawe
Visiting Staff, 4,746 posts
I don't get paid at all, actually. This is a volunteer site, with volunteer staff members. Everyone is just using their own free time to help people at the forum. This forum also has a Geek University, where I learned almost everything I have learned so far about malware. And it's totally free as well. I just like doing this. I need no money out of this. Ok, for your logs:

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

When rebooted, do the following:

Please print these instructions out, or write them down, as you can't read them during the fix.

First:

Please download Ewido Security Suite; it is a free version of the program.
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT run a scan yet.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido.

Boot back into normal mode and post the Ewido log.

- Rawe
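As an added example for this thread (not HijackThis code and not any poster's own), a Python triage pass over log lines of the kind posted above: it flags the missing R3 URLSearchHook, the generic-named O2 BHO loading from C:\WINDOWS, and any module whose name follows the pattern of the dropped files named in this thread (winhk32.dll, apitk32.dll and the like: a generic prefix, two random letters, an optional 32). The prefix list, the severity labels and the extra O4 syswc32.exe line are constructed for the example.

```python
r"""Triage heuristics for HijackThis 1.99-style log lines (added example, not
HijackThis code or any poster's). looks_dropped() encodes the naming pattern of the
files dropped here: generic prefix + two random letters + optional "32" + .dll/.exe,
placed directly in C:\WINDOWS or C:\WINDOWS\system32 (plus n_xxxxxx.log/.dat/.txt).
It is a heuristic: legitimate modules can match, so confirm every hit by hand."""
import re
from typing import List, Optional, Tuple

# Prefixes taken from the dropped file names in this thread (api, win, sys, ...).
RANDOM_MODULE = re.compile(
    r"^(?:add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)"
    r"[a-z]{2}(?:32)?\.(?:dll|exe)$", re.IGNORECASE)
RANDOM_DATA = re.compile(r"^n_[a-z]{6}\.(?:log|dat|txt)$", re.IGNORECASE)
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")
ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")  # "O2 - BHO: ..."
PATH = re.compile(r"[A-Za-z]:\\[^\s\"]*?\.(?:dll|exe|ocx)", re.IGNORECASE)

def looks_dropped(path: str) -> bool:
    """True when PATH sits directly in a system dir and has a random-looking name."""
    folder, _, name = path.rpartition("\\")
    if folder.lower() not in SYSTEM_DIRS:
        return False
    return bool(RANDOM_MODULE.match(name) or RANDOM_DATA.match(name))

def triage(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious line, or None if it looks benign."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    if sec == "R3" and "URLSearchHook is missing" in rest:
        return ("medium", "default URLSearchHook removed; typical after a search hijack")
    if sec == "R1" and "ProxyOverride" in rest:
        return ("info", "proxy override present; confirm it is intentional")
    for p in PATH.findall(rest):  # any module loaded from a system dir under a random name
        if looks_dropped(p):
            return ("high", f"{sec} loads random-named module from a system dir: {p}")
    if sec == "O2" and "(file missing)" not in rest and (
            "(no name)" in rest or "BHO: Class -" in rest):
        return ("medium", "BHO with a generic or empty name; verify the module")
    return None

def triage_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run triage() over a whole log; returns (severity, reason, line) for hits only."""
    return [(r[0], r[1], ln.strip()) for ln in lines for r in [triage(ln)] if r]

# Constructed sample: lines copied from the log above plus one O4 line made up for the
# example, pointing at one of the dropped files named in this thread (syswc32.exe).
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gem.jsu.edu/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)",
    r"O2 - BHO: Class - {8DFA205E-18F5-B63D-E0A9-846F83DE2040} - C:\WINDOWS\apitk32.dll",
    r"O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [syswc] C:\WINDOWS\system32\syswc32.exe",  # constructed
    r"O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll",
]

if __name__ == "__main__":
    for sev, why, ln in triage_log(SAMPLE_LOG):
        print(f"[{sev:6}] {why}\n         {ln}")
```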