Solved: Can't Get rid of WWWCoolwebsearch


old_lion

Thread Starter
Joined
Jul 4, 2005
Messages
27
I have been trying for several days to put this "Beast" out to pasture but it remains and continues to reside in my computer.
I have run latest versions of Ad Aware, SpyBot and Windows AntiSpyware as well as Norton SystemWorks 2005. The offending files show up as Trek Blue Error Nuker, StartPage-EH, Klez winkh.exe and various other versions of Malware.
My Iexplorer has been hijacked to something called About:Blank and continues to add porn web links in My Favorites as well as other sites.

My system runs on WinXP Professional through a cable modem that is always on. My HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 4:37:40 PM, on 7/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\sdkcf32.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Hi-Jack This\HijackThis v1.99.1.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lhztt.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lhztt.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lhztt.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lhztt.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lhztt.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lhztt.dll/sp.html#69589
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lhztt.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {74BFA73C-1575-8956-BF6B-FBEF00307908} - C:\WINDOWS\sysbv32.dll
O2 - BHO: Class - {89CCF05A-7656-3F27-66A5-FBC97CDDABD8} - C:\WINDOWS\ntau32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C25B819B-AC4E-4A6C-1C3C-94A75C05801D} - C:\WINDOWS\mfcvs32.dll
O2 - BHO: Class - {F2938D55-FF24-9FAE-0746-FFB05994C97B} - C:\WINDOWS\system32\javakp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [sdkcf32.exe] C:\WINDOWS\system32\sdkcf32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32nt.exe
O4 - HKLM\..\RunOnce: [apius32.exe] C:\WINDOWS\system32\apius32.exe
O4 - HKLM\..\RunOnce: [ntiy.exe] C:\WINDOWS\ntiy.exe
O4 - HKLM\..\RunOnce: [crkd.exe] C:\WINDOWS\system32\crkd.exe
O4 - HKLM\..\RunOnce: [appad32.exe] C:\WINDOWS\appad32.exe
O4 - HKLM\..\RunOnce: [d3to32.exe] C:\WINDOWS\d3to32.exe
O4 - HKLM\..\RunOnce: [ntex.exe] C:\WINDOWS\ntex.exe
O4 - HKLM\..\RunOnce: [winyj.exe] C:\WINDOWS\winyj.exe
O4 - HKLM\..\RunOnce: [javaje32.exe] C:\WINDOWS\javaje32.exe
O4 - HKLM\..\RunOnce: [atlcx32.exe] C:\WINDOWS\system32\atlcx32.exe
O4 - HKLM\..\RunOnce: [mfccn32.exe] C:\WINDOWS\system32\mfccn32.exe
O4 - HKLM\..\RunOnce: [sdkmg32.exe] C:\WINDOWS\sdkmg32.exe
O4 - HKLM\..\RunOnce: [applo.exe] C:\WINDOWS\system32\applo.exe
O4 - HKLM\..\RunOnce: [sysdo32.exe] C:\WINDOWS\sysdo32.exe
O4 - HKLM\..\RunOnce: [atltm32.exe] C:\WINDOWS\atltm32.exe
O4 - HKLM\..\RunOnce: [iehg.exe] C:\WINDOWS\system32\iehg.exe
O4 - HKLM\..\RunOnce: [sdkgt.exe] C:\WINDOWS\system32\sdkgt.exe
O4 - HKLM\..\RunOnce: [atllv.exe] C:\WINDOWS\system32\atllv.exe
O4 - HKLM\..\RunOnce: [d3zs.exe] C:\WINDOWS\d3zs.exe
O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe
O4 - HKLM\..\RunOnce: [mfcpb.exe] C:\WINDOWS\system32\mfcpb.exe
O4 - HKLM\..\RunOnce: [syszt32.exe] C:\WINDOWS\syszt32.exe
O4 - HKLM\..\RunOnce: [javafw.exe] C:\WINDOWS\javafw.exe
O4 - HKLM\..\RunOnce: [sdknw32.exe] C:\WINDOWS\system32\sdknw32.exe
O4 - HKLM\..\RunOnce: [atltq.exe] C:\WINDOWS\system32\atltq.exe
O4 - HKLM\..\RunOnce: [ntut32.exe] C:\WINDOWS\ntut32.exe
O4 - HKLM\..\RunOnce: [atlhn.exe] C:\WINDOWS\system32\atlhn.exe
O4 - HKLM\..\RunOnce: [javaby.exe] C:\WINDOWS\system32\javaby.exe
O4 - HKLM\..\RunOnce: [ntjn.exe] C:\WINDOWS\system32\ntjn.exe
O4 - HKLM\..\RunOnce: [appwi32.exe] C:\WINDOWS\appwi32.exe
O4 - HKLM\..\RunOnce: [crwq.exe] C:\WINDOWS\system32\crwq.exe
O4 - HKLM\..\RunOnce: [apibk.exe] C:\WINDOWS\system32\apibk.exe
O4 - HKLM\..\RunOnce: [addpu32.exe] C:\WINDOWS\system32\addpu32.exe
O4 - HKLM\..\RunOnce: [cruw.exe] C:\WINDOWS\cruw.exe
O4 - HKLM\..\RunOnce: [mste.exe] C:\WINDOWS\system32\mste.exe
O4 - HKLM\..\RunOnce: [sdkgo.exe] C:\WINDOWS\system32\sdkgo.exe
O4 - HKLM\..\RunOnce: [atlli32.exe] C:\WINDOWS\system32\atlli32.exe
O4 - HKLM\..\RunOnce: [javabn32.exe] C:\WINDOWS\javabn32.exe
O4 - HKLM\..\RunOnce: [mfcoi.exe] C:\WINDOWS\mfcoi.exe
O4 - HKLM\..\RunOnce: [apivx.exe] C:\WINDOWS\apivx.exe
O4 - HKLM\..\RunOnce: [javahd32.exe] C:\WINDOWS\system32\javahd32.exe
O4 - HKLM\..\RunOnce: [sdkyi.exe] C:\WINDOWS\system32\sdkyi.exe
O4 - HKLM\..\RunOnce: [netzv32.exe] C:\WINDOWS\system32\netzv32.exe
O4 - HKLM\..\RunOnce: [winex.exe] C:\WINDOWS\system32\winex.exe
O4 - HKLM\..\RunOnce: [javadx32.exe] C:\WINDOWS\javadx32.exe
O4 - HKLM\..\RunOnce: [apijz.exe] C:\WINDOWS\apijz.exe
O4 - HKLM\..\RunOnce: [sdknd32.exe] C:\WINDOWS\sdknd32.exe
O4 - HKLM\..\RunOnce: [atlsx.exe] C:\WINDOWS\system32\atlsx.exe
O4 - HKLM\..\RunOnce: [iern32.exe] C:\WINDOWS\system32\iern32.exe
O4 - HKLM\..\RunOnce: [sdkun32.exe] C:\WINDOWS\sdkun32.exe
O4 - HKLM\..\RunOnce: [msmy.exe] C:\WINDOWS\system32\msmy.exe
O4 - HKLM\..\RunOnce: [mfcfj.exe] C:\WINDOWS\mfcfj.exe
O4 - HKLM\..\RunOnce: [addsw.exe] C:\WINDOWS\system32\addsw.exe
O4 - HKLM\..\RunOnce: [ntbf.exe] C:\WINDOWS\system32\ntbf.exe
O4 - HKLM\..\RunOnce: [winvq.exe] C:\WINDOWS\winvq.exe
O4 - HKLM\..\RunOnce: [mskx.exe] C:\WINDOWS\mskx.exe
O4 - HKLM\..\RunOnce: [sdkvq32.exe] C:\WINDOWS\sdkvq32.exe
O4 - HKLM\..\RunOnce: [javaoj.exe] C:\WINDOWS\system32\javaoj.exe
O4 - HKLM\..\RunOnce: [iekn.exe] C:\WINDOWS\iekn.exe
O4 - HKLM\..\RunOnce: [appdg32.exe] C:\WINDOWS\system32\appdg32.exe
O4 - HKLM\..\RunOnce: [apitw.exe] C:\WINDOWS\system32\apitw.exe
O4 - HKLM\..\RunOnce: [sdkxs32.exe] C:\WINDOWS\sdkxs32.exe
O4 - HKLM\..\RunOnce: [ntmp32.exe] C:\WINDOWS\ntmp32.exe
O4 - HKLM\..\RunOnce: [ipbm32.exe] C:\WINDOWS\system32\ipbm32.exe
O4 - HKLM\..\RunOnce: [addfq32.exe] C:\WINDOWS\system32\addfq32.exe
O4 - HKLM\..\RunOnce: [ntac32.exe] C:\WINDOWS\system32\ntac32.exe
O4 - HKLM\..\RunOnce: [crfg.exe] C:\WINDOWS\crfg.exe
O4 - HKLM\..\RunOnce: [sdkog32.exe] C:\WINDOWS\system32\sdkog32.exe
O4 - HKLM\..\RunOnce: [addxm.exe] C:\WINDOWS\addxm.exe
O4 - HKLM\..\RunOnce: [netmb32.exe] C:\WINDOWS\netmb32.exe
O4 - HKLM\..\RunOnce: [javadj.exe] C:\WINDOWS\javadj.exe
O4 - HKLM\..\RunOnce: [iehn32.exe] C:\WINDOWS\iehn32.exe
O4 - HKLM\..\RunOnce: [crqo.exe] C:\WINDOWS\crqo.exe
O4 - HKLM\..\RunOnce: [d3wk32.exe] C:\WINDOWS\d3wk32.exe
O4 - HKLM\..\RunOnce: [crkh32.exe] C:\WINDOWS\system32\crkh32.exe
O4 - HKLM\..\RunOnce: [netpd32.exe] C:\WINDOWS\netpd32.exe
O4 - HKLM\..\RunOnce: [d3kp32.exe] C:\WINDOWS\system32\d3kp32.exe
O4 - HKLM\..\RunOnce: [sysxt.exe] C:\WINDOWS\sysxt.exe
O4 - HKLM\..\RunOnce: [ieyu32.exe] C:\WINDOWS\system32\ieyu32.exe
O4 - HKLM\..\RunOnce: [msmq32.exe] C:\WINDOWS\msmq32.exe
O4 - HKLM\..\RunOnce: [ntrn32.exe] C:\WINDOWS\system32\ntrn32.exe
O4 - HKLM\..\RunOnce: [iemy32.exe] C:\WINDOWS\iemy32.exe
O4 - HKLM\..\RunOnce: [addrd.exe] C:\WINDOWS\system32\addrd.exe
O4 - HKLM\..\RunOnce: [winal32.exe] C:\WINDOWS\winal32.exe
O4 - HKLM\..\RunOnce: [sysoa32.exe] C:\WINDOWS\system32\sysoa32.exe
O4 - HKLM\..\RunOnce: [sdkte32.exe] C:\WINDOWS\sdkte32.exe
O4 - HKLM\..\RunOnce: [winoq32.exe] C:\WINDOWS\system32\winoq32.exe
O4 - HKLM\..\RunOnce: [atltu.exe] C:\WINDOWS\atltu.exe
O4 - HKLM\..\RunOnce: [addbu32.exe] C:\WINDOWS\system32\addbu32.exe
O4 - HKLM\..\RunOnce: [ieaq32.exe] C:\WINDOWS\ieaq32.exe
O4 - HKLM\..\RunOnce: [sdktz32.exe] C:\WINDOWS\system32\sdktz32.exe
O4 - HKLM\..\RunOnce: [ieds32.exe] C:\WINDOWS\ieds32.exe
O4 - HKLM\..\RunOnce: [netda.exe] C:\WINDOWS\system32\netda.exe
O4 - HKLM\..\RunOnce: [atlhe.exe] C:\WINDOWS\atlhe.exe
O4 - HKLM\..\RunOnce: [sdkwb32.exe] C:\WINDOWS\system32\sdkwb32.exe
O4 - HKLM\..\RunOnce: [d3ui.exe] C:\WINDOWS\d3ui.exe
O4 - HKLM\..\RunOnce: [winqm32.exe] C:\WINDOWS\winqm32.exe
O4 - HKLM\..\RunOnce: [iean.exe] C:\WINDOWS\iean.exe
O4 - HKLM\..\RunOnce: [iefj32.exe] C:\WINDOWS\iefj32.exe
O4 - HKLM\..\RunOnce: [ieug32.exe] C:\WINDOWS\system32\ieug32.exe
O4 - HKLM\..\RunOnce: [ntzc32.exe] C:\WINDOWS\ntzc32.exe
O4 - HKLM\..\RunOnce: [sysco32.exe] C:\WINDOWS\system32\sysco32.exe
O4 - HKLM\..\RunOnce: [addhs.exe] C:\WINDOWS\addhs.exe
O4 - HKLM\..\RunOnce: [winht32.exe] C:\WINDOWS\system32\winht32.exe
O4 - HKLM\..\RunOnce: [syswq32.exe] C:\WINDOWS\syswq32.exe
O4 - HKLM\..\RunOnce: [javabm32.exe] C:\WINDOWS\system32\javabm32.exe
O4 - HKLM\..\RunOnce: [winey32.exe] C:\WINDOWS\winey32.exe
O4 - HKLM\..\RunOnce: [atlic.exe] C:\WINDOWS\system32\atlic.exe
O4 - HKLM\..\RunOnce: [javael.exe] C:\WINDOWS\system32\javael.exe
O4 - HKLM\..\RunOnce: [mfcdb32.exe] C:\WINDOWS\system32\mfcdb32.exe
O4 - HKLM\..\RunOnce: [winbr32.exe] C:\WINDOWS\winbr32.exe
O4 - HKLM\..\RunOnce: [addbz.exe] C:\WINDOWS\system32\addbz.exe
O4 - HKLM\..\RunOnce: [apizw32.exe] C:\WINDOWS\system32\apizw32.exe
O4 - HKLM\..\RunOnce: [sdkpe32.exe] C:\WINDOWS\system32\sdkpe32.exe
O4 - HKLM\..\RunOnce: [ipsh.exe] C:\WINDOWS\ipsh.exe
O4 - HKLM\..\RunOnce: [addrx32.exe] C:\WINDOWS\addrx32.exe
O4 - HKLM\..\RunOnce: [msim.exe] C:\WINDOWS\system32\msim.exe
O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\system32\nthc32.exe
O4 - HKLM\..\RunOnce: [mfcfs32.exe] C:\WINDOWS\mfcfs32.exe
O4 - HKLM\..\RunOnce: [apifa32.exe] C:\WINDOWS\system32\apifa32.exe
O4 - HKLM\..\RunOnce: [mfcuu32.exe] C:\WINDOWS\system32\mfcuu32.exe
O4 - HKLM\..\RunOnce: [atlir.exe] C:\WINDOWS\atlir.exe
O4 - HKLM\..\RunOnce: [mfcoo.exe] C:\WINDOWS\mfcoo.exe
O4 - HKLM\..\RunOnce: [ipbq.exe] C:\WINDOWS\system32\ipbq.exe
O4 - HKLM\..\RunOnce: [msbk.exe] C:\WINDOWS\system32\msbk.exe
O4 - HKLM\..\RunOnce: [appgm.exe] C:\WINDOWS\appgm.exe
O4 - HKLM\..\RunOnce: [apphy32.exe] C:\WINDOWS\system32\apphy32.exe
O4 - HKLM\..\RunOnce: [apiww.exe] C:\WINDOWS\apiww.exe
O4 - HKLM\..\RunOnce: [appll.exe] C:\WINDOWS\appll.exe
O4 - HKLM\..\RunOnce: [msve32.exe] C:\WINDOWS\system32\msve32.exe
O4 - HKLM\..\RunOnce: [syshp.exe] C:\WINDOWS\system32\syshp.exe
O4 - HKLM\..\RunOnce: [nettc.exe] C:\WINDOWS\system32\nettc.exe
O4 - HKLM\..\RunOnce: [atllt.exe] C:\WINDOWS\atllt.exe
O4 - HKLM\..\RunOnce: [d3oa.exe] C:\WINDOWS\system32\d3oa.exe
O4 - HKLM\..\RunOnce: [netbu.exe] C:\WINDOWS\netbu.exe
O4 - HKLM\..\RunOnce: [ieqz32.exe] C:\WINDOWS\ieqz32.exe
O4 - HKLM\..\RunOnce: [sdkvt.exe] C:\WINDOWS\sdkvt.exe
O4 - HKLM\..\RunOnce: [addgh.exe] C:\WINDOWS\addgh.exe
O4 - HKLM\..\RunOnce: [d3lb32.exe] C:\WINDOWS\d3lb32.exe
O4 - HKLM\..\RunOnce: [iefu.exe] C:\WINDOWS\system32\iefu.exe
O4 - HKLM\..\RunOnce: [ntko32.exe] C:\WINDOWS\system32\ntko32.exe
O4 - HKLM\..\RunOnce: [addkw.exe] C:\WINDOWS\addkw.exe
O4 - HKLM\..\RunOnce: [crpq32.exe] C:\WINDOWS\system32\crpq32.exe
O4 - HKLM\..\RunOnce: [apiij32.exe] C:\WINDOWS\apiij32.exe
O4 - HKLM\..\RunOnce: [sdkhd32.exe] C:\WINDOWS\sdkhd32.exe
O4 - HKLM\..\RunOnce: [apiej.exe] C:\WINDOWS\apiej.exe
O4 - HKLM\..\RunOnce: [atlxl32.exe] C:\WINDOWS\atlxl32.exe
O4 - HKLM\..\RunOnce: [javada32.exe] C:\WINDOWS\javada32.exe
O4 - HKLM\..\RunOnce: [appli32.exe] C:\WINDOWS\system32\appli32.exe
O4 - HKLM\..\RunOnce: [sdkgt32.exe] C:\WINDOWS\system32\sdkgt32.exe
O4 - HKLM\..\RunOnce: [winxs.exe] C:\WINDOWS\winxs.exe
O4 - HKLM\..\RunOnce: [sdkkh.exe] C:\WINDOWS\sdkkh.exe
O4 - HKLM\..\RunOnce: [crly.exe] C:\WINDOWS\crly.exe
O4 - HKLM\..\RunOnce: [javauy32.exe] C:\WINDOWS\system32\javauy32.exe
O4 - HKLM\..\RunOnce: [javaiv.exe] C:\WINDOWS\javaiv.exe
O4 - HKLM\..\RunOnce: [javaor.exe] C:\WINDOWS\javaor.exe
O4 - HKLM\..\RunOnce: [atlto.exe] C:\WINDOWS\atlto.exe
O4 - HKLM\..\RunOnce: [croz.exe] C:\WINDOWS\croz.exe
O4 - HKLM\..\RunOnce: [ntdp.exe] C:\WINDOWS\ntdp.exe
O4 - HKLM\..\RunOnce: [crqr32.exe] C:\WINDOWS\crqr32.exe
O4 - HKLM\..\RunOnce: [applc32.exe] C:\WINDOWS\system32\applc32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11772453733709a85601/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120103655171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/View22RTE.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


Thanks in advance for your help.
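The log above contains the three signs of this infection that a helper reads first: Internet Explorer search settings redirected to a res:// URL inside a DLL, Browser Helper Objects registered under the bare name "Class", and a long run of RunOnce entries launching randomly named executables from C:\WINDOWS and C:\WINDOWS\system32. As an added example that is not part of the thread and not a feature of HijackThis itself, the following Python script parses the R, O2, O4 and O23 entry types shown in that log and flags those indicators. The random-name pattern and the "lives directly in the Windows directory" check are assumptions of this example derived from the labels visible in the posted log; the sample lines are copied from the first log so the script runs offline.

```python
"""Triage helper for HijackThis v1.99.1 log lines.

Added example, not part of the thread or of HijackThis. It parses the
R0/R1/R3, O2, O4 and O23 entry types seen in the posted log and flags:
  * IE search/start settings that point at res://<dll>/sp.html
  * Browser Helper Objects registered without a real name ("Class")
  * Run/RunOnce entries launching random-named executables from
    C:\\WINDOWS or C:\\WINDOWS\\system32
  * services whose binary is reported as missing
The random-name heuristic is an assumption derived from the labels in the
posted log (prefix that mimics a system DLL family + 2-3 random letters).
"""
import re

# Constructed sample: a handful of lines copied from the first log in the
# thread, embedded so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lhztt.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {74BFA73C-1575-8956-BF6B-FBEF00307908} - C:\WINDOWS\sysbv32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sdkcf32.exe] C:\WINDOWS\system32\sdkcf32.exe
O4 - HKLM\..\RunOnce: [apius32.exe] C:\WINDOWS\system32\apius32.exe
O4 - HKLM\..\RunOnce: [ntiy.exe] C:\WINDOWS\ntiy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)
"""

# Entry-type patterns; the value part of an R line is optional because
# "R3 - Default URLSearchHook is missing" carries no "key = value".
R_ENTRY = re.compile(r"^(?P<kind>R[0-3]) - (?P<key>.+?)(?: = (?P<value>.*))?$")
O2_ENTRY = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_ENTRY = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): \[(?P<label>[^\]]*)\] (?P<command>.*)$")
O23_ENTRY = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Heuristic (assumption): system-DLL-like prefix + 2-3 random letters + optional "32".
RANDOM_NAME = re.compile(
    r"^(?:api|app|atl|add|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2,3}(?:32)?\.exe$",
    re.IGNORECASE,
)
WINDOWS_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")


def launched_from_windows_dir(command):
    """True if the command's executable sits directly in C:\\WINDOWS or
    C:\\WINDOWS\\system32, where the droppers in the posted log live."""
    exe = command.strip().strip('"').lower()
    idx = exe.find(".exe")
    if idx == -1:
        return False
    folder, _, _ = exe[: idx + 4].rpartition("\\")
    return folder + "\\" in WINDOWS_DIRS


def parse_line(line):
    """Return (kind, fields) for a recognised HJT entry, or None."""
    for kind, rx in (("R", R_ENTRY), ("O2", O2_ENTRY), ("O4", O4_ENTRY), ("O23", O23_ENTRY)):
        m = rx.match(line)
        if m:
            return kind, m.groupdict()
    return None


def triage(log_text):
    """Walk a log and bucket the entries that match each indicator."""
    findings = {"search_hijack": [], "nameless_bho": [], "random_autorun": [],
                "missing_service": [], "unparsed": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parsed = parse_line(line)
        if parsed is None:
            findings["unparsed"].append(line)
            continue
        kind, f = parsed
        if kind == "R" and f["value"] and f["value"].lower().startswith("res://"):
            findings["search_hijack"].append((f["key"], f["value"]))
        elif kind == "O2" and f["name"] in ("Class", "(no name)"):
            findings["nameless_bho"].append((f["clsid"], f["path"]))
        elif kind == "O4" and RANDOM_NAME.match(f["label"]) and launched_from_windows_dir(f["command"]):
            findings["random_autorun"].append((f["key"], f["label"]))
        elif kind == "O23" and f["path"].endswith("(file missing)"):
            findings["missing_service"].append(f["name"])
    return findings


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

Only the O4 entries whose label looks random and whose binary sits directly in the Windows directory are flagged, so legitimate Run entries such as ccApp or NvCplDaemon pass untouched; the R3 "URLSearchHook is missing" line parses without a value and raises no finding, since by itself it is not evidence of infection.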
 
Joined
Jul 26, 2002
Messages
46,349
Hi old_lion

Welcome to TSG! :)

Please rescan with Hijack This and post a new log. I'll help you remove this.

After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
 

old_lion

Thread Starter
Joined
Jul 4, 2005
Messages
27
Thanks for your prompt reply. Just ran another logfile. Here it is.

Logfile of HijackThis v1.99.1
Scan saved at 6:29:50 PM, on 7/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\sdkcf32.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Hi-Jack This\HijackThis v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F2938D55-FF24-9FAE-0746-FFB05994C97B} - C:\WINDOWS\system32\javakp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [sdkcf32.exe] C:\WINDOWS\system32\sdkcf32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32nt.exe
O4 - HKLM\..\RunOnce: [apius32.exe] C:\WINDOWS\system32\apius32.exe
O4 - HKLM\..\RunOnce: [ntiy.exe] C:\WINDOWS\ntiy.exe
O4 - HKLM\..\RunOnce: [crkd.exe] C:\WINDOWS\system32\crkd.exe
O4 - HKLM\..\RunOnce: [appad32.exe] C:\WINDOWS\appad32.exe
O4 - HKLM\..\RunOnce: [d3to32.exe] C:\WINDOWS\d3to32.exe
O4 - HKLM\..\RunOnce: [ntex.exe] C:\WINDOWS\ntex.exe
O4 - HKLM\..\RunOnce: [winyj.exe] C:\WINDOWS\winyj.exe
O4 - HKLM\..\RunOnce: [javaje32.exe] C:\WINDOWS\javaje32.exe
O4 - HKLM\..\RunOnce: [atlcx32.exe] C:\WINDOWS\system32\atlcx32.exe
O4 - HKLM\..\RunOnce: [mfccn32.exe] C:\WINDOWS\system32\mfccn32.exe
O4 - HKLM\..\RunOnce: [sdkmg32.exe] C:\WINDOWS\sdkmg32.exe
O4 - HKLM\..\RunOnce: [applo.exe] C:\WINDOWS\system32\applo.exe
O4 - HKLM\..\RunOnce: [sysdo32.exe] C:\WINDOWS\sysdo32.exe
O4 - HKLM\..\RunOnce: [atltm32.exe] C:\WINDOWS\atltm32.exe
O4 - HKLM\..\RunOnce: [iehg.exe] C:\WINDOWS\system32\iehg.exe
O4 - HKLM\..\RunOnce: [sdkgt.exe] C:\WINDOWS\system32\sdkgt.exe
O4 - HKLM\..\RunOnce: [atllv.exe] C:\WINDOWS\system32\atllv.exe
O4 - HKLM\..\RunOnce: [d3zs.exe] C:\WINDOWS\d3zs.exe
O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe
O4 - HKLM\..\RunOnce: [mfcpb.exe] C:\WINDOWS\system32\mfcpb.exe
O4 - HKLM\..\RunOnce: [syszt32.exe] C:\WINDOWS\syszt32.exe
O4 - HKLM\..\RunOnce: [javafw.exe] C:\WINDOWS\javafw.exe
O4 - HKLM\..\RunOnce: [sdknw32.exe] C:\WINDOWS\system32\sdknw32.exe
O4 - HKLM\..\RunOnce: [atltq.exe] C:\WINDOWS\system32\atltq.exe
O4 - HKLM\..\RunOnce: [ntut32.exe] C:\WINDOWS\ntut32.exe
O4 - HKLM\..\RunOnce: [atlhn.exe] C:\WINDOWS\system32\atlhn.exe
O4 - HKLM\..\RunOnce: [javaby.exe] C:\WINDOWS\system32\javaby.exe
O4 - HKLM\..\RunOnce: [ntjn.exe] C:\WINDOWS\system32\ntjn.exe
O4 - HKLM\..\RunOnce: [appwi32.exe] C:\WINDOWS\appwi32.exe
O4 - HKLM\..\RunOnce: [crwq.exe] C:\WINDOWS\system32\crwq.exe
O4 - HKLM\..\RunOnce: [apibk.exe] C:\WINDOWS\system32\apibk.exe
O4 - HKLM\..\RunOnce: [addpu32.exe] C:\WINDOWS\system32\addpu32.exe
O4 - HKLM\..\RunOnce: [cruw.exe] C:\WINDOWS\cruw.exe
O4 - HKLM\..\RunOnce: [mste.exe] C:\WINDOWS\system32\mste.exe
O4 - HKLM\..\RunOnce: [sdkgo.exe] C:\WINDOWS\system32\sdkgo.exe
O4 - HKLM\..\RunOnce: [atlli32.exe] C:\WINDOWS\system32\atlli32.exe
O4 - HKLM\..\RunOnce: [javabn32.exe] C:\WINDOWS\javabn32.exe
O4 - HKLM\..\RunOnce: [mfcoi.exe] C:\WINDOWS\mfcoi.exe
O4 - HKLM\..\RunOnce: [apivx.exe] C:\WINDOWS\apivx.exe
O4 - HKLM\..\RunOnce: [javahd32.exe] C:\WINDOWS\system32\javahd32.exe
O4 - HKLM\..\RunOnce: [sdkyi.exe] C:\WINDOWS\system32\sdkyi.exe
O4 - HKLM\..\RunOnce: [netzv32.exe] C:\WINDOWS\system32\netzv32.exe
O4 - HKLM\..\RunOnce: [winex.exe] C:\WINDOWS\system32\winex.exe
O4 - HKLM\..\RunOnce: [javadx32.exe] C:\WINDOWS\javadx32.exe
O4 - HKLM\..\RunOnce: [apijz.exe] C:\WINDOWS\apijz.exe
O4 - HKLM\..\RunOnce: [sdknd32.exe] C:\WINDOWS\sdknd32.exe
O4 - HKLM\..\RunOnce: [atlsx.exe] C:\WINDOWS\system32\atlsx.exe
O4 - HKLM\..\RunOnce: [iern32.exe] C:\WINDOWS\system32\iern32.exe
O4 - HKLM\..\RunOnce: [sdkun32.exe] C:\WINDOWS\sdkun32.exe
O4 - HKLM\..\RunOnce: [msmy.exe] C:\WINDOWS\system32\msmy.exe
O4 - HKLM\..\RunOnce: [mfcfj.exe] C:\WINDOWS\mfcfj.exe
O4 - HKLM\..\RunOnce: [addsw.exe] C:\WINDOWS\system32\addsw.exe
O4 - HKLM\..\RunOnce: [ntbf.exe] C:\WINDOWS\system32\ntbf.exe
O4 - HKLM\..\RunOnce: [winvq.exe] C:\WINDOWS\winvq.exe
O4 - HKLM\..\RunOnce: [mskx.exe] C:\WINDOWS\mskx.exe
O4 - HKLM\..\RunOnce: [sdkvq32.exe] C:\WINDOWS\sdkvq32.exe
O4 - HKLM\..\RunOnce: [javaoj.exe] C:\WINDOWS\system32\javaoj.exe
O4 - HKLM\..\RunOnce: [iekn.exe] C:\WINDOWS\iekn.exe
O4 - HKLM\..\RunOnce: [appdg32.exe] C:\WINDOWS\system32\appdg32.exe
O4 - HKLM\..\RunOnce: [apitw.exe] C:\WINDOWS\system32\apitw.exe
O4 - HKLM\..\RunOnce: [sdkxs32.exe] C:\WINDOWS\sdkxs32.exe
O4 - HKLM\..\RunOnce: [ntmp32.exe] C:\WINDOWS\ntmp32.exe
O4 - HKLM\..\RunOnce: [ipbm32.exe] C:\WINDOWS\system32\ipbm32.exe
O4 - HKLM\..\RunOnce: [addfq32.exe] C:\WINDOWS\system32\addfq32.exe
O4 - HKLM\..\RunOnce: [ntac32.exe] C:\WINDOWS\system32\ntac32.exe
O4 - HKLM\..\RunOnce: [crfg.exe] C:\WINDOWS\crfg.exe
O4 - HKLM\..\RunOnce: [sdkog32.exe] C:\WINDOWS\system32\sdkog32.exe
O4 - HKLM\..\RunOnce: [addxm.exe] C:\WINDOWS\addxm.exe
O4 - HKLM\..\RunOnce: [netmb32.exe] C:\WINDOWS\netmb32.exe
O4 - HKLM\..\RunOnce: [javadj.exe] C:\WINDOWS\javadj.exe
O4 - HKLM\..\RunOnce: [iehn32.exe] C:\WINDOWS\iehn32.exe
O4 - HKLM\..\RunOnce: [crqo.exe] C:\WINDOWS\crqo.exe
O4 - HKLM\..\RunOnce: [d3wk32.exe] C:\WINDOWS\d3wk32.exe
O4 - HKLM\..\RunOnce: [crkh32.exe] C:\WINDOWS\system32\crkh32.exe
O4 - HKLM\..\RunOnce: [netpd32.exe] C:\WINDOWS\netpd32.exe
O4 - HKLM\..\RunOnce: [d3kp32.exe] C:\WINDOWS\system32\d3kp32.exe
O4 - HKLM\..\RunOnce: [sysxt.exe] C:\WINDOWS\sysxt.exe
O4 - HKLM\..\RunOnce: [ieyu32.exe] C:\WINDOWS\system32\ieyu32.exe
O4 - HKLM\..\RunOnce: [msmq32.exe] C:\WINDOWS\msmq32.exe
O4 - HKLM\..\RunOnce: [ntrn32.exe] C:\WINDOWS\system32\ntrn32.exe
O4 - HKLM\..\RunOnce: [iemy32.exe] C:\WINDOWS\iemy32.exe
O4 - HKLM\..\RunOnce: [addrd.exe] C:\WINDOWS\system32\addrd.exe
O4 - HKLM\..\RunOnce: [winal32.exe] C:\WINDOWS\winal32.exe
O4 - HKLM\..\RunOnce: [sysoa32.exe] C:\WINDOWS\system32\sysoa32.exe
O4 - HKLM\..\RunOnce: [sdkte32.exe] C:\WINDOWS\sdkte32.exe
O4 - HKLM\..\RunOnce: [winoq32.exe] C:\WINDOWS\system32\winoq32.exe
O4 - HKLM\..\RunOnce: [atltu.exe] C:\WINDOWS\atltu.exe
O4 - HKLM\..\RunOnce: [addbu32.exe] C:\WINDOWS\system32\addbu32.exe
O4 - HKLM\..\RunOnce: [ieaq32.exe] C:\WINDOWS\ieaq32.exe
O4 - HKLM\..\RunOnce: [sdktz32.exe] C:\WINDOWS\system32\sdktz32.exe
O4 - HKLM\..\RunOnce: [ieds32.exe] C:\WINDOWS\ieds32.exe
O4 - HKLM\..\RunOnce: [netda.exe] C:\WINDOWS\system32\netda.exe
O4 - HKLM\..\RunOnce: [atlhe.exe] C:\WINDOWS\atlhe.exe
O4 - HKLM\..\RunOnce: [sdkwb32.exe] C:\WINDOWS\system32\sdkwb32.exe
O4 - HKLM\..\RunOnce: [d3ui.exe] C:\WINDOWS\d3ui.exe
O4 - HKLM\..\RunOnce: [winqm32.exe] C:\WINDOWS\winqm32.exe
O4 - HKLM\..\RunOnce: [iean.exe] C:\WINDOWS\iean.exe
O4 - HKLM\..\RunOnce: [iefj32.exe] C:\WINDOWS\iefj32.exe
O4 - HKLM\..\RunOnce: [ieug32.exe] C:\WINDOWS\system32\ieug32.exe
O4 - HKLM\..\RunOnce: [ntzc32.exe] C:\WINDOWS\ntzc32.exe
O4 - HKLM\..\RunOnce: [sysco32.exe] C:\WINDOWS\system32\sysco32.exe
O4 - HKLM\..\RunOnce: [addhs.exe] C:\WINDOWS\addhs.exe
O4 - HKLM\..\RunOnce: [winht32.exe] C:\WINDOWS\system32\winht32.exe
O4 - HKLM\..\RunOnce: [syswq32.exe] C:\WINDOWS\syswq32.exe
O4 - HKLM\..\RunOnce: [javabm32.exe] C:\WINDOWS\system32\javabm32.exe
O4 - HKLM\..\RunOnce: [winey32.exe] C:\WINDOWS\winey32.exe
O4 - HKLM\..\RunOnce: [atlic.exe] C:\WINDOWS\system32\atlic.exe
O4 - HKLM\..\RunOnce: [javael.exe] C:\WINDOWS\system32\javael.exe
O4 - HKLM\..\RunOnce: [mfcdb32.exe] C:\WINDOWS\system32\mfcdb32.exe
O4 - HKLM\..\RunOnce: [winbr32.exe] C:\WINDOWS\winbr32.exe
O4 - HKLM\..\RunOnce: [addbz.exe] C:\WINDOWS\system32\addbz.exe
O4 - HKLM\..\RunOnce: [apizw32.exe] C:\WINDOWS\system32\apizw32.exe
O4 - HKLM\..\RunOnce: [sdkpe32.exe] C:\WINDOWS\system32\sdkpe32.exe
O4 - HKLM\..\RunOnce: [ipsh.exe] C:\WINDOWS\ipsh.exe
O4 - HKLM\..\RunOnce: [addrx32.exe] C:\WINDOWS\addrx32.exe
O4 - HKLM\..\RunOnce: [msim.exe] C:\WINDOWS\system32\msim.exe
O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\system32\nthc32.exe
O4 - HKLM\..\RunOnce: [mfcfs32.exe] C:\WINDOWS\mfcfs32.exe
O4 - HKLM\..\RunOnce: [apifa32.exe] C:\WINDOWS\system32\apifa32.exe
O4 - HKLM\..\RunOnce: [mfcuu32.exe] C:\WINDOWS\system32\mfcuu32.exe
O4 - HKLM\..\RunOnce: [atlir.exe] C:\WINDOWS\atlir.exe
O4 - HKLM\..\RunOnce: [mfcoo.exe] C:\WINDOWS\mfcoo.exe
O4 - HKLM\..\RunOnce: [ipbq.exe] C:\WINDOWS\system32\ipbq.exe
O4 - HKLM\..\RunOnce: [msbk.exe] C:\WINDOWS\system32\msbk.exe
O4 - HKLM\..\RunOnce: [appgm.exe] C:\WINDOWS\appgm.exe
O4 - HKLM\..\RunOnce: [apphy32.exe] C:\WINDOWS\system32\apphy32.exe
O4 - HKLM\..\RunOnce: [apiww.exe] C:\WINDOWS\apiww.exe
O4 - HKLM\..\RunOnce: [appll.exe] C:\WINDOWS\appll.exe
O4 - HKLM\..\RunOnce: [msve32.exe] C:\WINDOWS\system32\msve32.exe
O4 - HKLM\..\RunOnce: [syshp.exe] C:\WINDOWS\system32\syshp.exe
O4 - HKLM\..\RunOnce: [nettc.exe] C:\WINDOWS\system32\nettc.exe
O4 - HKLM\..\RunOnce: [atllt.exe] C:\WINDOWS\atllt.exe
O4 - HKLM\..\RunOnce: [d3oa.exe] C:\WINDOWS\system32\d3oa.exe
O4 - HKLM\..\RunOnce: [netbu.exe] C:\WINDOWS\netbu.exe
O4 - HKLM\..\RunOnce: [ieqz32.exe] C:\WINDOWS\ieqz32.exe
O4 - HKLM\..\RunOnce: [sdkvt.exe] C:\WINDOWS\sdkvt.exe
O4 - HKLM\..\RunOnce: [addgh.exe] C:\WINDOWS\addgh.exe
O4 - HKLM\..\RunOnce: [d3lb32.exe] C:\WINDOWS\d3lb32.exe
O4 - HKLM\..\RunOnce: [iefu.exe] C:\WINDOWS\system32\iefu.exe
O4 - HKLM\..\RunOnce: [ntko32.exe] C:\WINDOWS\system32\ntko32.exe
O4 - HKLM\..\RunOnce: [addkw.exe] C:\WINDOWS\addkw.exe
O4 - HKLM\..\RunOnce: [crpq32.exe] C:\WINDOWS\system32\crpq32.exe
O4 - HKLM\..\RunOnce: [apiij32.exe] C:\WINDOWS\apiij32.exe
O4 - HKLM\..\RunOnce: [sdkhd32.exe] C:\WINDOWS\sdkhd32.exe
O4 - HKLM\..\RunOnce: [apiej.exe] C:\WINDOWS\apiej.exe
O4 - HKLM\..\RunOnce: [atlxl32.exe] C:\WINDOWS\atlxl32.exe
O4 - HKLM\..\RunOnce: [javada32.exe] C:\WINDOWS\javada32.exe
O4 - HKLM\..\RunOnce: [appli32.exe] C:\WINDOWS\system32\appli32.exe
O4 - HKLM\..\RunOnce: [sdkgt32.exe] C:\WINDOWS\system32\sdkgt32.exe
O4 - HKLM\..\RunOnce: [winxs.exe] C:\WINDOWS\winxs.exe
O4 - HKLM\..\RunOnce: [sdkkh.exe] C:\WINDOWS\sdkkh.exe
O4 - HKLM\..\RunOnce: [crly.exe] C:\WINDOWS\crly.exe
O4 - HKLM\..\RunOnce: [javauy32.exe] C:\WINDOWS\system32\javauy32.exe
O4 - HKLM\..\RunOnce: [javaiv.exe] C:\WINDOWS\javaiv.exe
O4 - HKLM\..\RunOnce: [javaor.exe] C:\WINDOWS\javaor.exe
O4 - HKLM\..\RunOnce: [atlto.exe] C:\WINDOWS\atlto.exe
O4 - HKLM\..\RunOnce: [croz.exe] C:\WINDOWS\croz.exe
O4 - HKLM\..\RunOnce: [ntdp.exe] C:\WINDOWS\ntdp.exe
O4 - HKLM\..\RunOnce: [crqr32.exe] C:\WINDOWS\crqr32.exe
O4 - HKLM\..\RunOnce: [applc32.exe] C:\WINDOWS\system32\applc32.exe
O4 - HKLM\..\RunOnce: [apiqh.exe] C:\WINDOWS\apiqh.exe
O4 - HKLM\..\RunOnce: [atlzh32.exe] C:\WINDOWS\system32\atlzh32.exe
O4 - HKLM\..\RunOnce: [atlne.exe] C:\WINDOWS\atlne.exe
O4 - HKLM\..\RunOnce: [atltt.exe] C:\WINDOWS\system32\atltt.exe
O4 - HKLM\..\RunOnce: [d3zx.exe] C:\WINDOWS\d3zx.exe
O4 - HKLM\..\RunOnce: [mfctj.exe] C:\WINDOWS\mfctj.exe
O4 - HKLM\..\RunOnce: [addiq.exe] C:\WINDOWS\system32\addiq.exe
O4 - HKLM\..\RunOnce: [mstr32.exe] C:\WINDOWS\system32\mstr32.exe
O4 - HKLM\..\RunOnce: [iemc.exe] C:\WINDOWS\iemc.exe
O4 - HKLM\..\RunOnce: [appqg.exe] C:\WINDOWS\appqg.exe
O4 - HKLM\..\RunOnce: [netbh32.exe] C:\WINDOWS\netbh32.exe
O4 - HKLM\..\RunOnce: [sdkro.exe] C:\WINDOWS\sdkro.exe
O4 - HKLM\..\RunOnce: [ievk32.exe] C:\WINDOWS\system32\ievk32.exe
O4 - HKLM\..\RunOnce: [cret.exe] C:\WINDOWS\cret.exe
O4 - HKLM\..\RunOnce: [d3kh32.exe] C:\WINDOWS\d3kh32.exe
O4 - HKLM\..\RunOnce: [crze32.exe] C:\WINDOWS\crze32.exe
O4 - HKLM\..\RunOnce: [apidi32.exe] C:\WINDOWS\apidi32.exe
O4 - HKLM\..\RunOnce: [d3yu32.exe] C:\WINDOWS\system32\d3yu32.exe
O4 - HKLM\..\RunOnce: [sysly.exe] C:\WINDOWS\system32\sysly.exe
O4 - HKLM\..\RunOnce: [msmz32.exe] C:\WINDOWS\msmz32.exe
O4 - HKLM\..\RunOnce: [msav32.exe] C:\WINDOWS\system32\msav32.exe
O4 - HKLM\..\RunOnce: [ipfs32.exe] C:\WINDOWS\system32\ipfs32.exe
O4 - HKLM\..\RunOnce: [sdkcy.exe] C:\WINDOWS\system32\sdkcy.exe
O4 - HKLM\..\RunOnce: [ntoy.exe] C:\WINDOWS\system32\ntoy.exe
O4 - HKLM\..\RunOnce: [ntir32.exe] C:\WINDOWS\ntir32.exe
O4 - HKLM\..\RunOnce: [apptk32.exe] C:\WINDOWS\apptk32.exe
O4 - HKLM\..\RunOnce: [atlba32.exe] C:\WINDOWS\atlba32.exe
O4 - HKLM\..\RunOnce: [ntlt32.exe] C:\WINDOWS\ntlt32.exe
O4 - HKLM\..\RunOnce: [winkb.exe] C:\WINDOWS\system32\winkb.exe
O4 - HKLM\..\RunOnce: [msof.exe] C:\WINDOWS\system32\msof.exe
O4 - HKLM\..\RunOnce: [atlec32.exe] C:\WINDOWS\atlec32.exe
O4 - HKLM\..\RunOnce: [netuj32.exe] C:\WINDOWS\netuj32.exe
O4 - HKLM\..\RunOnce: [mfcpn.exe] C:\WINDOWS\mfcpn.exe
O4 - HKLM\..\RunOnce: [sysod32.exe] C:\WINDOWS\sysod32.exe
O4 - HKLM\..\RunOnce: [crms32.exe] C:\WINDOWS\system32\crms32.exe
O4 - HKLM\..\RunOnce: [crma.exe] C:\WINDOWS\system32\crma.exe
O4 - HKLM\..\RunOnce: [javavb.exe] C:\WINDOWS\javavb.exe
O4 - HKLM\..\RunOnce: [winky.exe] C:\WINDOWS\system32\winky.exe
O4 - HKLM\..\RunOnce: [msaf32.exe] C:\WINDOWS\system32\msaf32.exe
O4 - HKLM\..\RunOnce: [iety.exe] C:\WINDOWS\iety.exe
O4 - HKLM\..\RunOnce: [atlpc32.exe] C:\WINDOWS\atlpc32.exe
O4 - HKLM\..\RunOnce: [winzd.exe] C:\WINDOWS\winzd.exe
O4 - HKLM\..\RunOnce: [crst.exe] C:\WINDOWS\system32\crst.exe
O4 - HKLM\..\RunOnce: [ntvf.exe] C:\WINDOWS\ntvf.exe
O4 - HKLM\..\RunOnce: [ielu32.exe] C:\WINDOWS\system32\ielu32.exe
O4 - HKLM\..\RunOnce: [apprg32.exe] C:\WINDOWS\apprg32.exe
O4 - HKLM\..\RunOnce: [addbc.exe] C:\WINDOWS\system32\addbc.exe
O4 - HKLM\..\RunOnce: [netkp32.exe] C:\WINDOWS\system32\netkp32.exe
O4 - HKLM\..\RunOnce: [apifg32.exe] C:\WINDOWS\apifg32.exe
O4 - HKLM\..\RunOnce: [ipck.exe] C:\WINDOWS\ipck.exe
O4 - HKLM\..\RunOnce: [winbe.exe] C:\WINDOWS\winbe.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11772453733709a85601/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120103655171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/View22RTE.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
 
Joined
Jul 26, 2002
Messages
46,349
** First you need to download the following tools and have them ready to run. Do not run any of them until instructed to do so:


* I am attaching a delete.zip file to this post. It contains a delete.bat file. Download it and unzip it to extract the delete.bat file it contains to your desktop and have it ready to run later in safe mode.


* Click here to download cwsserviceremove.zip and unzip it to your desktop.



* Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


* Click here to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. Do Not run it yet.



* Click here to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.



* Now go ahead and set your computer to show hidden files like so:

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"



* Click here for info on how to boot to safe mode if you don't already know how.



**After you have downloaded all the above tools, sign off the internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.


* Click Start > Run > and type in:

services.msc

Click OK.

In the services window look for any one of these four services:

Network Security Service

Network Security Service (NSS)

Workstation Netlogon Service

Remote Procedure Call (RPC) Helper

You will only have one of them so find the one you have.
Right-click it and choose "Properties". (See *Note below if you get an error). On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that option is not there either just skip this step and proceed with the rest. Also it is possible that none of the above are there. If that is the case, skip this step and move on.

CAUTION: There is also a service named Remote Procedure Call (RPC) Locator and one called Remote Procedure Call (RPC). These are the legitimate services. Do not stop those two.


** Restart your computer into safe mode now. Perform the following steps in safe mode:



* Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.



* Run Hijack This and put a check by all of the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {F2938D55-FF24-9FAE-0746-FFB05994C97B} - C:\WINDOWS\system32\javakp.dll

O4 - HKLM\..\Run: [sdkcf32.exe] C:\WINDOWS\system32\sdkcf32.exe

O4 - HKLM\..\RunOnce: [apius32.exe] C:\WINDOWS\system32\apius32.exe
O4 - HKLM\..\RunOnce: [ntiy.exe] C:\WINDOWS\ntiy.exe
O4 - HKLM\..\RunOnce: [crkd.exe] C:\WINDOWS\system32\crkd.exe
O4 - HKLM\..\RunOnce: [appad32.exe] C:\WINDOWS\appad32.exe
O4 - HKLM\..\RunOnce: [d3to32.exe] C:\WINDOWS\d3to32.exe
O4 - HKLM\..\RunOnce: [ntex.exe] C:\WINDOWS\ntex.exe
O4 - HKLM\..\RunOnce: [winyj.exe] C:\WINDOWS\winyj.exe
O4 - HKLM\..\RunOnce: [javaje32.exe] C:\WINDOWS\javaje32.exe
O4 - HKLM\..\RunOnce: [atlcx32.exe] C:\WINDOWS\system32\atlcx32.exe
O4 - HKLM\..\RunOnce: [mfccn32.exe] C:\WINDOWS\system32\mfccn32.exe
O4 - HKLM\..\RunOnce: [sdkmg32.exe] C:\WINDOWS\sdkmg32.exe
O4 - HKLM\..\RunOnce: [applo.exe] C:\WINDOWS\system32\applo.exe
O4 - HKLM\..\RunOnce: [sysdo32.exe] C:\WINDOWS\sysdo32.exe
O4 - HKLM\..\RunOnce: [atltm32.exe] C:\WINDOWS\atltm32.exe
O4 - HKLM\..\RunOnce: [iehg.exe] C:\WINDOWS\system32\iehg.exe
O4 - HKLM\..\RunOnce: [sdkgt.exe] C:\WINDOWS\system32\sdkgt.exe
O4 - HKLM\..\RunOnce: [atllv.exe] C:\WINDOWS\system32\atllv.exe
O4 - HKLM\..\RunOnce: [d3zs.exe] C:\WINDOWS\d3zs.exe
O4 - HKLM\..\RunOnce: [sysvy.exe] C:\WINDOWS\system32\sysvy.exe
O4 - HKLM\..\RunOnce: [mfcpb.exe] C:\WINDOWS\system32\mfcpb.exe
O4 - HKLM\..\RunOnce: [syszt32.exe] C:\WINDOWS\syszt32.exe
O4 - HKLM\..\RunOnce: [javafw.exe] C:\WINDOWS\javafw.exe
O4 - HKLM\..\RunOnce: [sdknw32.exe] C:\WINDOWS\system32\sdknw32.exe
O4 - HKLM\..\RunOnce: [atltq.exe] C:\WINDOWS\system32\atltq.exe
O4 - HKLM\..\RunOnce: [ntut32.exe] C:\WINDOWS\ntut32.exe
O4 - HKLM\..\RunOnce: [atlhn.exe] C:\WINDOWS\system32\atlhn.exe
O4 - HKLM\..\RunOnce: [javaby.exe] C:\WINDOWS\system32\javaby.exe
O4 - HKLM\..\RunOnce: [ntjn.exe] C:\WINDOWS\system32\ntjn.exe
O4 - HKLM\..\RunOnce: [appwi32.exe] C:\WINDOWS\appwi32.exe
O4 - HKLM\..\RunOnce: [crwq.exe] C:\WINDOWS\system32\crwq.exe
O4 - HKLM\..\RunOnce: [apibk.exe] C:\WINDOWS\system32\apibk.exe
O4 - HKLM\..\RunOnce: [addpu32.exe] C:\WINDOWS\system32\addpu32.exe
O4 - HKLM\..\RunOnce: [cruw.exe] C:\WINDOWS\cruw.exe
O4 - HKLM\..\RunOnce: [mste.exe] C:\WINDOWS\system32\mste.exe
O4 - HKLM\..\RunOnce: [sdkgo.exe] C:\WINDOWS\system32\sdkgo.exe
O4 - HKLM\..\RunOnce: [atlli32.exe] C:\WINDOWS\system32\atlli32.exe
O4 - HKLM\..\RunOnce: [javabn32.exe] C:\WINDOWS\javabn32.exe
O4 - HKLM\..\RunOnce: [mfcoi.exe] C:\WINDOWS\mfcoi.exe
O4 - HKLM\..\RunOnce: [apivx.exe] C:\WINDOWS\apivx.exe
O4 - HKLM\..\RunOnce: [javahd32.exe] C:\WINDOWS\system32\javahd32.exe
O4 - HKLM\..\RunOnce: [sdkyi.exe] C:\WINDOWS\system32\sdkyi.exe
O4 - HKLM\..\RunOnce: [netzv32.exe] C:\WINDOWS\system32\netzv32.exe
O4 - HKLM\..\RunOnce: [winex.exe] C:\WINDOWS\system32\winex.exe
O4 - HKLM\..\RunOnce: [javadx32.exe] C:\WINDOWS\javadx32.exe
O4 - HKLM\..\RunOnce: [apijz.exe] C:\WINDOWS\apijz.exe
O4 - HKLM\..\RunOnce: [sdknd32.exe] C:\WINDOWS\sdknd32.exe
O4 - HKLM\..\RunOnce: [atlsx.exe] C:\WINDOWS\system32\atlsx.exe
O4 - HKLM\..\RunOnce: [iern32.exe] C:\WINDOWS\system32\iern32.exe
O4 - HKLM\..\RunOnce: [sdkun32.exe] C:\WINDOWS\sdkun32.exe
O4 - HKLM\..\RunOnce: [msmy.exe] C:\WINDOWS\system32\msmy.exe
O4 - HKLM\..\RunOnce: [mfcfj.exe] C:\WINDOWS\mfcfj.exe
O4 - HKLM\..\RunOnce: [addsw.exe] C:\WINDOWS\system32\addsw.exe
O4 - HKLM\..\RunOnce: [ntbf.exe] C:\WINDOWS\system32\ntbf.exe
O4 - HKLM\..\RunOnce: [winvq.exe] C:\WINDOWS\winvq.exe
O4 - HKLM\..\RunOnce: [mskx.exe] C:\WINDOWS\mskx.exe
O4 - HKLM\..\RunOnce: [sdkvq32.exe] C:\WINDOWS\sdkvq32.exe
O4 - HKLM\..\RunOnce: [javaoj.exe] C:\WINDOWS\system32\javaoj.exe
O4 - HKLM\..\RunOnce: [iekn.exe] C:\WINDOWS\iekn.exe
O4 - HKLM\..\RunOnce: [appdg32.exe] C:\WINDOWS\system32\appdg32.exe
O4 - HKLM\..\RunOnce: [apitw.exe] C:\WINDOWS\system32\apitw.exe
O4 - HKLM\..\RunOnce: [sdkxs32.exe] C:\WINDOWS\sdkxs32.exe
O4 - HKLM\..\RunOnce: [ntmp32.exe] C:\WINDOWS\ntmp32.exe
O4 - HKLM\..\RunOnce: [ipbm32.exe] C:\WINDOWS\system32\ipbm32.exe
O4 - HKLM\..\RunOnce: [addfq32.exe] C:\WINDOWS\system32\addfq32.exe
O4 - HKLM\..\RunOnce: [ntac32.exe] C:\WINDOWS\system32\ntac32.exe
O4 - HKLM\..\RunOnce: [crfg.exe] C:\WINDOWS\crfg.exe
O4 - HKLM\..\RunOnce: [sdkog32.exe] C:\WINDOWS\system32\sdkog32.exe
O4 - HKLM\..\RunOnce: [addxm.exe] C:\WINDOWS\addxm.exe
O4 - HKLM\..\RunOnce: [netmb32.exe] C:\WINDOWS\netmb32.exe
O4 - HKLM\..\RunOnce: [javadj.exe] C:\WINDOWS\javadj.exe
O4 - HKLM\..\RunOnce: [iehn32.exe] C:\WINDOWS\iehn32.exe
O4 - HKLM\..\RunOnce: [crqo.exe] C:\WINDOWS\crqo.exe
O4 - HKLM\..\RunOnce: [d3wk32.exe] C:\WINDOWS\d3wk32.exe
O4 - HKLM\..\RunOnce: [crkh32.exe] C:\WINDOWS\system32\crkh32.exe
O4 - HKLM\..\RunOnce: [netpd32.exe] C:\WINDOWS\netpd32.exe
O4 - HKLM\..\RunOnce: [d3kp32.exe] C:\WINDOWS\system32\d3kp32.exe
O4 - HKLM\..\RunOnce: [sysxt.exe] C:\WINDOWS\sysxt.exe
O4 - HKLM\..\RunOnce: [ieyu32.exe] C:\WINDOWS\system32\ieyu32.exe
O4 - HKLM\..\RunOnce: [msmq32.exe] C:\WINDOWS\msmq32.exe
O4 - HKLM\..\RunOnce: [ntrn32.exe] C:\WINDOWS\system32\ntrn32.exe
O4 - HKLM\..\RunOnce: [iemy32.exe] C:\WINDOWS\iemy32.exe
O4 - HKLM\..\RunOnce: [addrd.exe] C:\WINDOWS\system32\addrd.exe
O4 - HKLM\..\RunOnce: [winal32.exe] C:\WINDOWS\winal32.exe
O4 - HKLM\..\RunOnce: [sysoa32.exe] C:\WINDOWS\system32\sysoa32.exe
O4 - HKLM\..\RunOnce: [sdkte32.exe] C:\WINDOWS\sdkte32.exe
O4 - HKLM\..\RunOnce: [winoq32.exe] C:\WINDOWS\system32\winoq32.exe
O4 - HKLM\..\RunOnce: [atltu.exe] C:\WINDOWS\atltu.exe
O4 - HKLM\..\RunOnce: [addbu32.exe] C:\WINDOWS\system32\addbu32.exe
O4 - HKLM\..\RunOnce: [ieaq32.exe] C:\WINDOWS\ieaq32.exe
O4 - HKLM\..\RunOnce: [sdktz32.exe] C:\WINDOWS\system32\sdktz32.exe
O4 - HKLM\..\RunOnce: [ieds32.exe] C:\WINDOWS\ieds32.exe
O4 - HKLM\..\RunOnce: [netda.exe] C:\WINDOWS\system32\netda.exe
O4 - HKLM\..\RunOnce: [atlhe.exe] C:\WINDOWS\atlhe.exe
O4 - HKLM\..\RunOnce: [sdkwb32.exe] C:\WINDOWS\system32\sdkwb32.exe
O4 - HKLM\..\RunOnce: [d3ui.exe] C:\WINDOWS\d3ui.exe
O4 - HKLM\..\RunOnce: [winqm32.exe] C:\WINDOWS\winqm32.exe
O4 - HKLM\..\RunOnce: [iean.exe] C:\WINDOWS\iean.exe
O4 - HKLM\..\RunOnce: [iefj32.exe] C:\WINDOWS\iefj32.exe
O4 - HKLM\..\RunOnce: [ieug32.exe] C:\WINDOWS\system32\ieug32.exe
O4 - HKLM\..\RunOnce: [ntzc32.exe] C:\WINDOWS\ntzc32.exe
O4 - HKLM\..\RunOnce: [sysco32.exe] C:\WINDOWS\system32\sysco32.exe
O4 - HKLM\..\RunOnce: [addhs.exe] C:\WINDOWS\addhs.exe
O4 - HKLM\..\RunOnce: [winht32.exe] C:\WINDOWS\system32\winht32.exe
O4 - HKLM\..\RunOnce: [syswq32.exe] C:\WINDOWS\syswq32.exe
O4 - HKLM\..\RunOnce: [javabm32.exe] C:\WINDOWS\system32\javabm32.exe
O4 - HKLM\..\RunOnce: [winey32.exe] C:\WINDOWS\winey32.exe
O4 - HKLM\..\RunOnce: [atlic.exe] C:\WINDOWS\system32\atlic.exe
O4 - HKLM\..\RunOnce: [javael.exe] C:\WINDOWS\system32\javael.exe
O4 - HKLM\..\RunOnce: [mfcdb32.exe] C:\WINDOWS\system32\mfcdb32.exe
O4 - HKLM\..\RunOnce: [winbr32.exe] C:\WINDOWS\winbr32.exe
O4 - HKLM\..\RunOnce: [addbz.exe] C:\WINDOWS\system32\addbz.exe
O4 - HKLM\..\RunOnce: [apizw32.exe] C:\WINDOWS\system32\apizw32.exe
O4 - HKLM\..\RunOnce: [sdkpe32.exe] C:\WINDOWS\system32\sdkpe32.exe
O4 - HKLM\..\RunOnce: [ipsh.exe] C:\WINDOWS\ipsh.exe
O4 - HKLM\..\RunOnce: [addrx32.exe] C:\WINDOWS\addrx32.exe
O4 - HKLM\..\RunOnce: [msim.exe] C:\WINDOWS\system32\msim.exe
O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\system32\nthc32.exe
O4 - HKLM\..\RunOnce: [mfcfs32.exe] C:\WINDOWS\mfcfs32.exe
O4 - HKLM\..\RunOnce: [apifa32.exe] C:\WINDOWS\system32\apifa32.exe
O4 - HKLM\..\RunOnce: [mfcuu32.exe] C:\WINDOWS\system32\mfcuu32.exe
O4 - HKLM\..\RunOnce: [atlir.exe] C:\WINDOWS\atlir.exe
O4 - HKLM\..\RunOnce: [mfcoo.exe] C:\WINDOWS\mfcoo.exe
O4 - HKLM\..\RunOnce: [ipbq.exe] C:\WINDOWS\system32\ipbq.exe
O4 - HKLM\..\RunOnce: [msbk.exe] C:\WINDOWS\system32\msbk.exe
O4 - HKLM\..\RunOnce: [appgm.exe] C:\WINDOWS\appgm.exe
O4 - HKLM\..\RunOnce: [apphy32.exe] C:\WINDOWS\system32\apphy32.exe
O4 - HKLM\..\RunOnce: [apiww.exe] C:\WINDOWS\apiww.exe
O4 - HKLM\..\RunOnce: [appll.exe] C:\WINDOWS\appll.exe
O4 - HKLM\..\RunOnce: [msve32.exe] C:\WINDOWS\system32\msve32.exe
O4 - HKLM\..\RunOnce: [syshp.exe] C:\WINDOWS\system32\syshp.exe
O4 - HKLM\..\RunOnce: [nettc.exe] C:\WINDOWS\system32\nettc.exe
O4 - HKLM\..\RunOnce: [atllt.exe] C:\WINDOWS\atllt.exe
O4 - HKLM\..\RunOnce: [d3oa.exe] C:\WINDOWS\system32\d3oa.exe
O4 - HKLM\..\RunOnce: [netbu.exe] C:\WINDOWS\netbu.exe
O4 - HKLM\..\RunOnce: [ieqz32.exe] C:\WINDOWS\ieqz32.exe
O4 - HKLM\..\RunOnce: [sdkvt.exe] C:\WINDOWS\sdkvt.exe
O4 - HKLM\..\RunOnce: [addgh.exe] C:\WINDOWS\addgh.exe
O4 - HKLM\..\RunOnce: [d3lb32.exe] C:\WINDOWS\d3lb32.exe
O4 - HKLM\..\RunOnce: [iefu.exe] C:\WINDOWS\system32\iefu.exe
O4 - HKLM\..\RunOnce: [ntko32.exe] C:\WINDOWS\system32\ntko32.exe
O4 - HKLM\..\RunOnce: [addkw.exe] C:\WINDOWS\addkw.exe
O4 - HKLM\..\RunOnce: [crpq32.exe] C:\WINDOWS\system32\crpq32.exe
O4 - HKLM\..\RunOnce: [apiij32.exe] C:\WINDOWS\apiij32.exe
O4 - HKLM\..\RunOnce: [sdkhd32.exe] C:\WINDOWS\sdkhd32.exe
O4 - HKLM\..\RunOnce: [apiej.exe] C:\WINDOWS\apiej.exe
O4 - HKLM\..\RunOnce: [atlxl32.exe] C:\WINDOWS\atlxl32.exe
O4 - HKLM\..\RunOnce: [javada32.exe] C:\WINDOWS\javada32.exe
O4 - HKLM\..\RunOnce: [appli32.exe] C:\WINDOWS\system32\appli32.exe
O4 - HKLM\..\RunOnce: [sdkgt32.exe] C:\WINDOWS\system32\sdkgt32.exe
O4 - HKLM\..\RunOnce: [winxs.exe] C:\WINDOWS\winxs.exe
O4 - HKLM\..\RunOnce: [sdkkh.exe] C:\WINDOWS\sdkkh.exe
O4 - HKLM\..\RunOnce: [crly.exe] C:\WINDOWS\crly.exe
O4 - HKLM\..\RunOnce: [javauy32.exe] C:\WINDOWS\system32\javauy32.exe
O4 - HKLM\..\RunOnce: [javaiv.exe] C:\WINDOWS\javaiv.exe
O4 - HKLM\..\RunOnce: [javaor.exe] C:\WINDOWS\javaor.exe
O4 - HKLM\..\RunOnce: [atlto.exe] C:\WINDOWS\atlto.exe
O4 - HKLM\..\RunOnce: [croz.exe] C:\WINDOWS\croz.exe
O4 - HKLM\..\RunOnce: [ntdp.exe] C:\WINDOWS\ntdp.exe
O4 - HKLM\..\RunOnce: [crqr32.exe] C:\WINDOWS\crqr32.exe
O4 - HKLM\..\RunOnce: [applc32.exe] C:\WINDOWS\system32\applc32.exe
O4 - HKLM\..\RunOnce: [apiqh.exe] C:\WINDOWS\apiqh.exe
O4 - HKLM\..\RunOnce: [atlzh32.exe] C:\WINDOWS\system32\atlzh32.exe
O4 - HKLM\..\RunOnce: [atlne.exe] C:\WINDOWS\atlne.exe
O4 - HKLM\..\RunOnce: [atltt.exe] C:\WINDOWS\system32\atltt.exe
O4 - HKLM\..\RunOnce: [d3zx.exe] C:\WINDOWS\d3zx.exe
O4 - HKLM\..\RunOnce: [mfctj.exe] C:\WINDOWS\mfctj.exe
O4 - HKLM\..\RunOnce: [addiq.exe] C:\WINDOWS\system32\addiq.exe
O4 - HKLM\..\RunOnce: [mstr32.exe] C:\WINDOWS\system32\mstr32.exe
O4 - HKLM\..\RunOnce: [iemc.exe] C:\WINDOWS\iemc.exe
O4 - HKLM\..\RunOnce: [appqg.exe] C:\WINDOWS\appqg.exe
O4 - HKLM\..\RunOnce: [netbh32.exe] C:\WINDOWS\netbh32.exe
O4 - HKLM\..\RunOnce: [sdkro.exe] C:\WINDOWS\sdkro.exe
O4 - HKLM\..\RunOnce: [ievk32.exe] C:\WINDOWS\system32\ievk32.exe
O4 - HKLM\..\RunOnce: [cret.exe] C:\WINDOWS\cret.exe
O4 - HKLM\..\RunOnce: [d3kh32.exe] C:\WINDOWS\d3kh32.exe
O4 - HKLM\..\RunOnce: [crze32.exe] C:\WINDOWS\crze32.exe
O4 - HKLM\..\RunOnce: [apidi32.exe] C:\WINDOWS\apidi32.exe
O4 - HKLM\..\RunOnce: [d3yu32.exe] C:\WINDOWS\system32\d3yu32.exe
O4 - HKLM\..\RunOnce: [sysly.exe] C:\WINDOWS\system32\sysly.exe
O4 - HKLM\..\RunOnce: [msmz32.exe] C:\WINDOWS\msmz32.exe
O4 - HKLM\..\RunOnce: [msav32.exe] C:\WINDOWS\system32\msav32.exe
O4 - HKLM\..\RunOnce: [ipfs32.exe] C:\WINDOWS\system32\ipfs32.exe
O4 - HKLM\..\RunOnce: [sdkcy.exe] C:\WINDOWS\system32\sdkcy.exe
O4 - HKLM\..\RunOnce: [ntoy.exe] C:\WINDOWS\system32\ntoy.exe
O4 - HKLM\..\RunOnce: [ntir32.exe] C:\WINDOWS\ntir32.exe
O4 - HKLM\..\RunOnce: [apptk32.exe] C:\WINDOWS\apptk32.exe
O4 - HKLM\..\RunOnce: [atlba32.exe] C:\WINDOWS\atlba32.exe
O4 - HKLM\..\RunOnce: [ntlt32.exe] C:\WINDOWS\ntlt32.exe
O4 - HKLM\..\RunOnce: [winkb.exe] C:\WINDOWS\system32\winkb.exe
O4 - HKLM\..\RunOnce: [msof.exe] C:\WINDOWS\system32\msof.exe
O4 - HKLM\..\RunOnce: [atlec32.exe] C:\WINDOWS\atlec32.exe
O4 - HKLM\..\RunOnce: [netuj32.exe] C:\WINDOWS\netuj32.exe
O4 - HKLM\..\RunOnce: [mfcpn.exe] C:\WINDOWS\mfcpn.exe
O4 - HKLM\..\RunOnce: [sysod32.exe] C:\WINDOWS\sysod32.exe
O4 - HKLM\..\RunOnce: [crms32.exe] C:\WINDOWS\system32\crms32.exe
O4 - HKLM\..\RunOnce: [crma.exe] C:\WINDOWS\system32\crma.exe
O4 - HKLM\..\RunOnce: [javavb.exe] C:\WINDOWS\javavb.exe
O4 - HKLM\..\RunOnce: [winky.exe] C:\WINDOWS\system32\winky.exe
O4 - HKLM\..\RunOnce: [msaf32.exe] C:\WINDOWS\system32\msaf32.exe
O4 - HKLM\..\RunOnce: [iety.exe] C:\WINDOWS\iety.exe
O4 - HKLM\..\RunOnce: [atlpc32.exe] C:\WINDOWS\atlpc32.exe
O4 - HKLM\..\RunOnce: [winzd.exe] C:\WINDOWS\winzd.exe
O4 - HKLM\..\RunOnce: [crst.exe] C:\WINDOWS\system32\crst.exe
O4 - HKLM\..\RunOnce: [ntvf.exe] C:\WINDOWS\ntvf.exe
O4 - HKLM\..\RunOnce: [ielu32.exe] C:\WINDOWS\system32\ielu32.exe
O4 - HKLM\..\RunOnce: [apprg32.exe] C:\WINDOWS\apprg32.exe
O4 - HKLM\..\RunOnce: [addbc.exe] C:\WINDOWS\system32\addbc.exe
O4 - HKLM\..\RunOnce: [netkp32.exe] C:\WINDOWS\system32\netkp32.exe
O4 - HKLM\..\RunOnce: [apifg32.exe] C:\WINDOWS\apifg32.exe
O4 - HKLM\..\RunOnce: [ipck.exe] C:\WINDOWS\ipck.exe
O4 - HKLM\..\RunOnce: [winbe.exe] C:\WINDOWS\winbe.exe

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/View22RTE.cab


After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.



* Double-click on the delete.bat file to run it. Let it run to completion.


* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.



* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.



* Start CCleaner and click Run Cleaner.



* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.



** Restart back into Windows normally now and do the following:



* Download the Hoster from here. UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.



* If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)



* Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
Find shell.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.



* control.exe may have been deleted.
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.



* IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! Reset your ActiveX security settings like so... Go to Internet Options > Security > Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.
 

Attachments
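The helper's post above amounts to a manual triage of the HijackThis log: pick out the O4 RunOnce entries with random two-letter names, the R0/R1 entries redirected into a res:// DLL resource, and the rogue "Network Security Service" style O23 service. As an added example (not part of this thread and not code from HijackThis, CWShredder or any other tool the post names), here is a small Python script that applies those same heuristics over log text so a defender can see at a glance which lines need attention. The sample log is a constructed subset of lines copied from this thread; the `CWS_PREFIXES` list, the regular expressions and the scoring rules are my own assumptions drawn from the entries in the log, not a published signature.

```python
"""Triage a HijackThis log for CoolWebSearch-style persistence entries.

Heuristics (assumed, modelled on what the helper's post fixes by hand):
  * O4 Run/RunOnce values named <system-ish prefix><2 letters>[32].exe
  * R0/R1 search/start-page entries that point at a res:// DLL resource
  * O23 services that are "(file missing)", carry non-ASCII characters in
    their name, or use one of the display names the post lists
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Value-name prefixes observed in the O4 RunOnce entries of the log above (assumption).
CWS_PREFIXES = ("add", "api", "app", "atl", "cr", "d3", "ie", "ip",
                "java", "mfc", "ms", "net", "nt", "sdk", "sys", "win")
# Service display names the helper's post tells the user to look for.
CWS_SERVICE_NAMES = {
    "Network Security Service",
    "Network Security Service (NSS)",
    "Workstation Netlogon Service",
    "Remote Procedure Call (RPC) Helper",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# prefix + two random lowercase letters + optional "32" + ".exe"
CWS_NAME_RE = re.compile(r"^(?:%s)[a-z]{2}(?:32)?\.exe$" % "|".join(CWS_PREFIXES))


@dataclass
class Finding:
    section: str                       # "O4", "R1", "O23", ...
    line: str
    reasons: List[str] = field(default_factory=list)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis line, or None if it looks benign."""
    line = line.strip()
    reasons: List[str] = []
    if m := O4_RE.match(line):
        if CWS_NAME_RE.match(m["name"]):
            reasons.append(f"{m['key']} value '{m['name']}' fits the CWS random-name pattern")
    elif m := R_RE.match(line):
        if m["value"].lower().startswith("res://"):
            reasons.append("browser search/start page redirected into a res:// DLL resource")
    elif m := O23_RE.match(line):
        display = m["display"]
        if "(file missing)" in m["path"]:
            reasons.append("service binary is missing from disk")
        if not display.isascii():
            reasons.append("service name contains non-ASCII characters")
        if display in CWS_SERVICE_NAMES or display.split(" (")[0] in CWS_SERVICE_NAMES:
            reasons.append("display name is one of those the post lists")
        # "Unknown owner" alone is common for hardware utilities (Lexar, Iomega),
        # so it only strengthens a finding that already has a stronger signal.
        if reasons and m["owner"] == "Unknown owner":
            reasons.append("no publisher recorded for the service")
    if not reasons:
        return None
    return Finding(line.split(" - ", 1)[0], line, reasons)


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of a HijackThis log and collect the hits."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f is not None]


def count_by_section(findings: List[Finding]) -> Dict[str, int]:
    """Number of flagged lines per HijackThis section, e.g. {'O4': 3, 'R1': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [ntzc32.exe] C:\WINDOWS\ntzc32.exe
O4 - HKLM\..\RunOnce: [javabm32.exe] C:\WINDOWS\system32\javabm32.exe
O4 - HKLM\..\RunOnce: [d3oa.exe] C:\WINDOWS\system32\d3oa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rhisi.dll/sp.html#69589
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlpg.exe" /s (file missing)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    -", reason)
```

On the sample above the script flags the three random-named RunOnce values, the res:// search-bar hijack and the rogue service (missing binary, non-ASCII name, listed display name, unknown owner), while leaving the Symantec, Messenger, Lexar and NVIDIA lines alone. The "(file missing)" rule will also surface harmless leftovers such as the ZipToA entry in the first log, so treat the output as a review list for the kind of manual fix the post walks through, not as an automatic delete list.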

old_lion

Thread Starter
Joined
Jul 4, 2005
Messages
27
Thanks Firman, I downloaded and ran the files as per your instructions. Also ran the activescan. New logfile and scan is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 6:13:35 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\atlpg.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
D:\Hi-Jack This\HijackThis v1.99.1.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32nt.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11772453733709a85601/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120103655171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlpg.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Results of active scan

Incident | Status | Location

Adware:Adware/SearchAid | No disinfected | C:\WINDOWS\appxd32.exe
Virus:Trj/WmvDownloader.A | Disinfected | D:\Saved DAT Files\download109729410312695968.dat
I manually deleted appxd32.exe and then restored my homepage.

I have been online for a few minutes and as yet no ads or browser hijacking has occurred. Early in the A.M., when I finished running your instructions, I did have a problem with WinXP shutting down. It went through the motions all the way to the part where it says "Logging Off", then it just hung there for about 10 minutes.

I finally just had to turn it off.
 
Joined
Jul 26, 2002
Messages
46,349
The log looks good now. Let's run one more scan.

Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, have it delete anything that it cannot clean. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu, choose "Text file (*.txt)" and save it as a text file.

Post a new HiJackThis log along with the report from the Housecall scan.
 

old_lion

Thread Starter
Joined
Jul 4, 2005
Messages
27
Thanks for the quick reply, Firman. Here are the results of the scan and the new logfile.

Trend Micro Housecall Virus Scan: 0 virus cleaned, 0 virus deleted

Results:
We have detected 0 infected file(s) with 0 virus(es) on your
computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File | Associated Virus Name | Action Taken

Trojan/Worm Check: 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a
Trojan seems like a harmless program, it contains malicious
code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your
computer. Only 0 out of 0 Trojan horse programs and worms are
displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name | Trojan/Worm Type | Action Taken

Spyware Check: 2 spyware programs removed

What we checked:
Whether personal information was tracked and reported by
spyware. Spyware is often installed secretly with legitimate
programs downloaded from the Internet.
Results:
We have detected 2 spyware(s) on your computer. Only 0 out of
0 spywares are displayed:
- 0 spyware(s) passed, 0 spyware(s) no action available
- 2 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name | Spyware Type | Action Taken
COOKIE_1701 | Cookie | Removal successful
COOKIE_2842 | Cookie | Removal successful

Microsoft Vulnerability Check: No vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues
Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 0 vulnerability/vulnerabilities on your
computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level | Issue | How to Fix


Logfile of HijackThis v1.99.1
Scan saved at 7:43:50 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\atlpg.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Hi-Jack This\HijackThis v1.99.1.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32nt.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11772453733709a85601/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120103655171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlpg.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
 
Joined
Jul 26, 2002
Messages
46,349
You still have this:

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlpg.exe" /s (file missing)


* Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Network Security Service.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


** Restart your computer into safe mode now. Perform the following steps in safe mode:



* Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.


* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.



* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (not "Scan only") and let it do its thing.


* Start CCleaner and click Run Cleaner.



* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.



** Restart back into Windows normally now.


Post a new HiJackThis log.
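The check the helper applies above, spotting an O23 entry with an unknown owner, a "(file missing)" binary and a garbage service name, then confirming it is gone from the next log, can be run over the log text itself. This is an added example written for this thread, not code from HijackThis or anything the posters ran; the sample lines are copied from the 7:43 PM and 9:24 PM logs posted above.

```python
"""Triage the O23 (service) entries of a HijackThis log.

Constructed example for this thread, not code from HijackThis or the forum.
Flags the traits the helper keyed on ("Unknown owner", "(file missing)", a
garbage service name, an unbalanced quote) and diffs two logs for removals.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Display name, optional short name in parentheses, owner, command line.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<short>[^)]*)\))? - (?P<owner>.+?) - (?P<cmd>.+)$"
)


@dataclass(frozen=True)
class ServiceEntry:
    display: str
    short: str
    owner: str
    cmd: str

    @property
    def file_missing(self) -> bool:
        return self.cmd.endswith("(file missing)")

    @property
    def unknown_owner(self) -> bool:
        return self.owner == "Unknown owner"

    @property
    def garbled_name(self) -> bool:
        # Genuine service names are printable ASCII; high-bit or control
        # characters suggest the name was generated rather than chosen.
        return any(ord(c) < 32 or ord(c) > 126 for c in self.short)

    @property
    def stray_quote(self) -> bool:
        # An unmatched quote means the ImagePath value itself is malformed.
        return self.cmd.count('"') % 2 == 1

    def verdict(self) -> str:
        if self.garbled_name or self.stray_quote:
            return "suspect"
        if self.unknown_owner or self.file_missing:
            return "review"  # unsigned third party or leftover; verify by hand
        return "ok"


def parse_o23(log: str) -> list[ServiceEntry]:
    """Return the O23 entries of a HijackThis log; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["display"], m["short"] or "",
                                        m["owner"], m["cmd"]))
    return entries


def triage(log: str) -> dict[str, str]:
    """Map each service display name to its verdict."""
    return {e.display: e.verdict() for e in parse_o23(log)}


def removed_between(before: str, after: str) -> set[str]:
    """Services present in the earlier log but gone from the later one."""
    seen_after = {e.display for e in parse_o23(after)}
    return {e.display for e in parse_o23(before)} - seen_after


# Constructed sample: lines copied from the 7:43 PM and 9:24 PM logs above.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlpg.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
"""
LOG_AFTER = "\n".join(ln for ln in LOG_BEFORE.splitlines() if "atlpg.exe" not in ln)

if __name__ == "__main__":
    print(triage(LOG_BEFORE))
    print("removed by cleanup:", removed_between(LOG_BEFORE, LOG_AFTER))
```

The "review" verdict on ZipToA and the Lexar service is deliberate: an unknown owner or a missing binary alone is common for stale third-party installs and only warrants a manual look, while the garbled name and broken quoting on atlpg.exe are what single it out.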
 

old_lion

Thread Starter
Joined
Jul 4, 2005
Messages
27
Okay, that is done and here is the new logfile.

Logfile of HijackThis v1.99.1
Scan saved at 9:24:23 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
D:\Hi-Jack This\HijackThis v1.99.1.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32nt.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11772453733709a85601/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120103655171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
 
Joined
Jul 26, 2002
Messages
46,349
Clean! (y)

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
 

old_lion

Thread Starter
Joined
Jul 4, 2005
Messages
27
Thanks for the assistance Firman, I have created the restore point as instructed. I am still having shutdown problems but then that is another thread to start in another forum.

I have been on the Web for a few minutes and there have been "0" ads, popups, etc.; so I think we may have killed the beast.
I will check my security settings as suggested.

Again, Thank You. old_lion
 
Joined
Jul 26, 2002
Messages
46,349
Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
 