Logfile of HijackThis v1.97.7
Scan saved at 11:52:31 PM, on 9/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\appgd32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\apikg32.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Winad Client\Winad.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Winad Client\WinClt.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Juno\exec.exe
C:\WINDOWS\System32\Fnjt.exe
C:\WINDOWS\System32\GoxOY.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\Juno\qsacc\x1exec.exe
C:\Program Files\MYIE2\MyIE.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Gary\My Documents\fly patterns\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50171
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\guobp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://guobp.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Gary\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://guobp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Gary\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\guobp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://guobp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\guobp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://auto.search.msn.com/response.asp?MT=www.hotmail.com&srch=3&prov=&utf8
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2DB33C9A-486B-0088-7058-260CEBB2901E} - C:\WINDOWS\system32\sdkyb.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [apikg32.exe] C:\WINDOWS\system32\apikg32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [
[email protected]] C:\WINDOWS\System32\Qep78k1i.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Gary\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [sti] C:\WINDOWS\System32\sti.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKLM\..\RunOnce: [atlwr32.exe] C:\WINDOWS\system32\atlwr32.exe
O4 - HKLM\..\RunOnce: [mfcjn.exe] C:\WINDOWS\system32\mfcjn.exe
O4 - HKLM\..\RunOnce: [netlt.exe] C:\WINDOWS\system32\netlt.exe
O4 - HKLM\..\RunOnce: [sysoi32.exe] C:\WINDOWS\system32\sysoi32.exe
O4 - HKLM\..\RunOnce: [javals.exe] C:\WINDOWS\system32\javals.exe
O4 - HKLM\..\RunOnce: [ntbe.exe] C:\WINDOWS\ntbe.exe
O4 - HKLM\..\RunOnce: [ipml.exe] C:\WINDOWS\ipml.exe
O4 - HKLM\..\RunOnce: [mfcnj.exe] C:\WINDOWS\system32\mfcnj.exe
O4 - HKLM\..\RunOnce: [apppu.exe] C:\WINDOWS\apppu.exe
O4 - HKLM\..\RunOnce: [netas.exe] C:\WINDOWS\netas.exe
O4 - HKLM\..\RunOnce: [sdkmp32.exe] C:\WINDOWS\system32\sdkmp32.exe
O4 - HKLM\..\RunOnce: [atltv32.exe] C:\WINDOWS\atltv32.exe
O4 - HKLM\..\RunOnce: [javaux32.exe] C:\WINDOWS\javaux32.exe
O4 - HKLM\..\RunOnce: [iedy32.exe] C:\WINDOWS\iedy32.exe
O4 - HKLM\..\RunOnce: [crrw.exe] C:\WINDOWS\crrw.exe
O4 - HKLM\..\RunOnce: [iees.exe] C:\WINDOWS\iees.exe
O4 - HKLM\..\RunOnce: [ipea32.exe] C:\WINDOWS\ipea32.exe
O4 - HKLM\..\RunOnce: [addhp.exe] C:\WINDOWS\system32\addhp.exe
O4 - HKLM\..\RunOnce: [ipmv.exe] C:\WINDOWS\system32\ipmv.exe
O4 - HKLM\..\RunOnce: [ipuq32.exe] C:\WINDOWS\ipuq32.exe
O4 - HKLM\..\RunOnce: [apicl.exe] C:\WINDOWS\apicl.exe
O4 - HKLM\..\RunOnce: [ipil32.exe] C:\WINDOWS\system32\ipil32.exe
O4 - HKLM\..\RunOnce: [addnf.exe] C:\WINDOWS\addnf.exe
O4 - HKLM\..\RunOnce: [javaox.exe] C:\WINDOWS\javaox.exe
O4 - HKLM\..\RunOnce: [winmq.exe] C:\WINDOWS\system32\winmq.exe
O4 - HKLM\..\RunOnce: [sdkre.exe] C:\WINDOWS\system32\sdkre.exe
O4 - HKLM\..\RunOnce: [syszw32.exe] C:\WINDOWS\syszw32.exe
O4 - HKLM\..\RunOnce: [ntwo.exe] C:\WINDOWS\system32\ntwo.exe
O4 - HKLM\..\RunOnce: [msxb.exe] C:\WINDOWS\system32\msxb.exe
O4 - HKLM\..\RunOnce: [javazh.exe] C:\WINDOWS\system32\javazh.exe
O4 - HKLM\..\RunOnce: [mfckp32.exe] C:\WINDOWS\mfckp32.exe
O4 - HKLM\..\RunOnce: [netfa.exe] C:\WINDOWS\system32\netfa.exe
O4 - HKLM\..\RunOnce: [ipas.exe] C:\WINDOWS\ipas.exe
O4 - HKLM\..\RunOnce: [mfcud.exe] C:\WINDOWS\mfcud.exe
O4 - HKLM\..\RunOnce: [addrd32.exe] C:\WINDOWS\addrd32.exe
O4 - HKLM\..\RunOnce: [atlyp.exe] C:\WINDOWS\system32\atlyp.exe
O4 - HKLM\..\RunOnce: [msne32.exe] C:\WINDOWS\msne32.exe
O4 - HKLM\..\RunOnce: [appcl.exe] C:\WINDOWS\system32\appcl.exe
O4 - HKLM\..\RunOnce: [atlvy.exe] C:\WINDOWS\system32\atlvy.exe
O4 - HKLM\..\RunOnce: [mses.exe] C:\WINDOWS\mses.exe
O4 - HKLM\..\RunOnce: [d3wa.exe] C:\WINDOWS\system32\d3wa.exe
O4 - HKLM\..\RunOnce: [d3sp.exe] C:\WINDOWS\system32\d3sp.exe
O4 - HKLM\..\RunOnce: [sysds32.exe] C:\WINDOWS\system32\sysds32.exe
O4 - HKLM\..\RunOnce: [tlc] C:\WINDOWS\update13.js
O4 - HKLM\..\RunOnce: [d3hn.exe] C:\WINDOWS\d3hn.exe
O4 - HKCU\..\RunOnce: [untd_recovery] C:\Program Files\Juno\qsacc\x1exec.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: GhostSurf Privacy Center (HKLM)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...842869220dcf:31e1e886df05c54f80cdc9defbb7eddc
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38032.2208680556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA3E9C60-A568-4981-B5E7-82ABFBA30372}: NameServer = 64.136.20.121 64.136.28.121