[Resolved] system32 popup - please help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

etnamaid

Thread Starter
Joined
Jul 18, 2003
Messages
94
hi there,

please check this log. everytime i restart my friend's computer, the System32 folder popup.

please help.

thanks
=============================

Logfile of HijackThis v1.97.7
Scan saved at 3:11:05 PM, on 4/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\yvwekpdk.exe
C:\WINDOWS\System32\igfgtkqf.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ca5.hpwis.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: HTTP/1.1 200 Lose weight, eat less spam
O1 - Hosts: Server: Freedom HTTP Proxy
O1 - Hosts: Content-Type: image/gif
O1 - Hosts: Accept-Ranges: bytes
O1 - Hosts: Content-Length: 44
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {ABCA2B61-DFD9-20E4-7C49-10D4BDD6DD0C} - C:\WINDOWS\system32\yeilmaje.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [lssrv32] c:\WINDOWS\System32\lssrv32.exe
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [cpjxbnm] rundll32 C:\WINDOWS\System32:cpjxbnm.dll,Init 1
O4 - HKLM\..\Run: [Outwar] C:\WINDOWS\syslaunch.exe
O4 - HKLM\..\Run: [anpdojb] c:\WINDOWS\System32\anpdojb.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [rckcrpas] C:\WINDOWS\nlwkpozq.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\yvwekpdk.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [stwzgapu] C:\WINDOWS\System32\igfgtkqf.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [GNT] C:\WINDOWS\GNT.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [lssrv32] c:\WINDOWS\System32\lssrv32.exe
O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\Owner\Application Data\iebs.exe
O4 - HKCU\..\Run: [anpdojb] c:\WINDOWS\System32\anpdojb.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\RunOnce: [*cpjxbnm] rundll32 C:\WINDOWS\System32:cpjxbnm.dll,Init 1
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &RSDN Search - res://C:\WINDOWS\2020SE~1.DLL/GoRSDN.dll.htm
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_37.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/wtgeneric/tradewinds/install.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
 
Joined
Nov 2, 2002
Messages
22,468
Based on the list, you should download a good spyware removal program.

However these have nothing to do with the folder opening after login. If the System32 folder shows on the desktop, there may be an invalid entry in the Registry

Start Regedit
Go to both:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Double check that the values do not have incorrect, incomplete, or blank entries
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
39,424
Ouch you have a lot of crap!

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\ - This is the problem, but you have much worse stuff going on.

Download and run Spybot S&D, LAvasoft Ad-Aware and CWShredder. When you have run these programs, reboot and redo the log. We can then fish out the files that were left.
 
Joined
Nov 2, 2002
Messages
22,468
I'm constantly amazed with how much people has downloaded. For some locations of the better spyware removal tools:

You need to download a good Spyware and Trojan Removal program.

Spybot Search and Destroy:
http://www.safer-networking.org/index.php?page=spybotsda

SpySweeper:
http://www.webroot.com/wb/products/spysweeper/index.php
This will also protect your home page from being hijacked.

Ad-Aware:
http://www.lavasoft.de/

With any of the above three programs, just like with Anti-Virus software, should have the latest updates installed before doing a scan.

CWShredder:
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

KazaaBeGone
http://www.spywareinfo.com/~merijn/files/kazaabegone.zip

Programs that can help prevent getting infected:

Spyware Blaster
http://www.javacoolsoftware.com/spywareblaster.html

Spyware Guard
http://www.wilderssecurity.net/spywareguard.html
 

etnamaid

Thread Starter
Joined
Jul 18, 2003
Messages
94
please check if i should fix the following too.
thanks
======================

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca5.hpwis.com/
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {ABCA2B61-DFD9-20E4-7C49-10D4BDD6DD0C} - C:\WINDOWS\system32\yeilmaje.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
 

etnamaid

Thread Starter
Joined
Jul 18, 2003
Messages
94
everytime i restart the computer, end program - wupater.exe popup

should i fix this?
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

please advice.

thanks
 

mjack547

Malware Specialist
Joined
Sep 1, 2003
Messages
3,181
Did you run Adaware and spybot if so post a new hijackthis log than we can help you
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
39,424
Those should be fixed by Spybot S&D and or Lavasoft Ad-Aware. Please run those programs and then repost a log.
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
39,424
While you are at it, download Spyware blaster. Make sure you use the update function. It prevents any further attacks like what you have here.
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
39,424
If you are that worried, start by removing all of the R0s, R1s, R3s and O1s. Those can be removed.

For your wupdater.exe - go here
 

etnamaid

Thread Starter
Joined
Jul 18, 2003
Messages
94
yes, i run Spybot Search & Destroy, Ad-Aware, and CWShredder.

thanks
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
39,424
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ca5.hpwis.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: HTTP/1.1 200 Lose weight, eat less spam
O1 - Hosts: Server: Freedom HTTP Proxy
O1 - Hosts: Content-Type: image/gif
O1 - Hosts: Accept-Ranges: bytes
O1 - Hosts: Content-Length: 44
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {ABCA2B61-DFD9-20E4-7C49-10D4BDD6DD0C} - C:\WINDOWS\system32\yeilmaje.dll
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O4 - HKLM\..\Run: [cpjxbnm] rundll32 C:\WINDOWS\System32:cpjxbnm.dll,Init 1
O4 - HKLM\..\Run: [Outwar] C:\WINDOWS\syslaunch.exe
O4 - HKLM\..\Run: [rckcrpas] C:\WINDOWS\nlwkpozq.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\yvwekpdk.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [stwzgapu] C:\WINDOWS\System32\igfgtkqf.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [GNT] C:\WINDOWS\GNT.exe
O4 - HKCU\..\Run: [lssrv32] c:\WINDOWS\System32\lssrv32.exe
O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\Owner\Application Data\iebs.exe
O4 - HKCU\..\Run: [anpdojb] c:\WINDOWS\System32\anpdojb.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\RunOnce: [*cpjxbnm] rundll32 C:\WINDOWS\System32:cpjxbnm.dll,Init 1
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe

Well something didn't go right if the log was AFTER the checks. You will need to run in safe mode, turn off System Restore and then redo the scans, including an antivirus scan. Then run the HJT and check to see if you have any of the entries I have listed and remove them. You will need to also delete the files that are listed to from the locations. After you have did that reboot and do one last HJT and post it here. (dont forget to turn the System Restore back on.)

Also I believe you have the peper.a trojan. Go to this link: http://www.zerosrealm.com/downloads/uninst.exe
You will need to be online for the file to work. It will ask you to SAVE or OPEN it. OPEN it (with the connection still active!) so you can remove the trojan.
 

etnamaid

Thread Starter
Joined
Jul 18, 2003
Messages
94
here is the latest log.
still the "end program - wupdater.exe" is there
when i restart. i can't find any download fom this link
http://www.doxdesk.com/parasite/KeenValue.html

please help.

thanks


Logfile of HijackThis v1.97.7
Scan saved at 12:56:33 AM, on 4/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [lssrv32] c:\WINDOWS\System32\lssrv32.exe
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &RSDN Search - res://C:\WINDOWS\2020SE~1.DLL/GoRSDN.dll.htm
O8 - Extra context menu item: Allow popups - file://C:\Program Files\Ultimate Popup Killer\Popupkiller.html
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_37.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/wtgeneric/tradewinds/install.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
 
Joined
Dec 9, 2000
Messages
45,855
Probaby best to reboot in Safe Mode to carry this out.

Check these two items and "fix" them in the Scanlog:

4 - HKLM\..\Run: [lssrv32] c:\WINDOWS\System32\lssrv32.exe

^^ unless you KNOW what that is and can vouch for it.

O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll

^^ a known malware component.

Then just go to the C:\Program Files\Common files\updater\wupdater.exe. You can delete lssrv32.exe as well.

"updater" folder and delete it manually.

How to restart in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

And just a side note: that was sure one mess of a Scanlog. If you have been using file sharing applications, you can bet they will return if you continue to do so.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Top