
Solved: TROJ_STARTPAG.RE, PSGuard, desktop hijack

Discussion in 'Virus & Other Malware Removal' started by nv13, Aug 21, 2005.

  1. nv13

    nv13 Thread Starter

    Joined:
    Aug 21, 2005
    Messages:
    25
    Hello,
    I contracted this spyware on my computer. I use Trend Micro AV.

    Every time I start/restart my computer, IE opens by itself and Trend Micro shows me a message regarding quarantine of "TROJ_STARTPAG.RE". Also, my desktop has been hijacked. When I try to access it through the Control Panel, it does not show me the Desktop tab. The desktop background is black with a warning that my "Computer is infected.....etc, etc". I also used Microsoft AntiSpyware, but it does not detect anything. Trend Micro detects "ADW_SEARChAIS.A".

    I would appreciate it if someone could help me get rid of this annoying background.

    Thank You.

    ps: here is the logfile from HijackThis

    Logfile of HijackThis v1.99.1
    Scan saved at 3:53:07 PM, on 8/21/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\MotorolaDAP.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\TOSHIBA\IVP\ISM\pinger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\BestPopUpKiller\BestPopupKiller.exe
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\WINDOWS\ipvi32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Nirav Vora\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mfigg.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mfigg.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ubtwy.dll/sp.html#12047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ubtwy.dll/sp.html#12047
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ubtwy.dll/sp.html#12047
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.vanderbilt.edu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.vanderbilt.edu/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R3 - Default URLSearchHook is missing
    O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Class - {D800AD07-3198-4760-E8A4-33F3BB42B482} - C:\WINDOWS\appbf.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [SC3300CC] C:\WINDOWS\twain_32\SiPix\SC-3300\SC3300CC.exe
    O4 - HKLM\..\Run: [USBPNP] C:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [TrustSoftAntiSpyware] C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe /STARTUP
    O4 - HKLM\..\Run: [ipvi32.exe] C:\WINDOWS\ipvi32.exe
    O4 - HKLM\..\RunOnce: [mscz.exe] C:\WINDOWS\system32\mscz.exe
    O4 - HKLM\..\RunOnce: [atlsr.exe] C:\WINDOWS\atlsr.exe
    O4 - HKLM\..\RunOnce: [sdknp.exe] C:\WINDOWS\system32\sdknp.exe
    O4 - HKLM\..\RunOnce: [winwv32.exe] C:\WINDOWS\system32\winwv32.exe
    O4 - HKLM\..\RunOnce: [javacy32.exe] C:\WINDOWS\javacy32.exe
    O4 - HKLM\..\RunOnce: [ntuw32.exe] C:\WINDOWS\system32\ntuw32.exe
    O4 - HKLM\..\RunOnce: [netsp.exe] C:\WINDOWS\system32\netsp.exe
    O4 - HKLM\..\RunOnce: [netpy32.exe] C:\WINDOWS\netpy32.exe
    O4 - HKLM\..\RunOnce: [d3cv.exe] C:\WINDOWS\d3cv.exe
    O4 - HKLM\..\RunOnce: [appzt32.exe] C:\WINDOWS\system32\appzt32.exe
    O4 - HKLM\..\RunOnce: [d3en.exe] C:\WINDOWS\system32\d3en.exe
    O4 - HKLM\..\RunOnce: [ippe32.exe] C:\WINDOWS\ippe32.exe
    O4 - HKLM\..\RunOnce: [mskj32.exe] C:\WINDOWS\mskj32.exe
    O4 - HKLM\..\RunOnce: [ietx32.exe] C:\WINDOWS\system32\ietx32.exe
    O4 - HKLM\..\RunOnce: [ntyr.exe] C:\WINDOWS\ntyr.exe
    O4 - HKLM\..\RunOnce: [crdw32.exe] C:\WINDOWS\system32\crdw32.exe
    O4 - HKLM\..\RunOnce: [addxu.exe] C:\WINDOWS\system32\addxu.exe
    O4 - HKLM\..\RunOnce: [ipbl.exe] C:\WINDOWS\ipbl.exe
    O4 - HKLM\..\RunOnce: [appgf32.exe] C:\WINDOWS\system32\appgf32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Netscape\Netscape Browser\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mscz.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
    O23 - Service: Motorola Digital Audio Player Manager (MotorolaDAP) - Motorola Inc. - C:\WINDOWS\system32\MotorolaDAP.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
     
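As an added illustration (not code from this thread or from the HijackThis project), the script below applies to HijackThis log lines the indicators that stand out in the log posted above: R0/R1 search entries redirected to a res:// DLL under the Windows directory, a BHO with a generic name or a missing file, Run/RunOnce entries for random-named binaries dropped straight into C:\WINDOWS or system32, an unusually large set of persistent RunOnce values, and a service whose display name contains junk characters. The sample lines and the file-name heuristic are constructed from this thread's log and are assumptions, not vendor signatures.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis v1.99.1 log posted in this thread
# (representative lines only, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mfigg.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D800AD07-3198-4760-E8A4-33F3BB42B482} - C:\WINDOWS\appbf.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ipvi32.exe] C:\WINDOWS\ipvi32.exe
O4 - HKLM\..\RunOnce: [mscz.exe] C:\WINDOWS\system32\mscz.exe
O4 - HKLM\..\RunOnce: [atlsr.exe] C:\WINDOWS\atlsr.exe
O4 - HKLM\..\RunOnce: [netpy32.exe] C:\WINDOWS\netpy32.exe
O4 - HKLM\..\RunOnce: [d3cv.exe] C:\WINDOWS\d3cv.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mscz.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

# R0/R1 values seen in the thread: res:// pointing at a DLL under the Windows
# directory that serves an embedded sp.html page instead of a real search URL.
RES_DLL_HIJACK = re.compile(r"res://\S*\\WINDOWS\\\S*\.dll/", re.IGNORECASE)
# Naming scheme of the dropped autostart binaries in the posted log: a system-sounding
# prefix, two or three random letters, optional "32". Heuristic derived from this log.
RANDOM_DROPPER = re.compile(
    r"^(?:ms|win|sys|ie|ip|net|sdk|app|api|atl|add|cr|d3|java|mfc|nt)[a-z]{2,3}(?:32)?\.exe$",
    re.IGNORECASE)
# A binary sitting directly in %WINDIR% or %WINDIR%\system32 (no deeper subfolder).
WINDIR_BINARY = re.compile(r"^[A-Z]:\\WINDOWS\\(?:system32\\)?([^\\]+)$", re.IGNORECASE)
O4_ENTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
RUNONCE_THRESHOLD = 3  # judgment call: RunOnce values normally disappear after one boot


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section prefix, e.g. "O4"
    reason: str
    line: str     # the log line that triggered it ("" for a summary finding)


def is_random_dropper_name(filename: str) -> bool:
    return RANDOM_DROPPER.match(filename) is not None


def windir_filename(path: str) -> str | None:
    """Return the file name if path points directly into the Windows directory."""
    m = WINDIR_BINARY.match(path.strip())
    return m.group(1) if m else None


def exe_from_command(cmd: str) -> str:
    """Strip quotes and arguments: '"C:\\x\\a.exe" -flag' -> 'C:\\x\\a.exe'."""
    m = re.match(r'"?(.+?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip()


def check_line(line: str) -> list[str]:
    """Return the reasons (possibly none) for which one log line is suspect."""
    reasons: list[str] = []
    if line.startswith(("R0 - ", "R1 - ")) and RES_DLL_HIJACK.search(line):
        reasons.append("search setting redirected to a res:// DLL in the Windows directory")
    elif line.startswith("O2 - BHO: "):
        name = line[len("O2 - BHO: "):].split(" - ", 1)[0]
        if name in ("Class", "(no name)"):
            reasons.append("BHO with a generic/missing name")
        if line.endswith("(file missing)"):
            reasons.append("orphaned BHO entry (file missing)")
    elif m := O4_ENTRY.match(line):
        fname = windir_filename(exe_from_command(m.group(4)))
        if fname and is_random_dropper_name(fname):
            reasons.append(f"{m.group(2)} entry launches random-named {fname} from the Windows directory")
    elif line.startswith("O23 - Service: "):
        parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            name, owner, path = parts
            if any(not 32 <= ord(c) <= 126 for c in name):
                reasons.append("service name contains non-ASCII/control characters")
            fname = windir_filename(path)
            if owner == "Unknown owner" and fname and is_random_dropper_name(fname):
                reasons.append(f"unowned service runs random-named {fname}")
    return reasons


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    runonce = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O4 - ") and "\\RunOnce:" in line:
            runonce += 1
        reasons = check_line(line)
        if reasons:
            findings.append(Finding(line.split(" ", 1)[0], "; ".join(reasons), line))
    if runonce >= RUNONCE_THRESHOLD:
        findings.append(Finding("O4", f"{runonce} persistent RunOnce entries "
                                "(legitimate RunOnce values are removed after they execute)", ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The Toshiba, ATI, Trend Micro and Google Toolbar lines in the sample pass through untouched; only the entries that a helper would have a reader fix are reported.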

  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi nv13

    Welcome to TSG! :)

    * Click here to download smitRem.exe.
    • Save the file to your desktop.
    • It is a self extracting file.
    • Double-click the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
    • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


    * Download the trial version of Ewido Security Suite here.
    • Install ewido.
    • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido
    • It will prompt you to update; click the OK button and it will go to the main screen.
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode.


    * Click here for info on how to boot to safe mode if you don't already know how.


    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.


    * Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop


    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    * Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


    * Restart back into Windows normally now.


    * Run ActiveScan online virus scan here

    When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HijackThis log along with the results from ActiveScan and the ewido scan.
     
  4. nv13

    nv13 Thread Starter

    Joined:
    Aug 21, 2005
    Messages:
    25
    flrman1,
    Thank you for your prompt reply. I did everything that you advised me to do. I couldn't get "ewido" to work properly. It would start the scanning and started giving me messages regarding removing the components, and I hit OK every time. It did that for some time and then it just stopped working and the window closed. I repeated it to get the same result. However, I went ahead and ran the ActiveScan. Also, when I clicked on the "Web" tab after selecting the "Customize Desktop" option, I found a "My current Homepage" option but couldn't delete it. I still have TROJ_STARTPAG.RE on my computer, although I could change the desktop background. So the annoying background is gone now.
    I would really appreciate it if you could inform me on how to get rid of the virus.

    Thank you,
    nv13

    ps: here are the log files from HijackThis and ActiveScan

    From Activescan:

    Incident Status Location

    Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\SDKIC32.EXE
    Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkbu32.exe
    Adware:adware/cws.homesearchasisstant No disinfected Windows Registry
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Nirav Vora\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\GetAccess.class-7fd0ed0-603705e4.class
    Spyware:Spyware/Petro-Line No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C7D6389E-45C3-4653-A7F6-EC16DC\CC72FA8C-CFCB-4325-BC7C-865712
    Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Downloaded Program Files\inst2.inf
    Virus:Trj/Downloader.DMC Disinfected C:\WINDOWS\msfo.exe
    Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\system32\wininet.old


    From Hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 8:52:45 PM, on 8/21/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ACS.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Documents and Settings\Nirav Vora\Desktop\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\MotorolaDAP.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\TOSHIBA\IVP\ISM\pinger.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\ipvi32.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\BestPopUpKiller\BestPopupKiller.exe
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Nirav Vora\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ofhtz.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.vanderbilt.edu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.vanderbilt.edu/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R3 - Default URLSearchHook is missing
    O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Class - {D800AD07-3198-4760-E8A4-33F3BB42B482} - C:\WINDOWS\appbf.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [SC3300CC] C:\WINDOWS\twain_32\SiPix\SC-3300\SC3300CC.exe
    O4 - HKLM\..\Run: [USBPNP] C:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [TrustSoftAntiSpyware] C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe /STARTUP
    O4 - HKLM\..\Run: [ipvi32.exe] C:\WINDOWS\ipvi32.exe
    O4 - HKLM\..\RunOnce: [mscz.exe] C:\WINDOWS\system32\mscz.exe
    O4 - HKLM\..\RunOnce: [atlsr.exe] C:\WINDOWS\atlsr.exe
    O4 - HKLM\..\RunOnce: [sdknp.exe] C:\WINDOWS\system32\sdknp.exe
    O4 - HKLM\..\RunOnce: [winwv32.exe] C:\WINDOWS\system32\winwv32.exe
    O4 - HKLM\..\RunOnce: [javacy32.exe] C:\WINDOWS\javacy32.exe
    O4 - HKLM\..\RunOnce: [ntuw32.exe] C:\WINDOWS\system32\ntuw32.exe
    O4 - HKLM\..\RunOnce: [netsp.exe] C:\WINDOWS\system32\netsp.exe
    O4 - HKLM\..\RunOnce: [netpy32.exe] C:\WINDOWS\netpy32.exe
    O4 - HKLM\..\RunOnce: [d3cv.exe] C:\WINDOWS\d3cv.exe
    O4 - HKLM\..\RunOnce: [appzt32.exe] C:\WINDOWS\system32\appzt32.exe
    O4 - HKLM\..\RunOnce: [d3en.exe] C:\WINDOWS\system32\d3en.exe
    O4 - HKLM\..\RunOnce: [ippe32.exe] C:\WINDOWS\ippe32.exe
    O4 - HKLM\..\RunOnce: [mskj32.exe] C:\WINDOWS\mskj32.exe
    O4 - HKLM\..\RunOnce: [ietx32.exe] C:\WINDOWS\system32\ietx32.exe
    O4 - HKLM\..\RunOnce: [ntyr.exe] C:\WINDOWS\ntyr.exe
    O4 - HKLM\..\RunOnce: [crdw32.exe] C:\WINDOWS\system32\crdw32.exe
    O4 - HKLM\..\RunOnce: [addxu.exe] C:\WINDOWS\system32\addxu.exe
    O4 - HKLM\..\RunOnce: [ipbl.exe] C:\WINDOWS\ipbl.exe
    O4 - HKLM\..\RunOnce: [appgf32.exe] C:\WINDOWS\system32\appgf32.exe
    O4 - HKLM\..\RunOnce: [addnm.exe] C:\WINDOWS\addnm.exe
    O4 - HKLM\..\RunOnce: [apiro.exe] C:\WINDOWS\system32\apiro.exe
    O4 - HKLM\..\RunOnce: [addqb.exe] C:\WINDOWS\addqb.exe
    O4 - HKLM\..\RunOnce: [sysxr.exe] C:\WINDOWS\sysxr.exe
    O4 - HKLM\..\RunOnce: [ipii32.exe] C:\WINDOWS\system32\ipii32.exe
    O4 - HKLM\..\RunOnce: [sysqz32.exe] C:\WINDOWS\sysqz32.exe
    O4 - HKLM\..\RunOnce: [msdq32.exe] C:\WINDOWS\msdq32.exe
    O4 - HKLM\..\RunOnce: [winhv.exe] C:\WINDOWS\system32\winhv.exe
    O4 - HKLM\..\RunOnce: [d3oa32.exe] C:\WINDOWS\d3oa32.exe
    O4 - HKLM\..\RunOnce: [msor.exe] C:\WINDOWS\msor.exe
    O4 - HKLM\..\RunOnce: [ietn32.exe] C:\WINDOWS\ietn32.exe
    O4 - HKLM\..\RunOnce: [msic32.exe] C:\WINDOWS\msic32.exe
    O4 - HKLM\..\RunOnce: [ipng32.exe] C:\WINDOWS\ipng32.exe
    O4 - HKLM\..\RunOnce: [ieis32.exe] C:\WINDOWS\system32\ieis32.exe
    O4 - HKLM\..\RunOnce: [addvw.exe] C:\WINDOWS\system32\addvw.exe
    O4 - HKLM\..\RunOnce: [sysvx32.exe] C:\WINDOWS\system32\sysvx32.exe
    O4 - HKLM\..\RunOnce: [syskt32.exe] C:\WINDOWS\system32\syskt32.exe
    O4 - HKLM\..\RunOnce: [sdkpq32.exe] C:\WINDOWS\system32\sdkpq32.exe
    O4 - HKLM\..\RunOnce: [winkb32.exe] C:\WINDOWS\winkb32.exe
    O4 - HKLM\..\RunOnce: [atlog.exe] C:\WINDOWS\atlog.exe
    O4 - HKLM\..\RunOnce: [addxg32.exe] C:\WINDOWS\addxg32.exe
    O4 - HKLM\..\RunOnce: [addmd32.exe] C:\WINDOWS\addmd32.exe
    O4 - HKLM\..\RunOnce: [crqz.exe] C:\WINDOWS\crqz.exe
    O4 - HKLM\..\RunOnce: [ntul.exe] C:\WINDOWS\system32\ntul.exe
    O4 - HKLM\..\RunOnce: [mska32.exe] C:\WINDOWS\mska32.exe
    O4 - HKLM\..\RunOnce: [addai32.exe] C:\WINDOWS\system32\addai32.exe
    O4 - HKLM\..\RunOnce: [appzk32.exe] C:\WINDOWS\system32\appzk32.exe
    O4 - HKLM\..\RunOnce: [ntsh32.exe] C:\WINDOWS\ntsh32.exe
    O4 - HKLM\..\RunOnce: [d3ab.exe] C:\WINDOWS\d3ab.exe
    O4 - HKLM\..\RunOnce: [mfcvn.exe] C:\WINDOWS\system32\mfcvn.exe
    O4 - HKLM\..\RunOnce: [d3kc.exe] C:\WINDOWS\system32\d3kc.exe
    O4 - HKLM\..\RunOnce: [d3zx32.exe] C:\WINDOWS\d3zx32.exe
    O4 - HKLM\..\RunOnce: [netmr.exe] C:\WINDOWS\netmr.exe
    O4 - HKLM\..\RunOnce: [d3bg32.exe] C:\WINDOWS\system32\d3bg32.exe
    O4 - HKLM\..\RunOnce: [iphj.exe] C:\WINDOWS\iphj.exe
    O4 - HKLM\..\RunOnce: [ipmi.exe] C:\WINDOWS\system32\ipmi.exe
    O4 - HKLM\..\RunOnce: [msfe32.exe] C:\WINDOWS\msfe32.exe
    O4 - HKLM\..\RunOnce: [apiqr32.exe] C:\WINDOWS\apiqr32.exe
    O4 - HKLM\..\RunOnce: [sdkic32.exe] C:\WINDOWS\system32\sdkic32.exe
    O4 - HKLM\..\RunOnce: [netnk.exe] C:\WINDOWS\netnk.exe
    O4 - HKLM\..\RunOnce: [addam32.exe] C:\WINDOWS\addam32.exe
    O4 - HKLM\..\RunOnce: [atlcz.exe] C:\WINDOWS\atlcz.exe
    O4 - HKLM\..\RunOnce: [iept32.exe] C:\WINDOWS\system32\iept32.exe
    O4 - HKLM\..\RunOnce: [mswq32.exe] C:\WINDOWS\mswq32.exe
    O4 - HKLM\..\RunOnce: [ntjs.exe] C:\WINDOWS\ntjs.exe
    O4 - HKLM\..\RunOnce: [ntph32.exe] C:\WINDOWS\system32\ntph32.exe
    O4 - HKLM\..\RunOnce: [atluj.exe] C:\WINDOWS\system32\atluj.exe
    O4 - HKLM\..\RunOnce: [javadp.exe] C:\WINDOWS\system32\javadp.exe
    O4 - HKLM\..\RunOnce: [apijj32.exe] C:\WINDOWS\system32\apijj32.exe
    O4 - HKLM\..\RunOnce: [ntrd.exe] C:\WINDOWS\ntrd.exe
    O4 - HKLM\..\RunOnce: [mslj.exe] C:\WINDOWS\system32\mslj.exe
    O4 - HKLM\..\RunOnce: [ieqc32.exe] C:\WINDOWS\ieqc32.exe
    O4 - HKLM\..\RunOnce: [ntve.exe] C:\WINDOWS\ntve.exe
    O4 - HKLM\..\RunOnce: [mfcou32.exe] C:\WINDOWS\system32\mfcou32.exe
    O4 - HKLM\..\RunOnce: [ieup.exe] C:\WINDOWS\system32\ieup.exe
    O4 - HKLM\..\RunOnce: [netdv32.exe] C:\WINDOWS\system32\netdv32.exe
    O4 - HKLM\..\RunOnce: [cril32.exe] C:\WINDOWS\system32\cril32.exe
    O4 - HKLM\..\RunOnce: [ntyf.exe] C:\WINDOWS\ntyf.exe
    O4 - HKLM\..\RunOnce: [atlbg.exe] C:\WINDOWS\atlbg.exe
    O4 - HKLM\..\RunOnce: [apiao.exe] C:\WINDOWS\system32\apiao.exe
    O4 - HKLM\..\RunOnce: [atlex.exe] C:\WINDOWS\system32\atlex.exe
    O4 - HKLM\..\RunOnce: [sdkpm32.exe] C:\WINDOWS\sdkpm32.exe
    O4 - HKLM\..\RunOnce: [sysdl.exe] C:\WINDOWS\sysdl.exe
    O4 - HKLM\..\RunOnce: [ieym.exe] C:\WINDOWS\system32\ieym.exe
    O4 - HKLM\..\RunOnce: [atlla32.exe] C:\WINDOWS\system32\atlla32.exe
    O4 - HKLM\..\RunOnce: [ntew.exe] C:\WINDOWS\ntew.exe
    O4 - HKLM\..\RunOnce: [ntwz32.exe] C:\WINDOWS\ntwz32.exe
    O4 - HKLM\..\RunOnce: [atljt.exe] C:\WINDOWS\atljt.exe
    O4 - HKLM\..\RunOnce: [addcd32.exe] C:\WINDOWS\addcd32.exe
    O4 - HKLM\..\RunOnce: [netuz.exe] C:\WINDOWS\system32\netuz.exe
    O4 - HKLM\..\RunOnce: [crzh32.exe] C:\WINDOWS\system32\crzh32.exe
    O4 - HKLM\..\RunOnce: [addsd.exe] C:\WINDOWS\addsd.exe
    O4 - HKLM\..\RunOnce: [javajl32.exe] C:\WINDOWS\javajl32.exe
    O4 - HKLM\..\RunOnce: [sdksj.exe] C:\WINDOWS\system32\sdksj.exe
    O4 - HKLM\..\RunOnce: [mslk32.exe] C:\WINDOWS\mslk32.exe
    O4 - HKLM\..\RunOnce: [d3jb32.exe] C:\WINDOWS\system32\d3jb32.exe
    O4 - HKLM\..\RunOnce: [javaem.exe] C:\WINDOWS\javaem.exe
    O4 - HKLM\..\RunOnce: [apijh32.exe] C:\WINDOWS\apijh32.exe
    O4 - HKLM\..\RunOnce: [appwo.exe] C:\WINDOWS\appwo.exe
    O4 - HKLM\..\RunOnce: [iphl.exe] C:\WINDOWS\system32\iphl.exe
    O4 - HKLM\..\RunOnce: [ntaw32.exe] C:\WINDOWS\system32\ntaw32.exe
    O4 - HKLM\..\RunOnce: [atlfy.exe] C:\WINDOWS\atlfy.exe
    O4 - HKLM\..\RunOnce: [atlxi32.exe] C:\WINDOWS\atlxi32.exe
    O4 - HKLM\..\RunOnce: [d3gu32.exe] C:\WINDOWS\system32\d3gu32.exe
    O4 - HKLM\..\RunOnce: [iplw.exe] C:\WINDOWS\system32\iplw.exe
    O4 - HKLM\..\RunOnce: [netzn32.exe] C:\WINDOWS\system32\netzn32.exe
    O4 - HKLM\..\RunOnce: [addfp.exe] C:\WINDOWS\system32\addfp.exe
    O4 - HKLM\..\RunOnce: [ntnx.exe] C:\WINDOWS\system32\ntnx.exe
    O4 - HKLM\..\RunOnce: [appts32.exe] C:\WINDOWS\system32\appts32.exe
    O4 - HKLM\..\RunOnce: [ierh.exe] C:\WINDOWS\ierh.exe
    O4 - HKLM\..\RunOnce: [sdkwb32.exe] C:\WINDOWS\sdkwb32.exe
    O4 - HKLM\..\RunOnce: [appbi.exe] C:\WINDOWS\appbi.exe
    O4 - HKLM\..\RunOnce: [mshc32.exe] C:\WINDOWS\mshc32.exe
    O4 - HKLM\..\RunOnce: [atlvr.exe] C:\WINDOWS\atlvr.exe
    O4 - HKLM\..\RunOnce: [sdkfz.exe] C:\WINDOWS\system32\sdkfz.exe
    O4 - HKLM\..\RunOnce: [atleh32.exe] C:\WINDOWS\system32\atleh32.exe
    O4 - HKLM\..\RunOnce: [appnf32.exe] C:\WINDOWS\appnf32.exe
    O4 - HKLM\..\RunOnce: [sysxg.exe] C:\WINDOWS\system32\sysxg.exe
    O4 - HKLM\..\RunOnce: [wincc32.exe] C:\WINDOWS\wincc32.exe
    O4 - HKLM\..\RunOnce: [ipmj.exe] C:\WINDOWS\ipmj.exe
    O4 - HKLM\..\RunOnce: [msby32.exe] C:\WINDOWS\system32\msby32.exe
    O4 - HKLM\..\RunOnce: [winrf.exe] C:\WINDOWS\system32\winrf.exe
    O4 - HKLM\..\RunOnce: [mfcvj32.exe] C:\WINDOWS\system32\mfcvj32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Netscape\Netscape Browser\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mscz.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Nirav Vora\Desktop\security suite\ewidoctrl.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
    O23 - Service: Motorola Digital Audio Player Manager (MotorolaDAP) - Motorola Inc. - C:\WINDOWS\system32\MotorolaDAP.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I'm sorry it took me so long to reply, but I had a very long hard day at work. I need you to rescan with Hijack This and post a new log.

    After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.

    I will be online tonight until around midnight. If you can't get it posted tonight in the next two hours, you may as well wait and post it tomorrow evening after 6pm Eastern time. I will not be back online until then.
     
  6. nv13

    nv13 Thread Starter

    Joined:
    Aug 21, 2005
    Messages:
    25
    flrman1,
    I am attaching the Hijackthis log file with this message. Thank you in anticipation.
    nv13
     

    Attached Files:

  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    ** First you need to download the following tools and have them ready to run. Do not run any of them until instructed to do so:


    * Click here to download cwsserviceremove.zip and unzip it to your desktop.



    *Download Cleanup from Here
    If that link is down, you can get Cleanup Here.
    • Save the Cleanup40 file to your desktop.
    • On your desktop, click on Cleanup40.exe icon.
    • Then, click RUN and place a checkmark beside "I Agree"
    • Then click NEXT followed by START and OK.
    • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    • Click OK
    • DO NOT RUN IT YET



    * I am attaching a delete.zip file to this post. Download the file and unzip it to extract the delete.bat file it contains and have it ready to run later in safe mode.



    * Click here to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. Do Not run it yet.



    * Click here to download AboutBuster created by Rubber Ducky.

    Unzip AboutBuster to the Desktop, then click the "Update" button, then click "Check for Update" and download the updates, and then click "Exit", because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.



    * Now go ahead and set your computer to show hidden files like so:

    Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK"



    * Click here for info on how to boot to safe mode if you don't already know how.



    **After you have downloaded all the above tools, sign off the internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.



    * Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find Network Security Service (NSS).
    Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


    ** Restart your computer into safe mode now. Perform the following steps in safe mode:



    * Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.



    * Run Hijack This and put a check by all of the following entries:



    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgxse.dll/sp.html#44768

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgxse.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kgxse.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgxse.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgxse.dll/sp.html#44768

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgxse.dll/sp.html#44768

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgxse.dll/sp.html#44768

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {40F96ECF-F256-A2FB-6BF0-5B6FD5678995} - C:\WINDOWS\system32\apigh.dll

    O2 - BHO: Class - {7ABEDA97-ADE8-D564-C19A-4D6D0E15F0CE} - C:\WINDOWS\sdkdr.dll

    O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll (file missing)

    O2 - BHO: Class - {F9538E86-36EE-4A7E-6596-B6F8EAA229D9} - C:\WINDOWS\system32\mssk32.dll

    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

    O4 - HKLM\..\Run: [ipvi32.exe] C:\WINDOWS\ipvi32.exe
    O4 - HKLM\..\RunOnce: [mscz.exe] C:\WINDOWS\system32\mscz.exe
    O4 - HKLM\..\RunOnce: [atlsr.exe] C:\WINDOWS\atlsr.exe
    O4 - HKLM\..\RunOnce: [javacy32.exe] C:\WINDOWS\javacy32.exe
    O4 - HKLM\..\RunOnce: [d3cv.exe] C:\WINDOWS\d3cv.exe
    O4 - HKLM\..\RunOnce: [appzt32.exe] C:\WINDOWS\system32\appzt32.exe
    O4 - HKLM\..\RunOnce: [crdw32.exe] C:\WINDOWS\system32\crdw32.exe
    O4 - HKLM\..\RunOnce: [appgf32.exe] C:\WINDOWS\system32\appgf32.exe
    O4 - HKLM\..\RunOnce: [sysxr.exe] C:\WINDOWS\sysxr.exe
    O4 - HKLM\..\RunOnce: [sysqz32.exe] C:\WINDOWS\sysqz32.exe
    O4 - HKLM\..\RunOnce: [winhv.exe] C:\WINDOWS\system32\winhv.exe
    O4 - HKLM\..\RunOnce: [msic32.exe] C:\WINDOWS\msic32.exe
    O4 - HKLM\..\RunOnce: [syskt32.exe] C:\WINDOWS\system32\syskt32.exe
    O4 - HKLM\..\RunOnce: [addxg32.exe] C:\WINDOWS\addxg32.exe
    O4 - HKLM\..\RunOnce: [d3qe.exe] C:\WINDOWS\system32\d3qe.exe
    O4 - HKLM\..\RunOnce: [addyv32.exe] C:\WINDOWS\system32\addyv32.exe
    O4 - HKLM\..\RunOnce: [wingw.exe] C:\WINDOWS\system32\wingw.exe
    O4 - HKLM\..\RunOnce: [sdkoc.exe] C:\WINDOWS\sdkoc.exe
    O4 - HKLM\..\RunOnce: [addjl.exe] C:\WINDOWS\system32\addjl.exe
    O4 - HKLM\..\RunOnce: [crof32.exe] C:\WINDOWS\system32\crof32.exe
    O4 - HKLM\..\RunOnce: [syshe32.exe] C:\WINDOWS\system32\syshe32.exe
    O4 - HKLM\..\RunOnce: [mfcaa32.exe] C:\WINDOWS\system32\mfcaa32.exe
    O4 - HKLM\..\RunOnce: [apixz32.exe] C:\WINDOWS\apixz32.exe
    O4 - HKLM\..\RunOnce: [ielu32.exe] C:\WINDOWS\system32\ielu32.exe
    O4 - HKLM\..\RunOnce: [sdkyw.exe] C:\WINDOWS\system32\sdkyw.exe
    O4 - HKLM\..\RunOnce: [d3jp32.exe] C:\WINDOWS\system32\d3jp32.exe
    O4 - HKLM\..\RunOnce: [ntwz.exe] C:\WINDOWS\system32\ntwz.exe
    O4 - HKLM\..\RunOnce: [crhy.exe] C:\WINDOWS\system32\crhy.exe
    O4 - HKLM\..\RunOnce: [ieod32.exe] C:\WINDOWS\ieod32.exe
    O4 - HKLM\..\RunOnce: [ntlh32.exe] C:\WINDOWS\ntlh32.exe
    O4 - HKLM\..\RunOnce: [msyr32.exe] C:\WINDOWS\msyr32.exe
    O4 - HKLM\..\RunOnce: [ntdu32.exe] C:\WINDOWS\system32\ntdu32.exe
    O4 - HKLM\..\RunOnce: [iegd.exe] C:\WINDOWS\iegd.exe
    O4 - HKLM\..\RunOnce: [sysma.exe] C:\WINDOWS\system32\sysma.exe
    O4 - HKLM\..\RunOnce: [creb32.exe] C:\WINDOWS\system32\creb32.exe
    O4 - HKLM\..\RunOnce: [crnj.exe] C:\WINDOWS\crnj.exe
    O4 - HKLM\..\RunOnce: [wincg32.exe] C:\WINDOWS\system32\wincg32.exe
    O4 - HKLM\..\RunOnce: [mfctn.exe] C:\WINDOWS\system32\mfctn.exe
    O4 - HKLM\..\RunOnce: [crcu.exe] C:\WINDOWS\system32\crcu.exe
    O4 - HKLM\..\RunOnce: [atlqq32.exe] C:\WINDOWS\system32\atlqq32.exe
    O4 - HKLM\..\RunOnce: [netgy.exe] C:\WINDOWS\system32\netgy.exe
    O4 - HKLM\..\RunOnce: [ievd32.exe] C:\WINDOWS\system32\ievd32.exe
    O4 - HKLM\..\RunOnce: [mssy.exe] C:\WINDOWS\mssy.exe
    O4 - HKLM\..\RunOnce: [sysxc.exe] C:\WINDOWS\system32\sysxc.exe
    O4 - HKLM\..\RunOnce: [winlz32.exe] C:\WINDOWS\winlz32.exe
    O4 - HKLM\..\RunOnce: [javaws32.exe] C:\WINDOWS\javaws32.exe
    O4 - HKLM\..\RunOnce: [atlei.exe] C:\WINDOWS\system32\atlei.exe
    O4 - HKLM\..\RunOnce: [mfchh32.exe] C:\WINDOWS\mfchh32.exe
    O4 - HKLM\..\RunOnce: [ntsg32.exe] C:\WINDOWS\ntsg32.exe
    O4 - HKLM\..\RunOnce: [mfcqv32.exe] C:\WINDOWS\system32\mfcqv32.exe
    O4 - HKLM\..\RunOnce: [ieju32.exe] C:\WINDOWS\ieju32.exe
    O4 - HKLM\..\RunOnce: [netyz.exe] C:\WINDOWS\netyz.exe
    O4 - HKLM\..\RunOnce: [winsq32.exe] C:\WINDOWS\winsq32.exe
    O4 - HKLM\..\RunOnce: [sdkuq.exe] C:\WINDOWS\sdkuq.exe
    O4 - HKLM\..\RunOnce: [d3iq.exe] C:\WINDOWS\system32\d3iq.exe
    O4 - HKLM\..\RunOnce: [javaae32.exe] C:\WINDOWS\system32\javaae32.exe
    O4 - HKLM\..\RunOnce: [atluv.exe] C:\WINDOWS\system32\atluv.exe
    O4 - HKLM\..\RunOnce: [apiuj.exe] C:\WINDOWS\apiuj.exe
    O4 - HKLM\..\RunOnce: [mfcdj.exe] C:\WINDOWS\system32\mfcdj.exe
    O4 - HKLM\..\RunOnce: [mfcxb.exe] C:\WINDOWS\mfcxb.exe
    O4 - HKLM\..\RunOnce: [crgb.exe] C:\WINDOWS\crgb.exe
    O4 - HKLM\..\RunOnce: [javatv32.exe] C:\WINDOWS\system32\javatv32.exe
    O4 - HKLM\..\RunOnce: [javavy.exe] C:\WINDOWS\javavy.exe
    O4 - HKLM\..\RunOnce: [apiaa32.exe] C:\WINDOWS\apiaa32.exe
    O4 - HKLM\..\RunOnce: [sysus.exe] C:\WINDOWS\sysus.exe
    O4 - HKLM\..\RunOnce: [sdkhu32.exe] C:\WINDOWS\sdkhu32.exe
    O4 - HKLM\..\RunOnce: [iejm32.exe] C:\WINDOWS\system32\iejm32.exe
    O4 - HKLM\..\RunOnce: [sdkwo32.exe] C:\WINDOWS\system32\sdkwo32.exe
    O4 - HKLM\..\RunOnce: [d3hn.exe] C:\WINDOWS\system32\d3hn.exe
    O4 - HKLM\..\RunOnce: [javaxu.exe] C:\WINDOWS\system32\javaxu.exe
    O4 - HKLM\..\RunOnce: [apipn32.exe] C:\WINDOWS\apipn32.exe
    O4 - HKLM\..\RunOnce: [ntup.exe] C:\WINDOWS\system32\ntup.exe
    O4 - HKLM\..\RunOnce: [mfcyb.exe] C:\WINDOWS\system32\mfcyb.exe
    O4 - HKLM\..\RunOnce: [javaor32.exe] C:\WINDOWS\javaor32.exe
    O4 - HKLM\..\RunOnce: [msbz32.exe] C:\WINDOWS\system32\msbz32.exe
    O4 - HKLM\..\RunOnce: [appro.exe] C:\WINDOWS\system32\appro.exe
    O4 - HKLM\..\RunOnce: [crfl32.exe] C:\WINDOWS\crfl32.exe
    O4 - HKLM\..\RunOnce: [d3ye32.exe] C:\WINDOWS\system32\d3ye32.exe
    O4 - HKLM\..\RunOnce: [ntpr32.exe] C:\WINDOWS\ntpr32.exe
    O4 - HKLM\..\RunOnce: [atlun32.exe] C:\WINDOWS\atlun32.exe
    O4 - HKLM\..\RunOnce: [addsi32.exe] C:\WINDOWS\addsi32.exe
    O4 - HKLM\..\RunOnce: [mfciq.exe] C:\WINDOWS\mfciq.exe
    O4 - HKLM\..\RunOnce: [winhd.exe] C:\WINDOWS\system32\winhd.exe
    O4 - HKLM\..\RunOnce: [mfclh.exe] C:\WINDOWS\mfclh.exe
    O4 - HKLM\..\RunOnce: [ntvi32.exe] C:\WINDOWS\system32\ntvi32.exe
    O4 - HKLM\..\RunOnce: [atloz32.exe] C:\WINDOWS\atloz32.exe
    O4 - HKLM\..\RunOnce: [atlvw32.exe] C:\WINDOWS\system32\atlvw32.exe
    O4 - HKLM\..\RunOnce: [apicb.exe] C:\WINDOWS\apicb.exe
    O4 - HKLM\..\RunOnce: [apprq.exe] C:\WINDOWS\apprq.exe
    O4 - HKLM\..\RunOnce: [mscj32.exe] C:\WINDOWS\system32\mscj32.exe
    O4 - HKLM\..\RunOnce: [sysnu.exe] C:\WINDOWS\sysnu.exe
    O4 - HKLM\..\RunOnce: [crmi.exe] C:\WINDOWS\system32\crmi.exe
    O4 - HKLM\..\RunOnce: [sysqm.exe] C:\WINDOWS\system32\sysqm.exe
    O4 - HKLM\..\RunOnce: [atlan32.exe] C:\WINDOWS\system32\atlan32.exe
    O4 - HKLM\..\RunOnce: [ietd32.exe] C:\WINDOWS\ietd32.exe
    O4 - HKLM\..\RunOnce: [msia32.exe] C:\WINDOWS\system32\msia32.exe
    O4 - HKLM\..\RunOnce: [ntnw32.exe] C:\WINDOWS\system32\ntnw32.exe
    O4 - HKLM\..\RunOnce: [ieii.exe] C:\WINDOWS\system32\ieii.exe
    O4 - HKLM\..\RunOnce: [atlgd32.exe] C:\WINDOWS\atlgd32.exe
    O4 - HKLM\..\RunOnce: [mfcgl32.exe] C:\WINDOWS\mfcgl32.exe
    O4 - HKLM\..\RunOnce: [ntqm32.exe] C:\WINDOWS\system32\ntqm32.exe
    O4 - HKLM\..\RunOnce: [addqu.exe] C:\WINDOWS\addqu.exe
    O4 - HKLM\..\RunOnce: [ieuy.exe] C:\WINDOWS\system32\ieuy.exe
    O4 - HKLM\..\RunOnce: [iphd.exe] C:\WINDOWS\iphd.exe
    O4 - HKLM\..\RunOnce: [atlgi.exe] C:\WINDOWS\system32\atlgi.exe
    O4 - HKLM\..\RunOnce: [ntjo32.exe] C:\WINDOWS\system32\ntjo32.exe
    O4 - HKLM\..\RunOnce: [appch32.exe] C:\WINDOWS\system32\appch32.exe
    O4 - HKLM\..\RunOnce: [netgj32.exe] C:\WINDOWS\system32\netgj32.exe
    O4 - HKLM\..\RunOnce: [apiip32.exe] C:\WINDOWS\apiip32.exe
    O4 - HKLM\..\RunOnce: [appzq.exe] C:\WINDOWS\appzq.exe
    O4 - HKLM\..\RunOnce: [atlfn32.exe] C:\WINDOWS\atlfn32.exe
    O4 - HKLM\..\RunOnce: [apptj32.exe] C:\WINDOWS\system32\apptj32.exe
    O4 - HKLM\..\RunOnce: [mfctp.exe] C:\WINDOWS\mfctp.exe
    O4 - HKLM\..\RunOnce: [appie.exe] C:\WINDOWS\appie.exe
    O4 - HKLM\..\RunOnce: [iemi.exe] C:\WINDOWS\iemi.exe
    O4 - HKLM\..\RunOnce: [appim32.exe] C:\WINDOWS\appim32.exe
    O4 - HKLM\..\RunOnce: [crrq.exe] C:\WINDOWS\system32\crrq.exe
    O4 - HKLM\..\RunOnce: [sysvu32.exe] C:\WINDOWS\system32\sysvu32.exe
    O4 - HKLM\..\RunOnce: [msfv.exe] C:\WINDOWS\system32\msfv.exe
    O4 - HKLM\..\RunOnce: [mskr32.exe] C:\WINDOWS\system32\mskr32.exe
    O4 - HKLM\..\RunOnce: [mszo32.exe] C:\WINDOWS\mszo32.exe
    O4 - HKLM\..\RunOnce: [sysyu.exe] C:\WINDOWS\system32\sysyu.exe
    O4 - HKLM\..\RunOnce: [d3oj.exe] C:\WINDOWS\d3oj.exe
    O4 - HKLM\..\RunOnce: [ipyc.exe] C:\WINDOWS\ipyc.exe
    O4 - HKLM\..\RunOnce: [javame.exe] C:\WINDOWS\javame.exe
    O4 - HKLM\..\RunOnce: [ipfi.exe] C:\WINDOWS\ipfi.exe
    O4 - HKLM\..\RunOnce: [iezu.exe] C:\WINDOWS\system32\iezu.exe
    O4 - HKLM\..\RunOnce: [atljk32.exe] C:\WINDOWS\atljk32.exe
    O4 - HKLM\..\RunOnce: [javaew.exe] C:\WINDOWS\system32\javaew.exe
    O4 - HKLM\..\RunOnce: [netii32.exe] C:\WINDOWS\netii32.exe
    O4 - HKLM\..\RunOnce: [appgy.exe] C:\WINDOWS\system32\appgy.exe
    O4 - HKLM\..\RunOnce: [iplh.exe] C:\WINDOWS\iplh.exe
    O4 - HKLM\..\RunOnce: [creg.exe] C:\WINDOWS\system32\creg.exe
    O4 - HKLM\..\RunOnce: [apphq.exe] C:\WINDOWS\system32\apphq.exe
    O4 - HKLM\..\RunOnce: [addmj32.exe] C:\WINDOWS\system32\addmj32.exe
    O4 - HKLM\..\RunOnce: [sdkuj.exe] C:\WINDOWS\sdkuj.exe
    O4 - HKLM\..\RunOnce: [adddp32.exe] C:\WINDOWS\adddp32.exe
    O4 - HKLM\..\RunOnce: [ienw32.exe] C:\WINDOWS\system32\ienw32.exe
    O4 - HKLM\..\RunOnce: [javald.exe] C:\WINDOWS\javald.exe
    O4 - HKLM\..\RunOnce: [mfckt32.exe] C:\WINDOWS\mfckt32.exe
    O4 - HKLM\..\RunOnce: [crky.exe] C:\WINDOWS\system32\crky.exe
    O4 - HKLM\..\RunOnce: [addhn32.exe] C:\WINDOWS\addhn32.exe
    O4 - HKLM\..\RunOnce: [d3sd32.exe] C:\WINDOWS\system32\d3sd32.exe
    O4 - HKLM\..\RunOnce: [d3ga32.exe] C:\WINDOWS\d3ga32.exe
    O4 - HKLM\..\RunOnce: [netlx32.exe] C:\WINDOWS\system32\netlx32.exe
    O4 - HKLM\..\RunOnce: [mfcjs32.exe] C:\WINDOWS\system32\mfcjs32.exe
    O4 - HKLM\..\RunOnce: [ntzh.exe] C:\WINDOWS\system32\ntzh.exe
    O4 - HKLM\..\RunOnce: [addoz32.exe] C:\WINDOWS\addoz32.exe
    O4 - HKLM\..\RunOnce: [apieh.exe] C:\WINDOWS\apieh.exe
    O4 - HKLM\..\RunOnce: [netsl.exe] C:\WINDOWS\netsl.exe
    O4 - HKLM\..\RunOnce: [ipxi32.exe] C:\WINDOWS\ipxi32.exe
    O4 - HKLM\..\RunOnce: [netmf32.exe] C:\WINDOWS\netmf32.exe
    O4 - HKLM\..\RunOnce: [sdklk.exe] C:\WINDOWS\system32\sdklk.exe
    O4 - HKLM\..\RunOnce: [netba.exe] C:\WINDOWS\system32\netba.exe
    O4 - HKLM\..\RunOnce: [addts.exe] C:\WINDOWS\system32\addts.exe
    O4 - HKLM\..\RunOnce: [d3el32.exe] C:\WINDOWS\d3el32.exe
    O4 - HKLM\..\RunOnce: [iepe32.exe] C:\WINDOWS\system32\iepe32.exe
    O4 - HKLM\..\RunOnce: [ntub32.exe] C:\WINDOWS\system32\ntub32.exe
    O4 - HKLM\..\RunOnce: [sysxm.exe] C:\WINDOWS\system32\sysxm.exe
    O4 - HKLM\..\RunOnce: [crty32.exe] C:\WINDOWS\crty32.exe
    O4 - HKLM\..\RunOnce: [iprg.exe] C:\WINDOWS\system32\iprg.exe
    O4 - HKLM\..\RunOnce: [apivp32.exe] C:\WINDOWS\apivp32.exe
    O4 - HKLM\..\RunOnce: [atlqt.exe] C:\WINDOWS\atlqt.exe
    O4 - HKLM\..\RunOnce: [iepj32.exe] C:\WINDOWS\iepj32.exe
    O4 - HKLM\..\RunOnce: [javafy32.exe] C:\WINDOWS\system32\javafy32.exe
    O4 - HKLM\..\RunOnce: [javang.exe] C:\WINDOWS\system32\javang.exe
    O4 - HKLM\..\RunOnce: [addiy32.exe] C:\WINDOWS\addiy32.exe
    O4 - HKLM\..\RunOnce: [appqg.exe] C:\WINDOWS\appqg.exe
    O4 - HKLM\..\RunOnce: [winrg.exe] C:\WINDOWS\system32\winrg.exe
    O4 - HKLM\..\RunOnce: [netov32.exe] C:\WINDOWS\netov32.exe
    O4 - HKLM\..\RunOnce: [javaed32.exe] C:\WINDOWS\javaed32.exe
    O4 - HKLM\..\RunOnce: [ipap.exe] C:\WINDOWS\ipap.exe
    O4 - HKLM\..\RunOnce: [appze32.exe] C:\WINDOWS\appze32.exe
    O4 - HKLM\..\RunOnce: [msfc.exe] C:\WINDOWS\msfc.exe
    O4 - HKLM\..\RunOnce: [atlvr.exe] C:\WINDOWS\system32\atlvr.exe
    O4 - HKLM\..\RunOnce: [winkg.exe] C:\WINDOWS\system32\winkg.exe
    O4 - HKLM\..\RunOnce: [d3vz32.exe] C:\WINDOWS\d3vz32.exe
    O4 - HKLM\..\RunOnce: [apijc32.exe] C:\WINDOWS\system32\apijc32.exe
    O4 - HKLM\..\RunOnce: [sysdt.exe] C:\WINDOWS\system32\sysdt.exe
    O4 - HKLM\..\RunOnce: [netxe32.exe] C:\WINDOWS\system32\netxe32.exe
    O4 - HKLM\..\RunOnce: [javanm32.exe] C:\WINDOWS\system32\javanm32.exe
    O4 - HKLM\..\RunOnce: [ntip.exe] C:\WINDOWS\ntip.exe
    O4 - HKLM\..\RunOnce: [apphf32.exe] C:\WINDOWS\apphf32.exe
    O4 - HKLM\..\RunOnce: [iefu.exe] C:\WINDOWS\system32\iefu.exe
    O4 - HKLM\..\RunOnce: [sdkek32.exe] C:\WINDOWS\system32\sdkek32.exe
    O4 - HKLM\..\RunOnce: [apiva32.exe] C:\WINDOWS\apiva32.exe
    O4 - HKLM\..\RunOnce: [netci32.exe] C:\WINDOWS\system32\netci32.exe
    O4 - HKLM\..\RunOnce: [d3gr32.exe] C:\WINDOWS\system32\d3gr32.exe
    O4 - HKLM\..\RunOnce: [msgh.exe] C:\WINDOWS\system32\msgh.exe
    O4 - HKLM\..\RunOnce: [d3hi.exe] C:\WINDOWS\d3hi.exe
    O4 - HKLM\..\RunOnce: [addex32.exe] C:\WINDOWS\system32\addex32.exe
    O4 - HKLM\..\RunOnce: [apiue32.exe] C:\WINDOWS\system32\apiue32.exe
    O4 - HKLM\..\RunOnce: [atlpi.exe] C:\WINDOWS\system32\atlpi.exe
    O4 - HKLM\..\RunOnce: [msoy32.exe] C:\WINDOWS\system32\msoy32.exe
    O4 - HKLM\..\RunOnce: [sdkcg.exe] C:\WINDOWS\system32\sdkcg.exe
    O4 - HKLM\..\RunOnce: [netgs.exe] C:\WINDOWS\system32\netgs.exe
    O4 - HKLM\..\RunOnce: [crvh32.exe] C:\WINDOWS\crvh32.exe
    O4 - HKLM\..\RunOnce: [syslo.exe] C:\WINDOWS\syslo.exe
    O4 - HKLM\..\RunOnce: [atlps32.exe] C:\WINDOWS\atlps32.exe
    O4 - HKLM\..\RunOnce: [ntuc32.exe] C:\WINDOWS\system32\ntuc32.exe
    O4 - HKLM\..\RunOnce: [mfcss32.exe] C:\WINDOWS\mfcss32.exe
    O4 - HKLM\..\RunOnce: [apisi.exe] C:\WINDOWS\system32\apisi.exe
    O4 - HKLM\..\RunOnce: [atlai.exe] C:\WINDOWS\atlai.exe
    O4 - HKLM\..\RunOnce: [crvt.exe] C:\WINDOWS\system32\crvt.exe
    O4 - HKLM\..\RunOnce: [sdkjd32.exe] C:\WINDOWS\sdkjd32.exe
    O4 - HKLM\..\RunOnce: [crcw32.exe] C:\WINDOWS\system32\crcw32.exe
    O4 - HKLM\..\RunOnce: [apihs32.exe] C:\WINDOWS\system32\apihs32.exe
    O4 - HKLM\..\RunOnce: [crce.exe] C:\WINDOWS\crce.exe
    O4 - HKLM\..\RunOnce: [ntgq.exe] C:\WINDOWS\ntgq.exe
    O4 - HKLM\..\RunOnce: [ievf32.exe] C:\WINDOWS\system32\ievf32.exe
    O4 - HKLM\..\RunOnce: [sdkow32.exe] C:\WINDOWS\sdkow32.exe
    O4 - HKLM\..\RunOnce: [ntdt32.exe] C:\WINDOWS\system32\ntdt32.exe
    O4 - HKLM\..\RunOnce: [atlip32.exe] C:\WINDOWS\system32\atlip32.exe
    O4 - HKLM\..\RunOnce: [sdkdb32.exe] C:\WINDOWS\system32\sdkdb32.exe
    O4 - HKLM\..\RunOnce: [d3hf32.exe] C:\WINDOWS\d3hf32.exe
    O4 - HKLM\..\RunOnce: [d3kw32.exe] C:\WINDOWS\system32\d3kw32.exe
    O4 - HKLM\..\RunOnce: [winae.exe] C:\WINDOWS\system32\winae.exe
    O4 - HKLM\..\RunOnce: [mfcei32.exe] C:\WINDOWS\mfcei32.exe
    O4 - HKLM\..\RunOnce: [apizh.exe] C:\WINDOWS\system32\apizh.exe
    O4 - HKLM\..\RunOnce: [winyx32.exe] C:\WINDOWS\system32\winyx32.exe
    O4 - HKLM\..\RunOnce: [atlrv.exe] C:\WINDOWS\system32\atlrv.exe
    O4 - HKLM\..\RunOnce: [crlh.exe] C:\WINDOWS\system32\crlh.exe
    O4 - HKLM\..\RunOnce: [ntaw.exe] C:\WINDOWS\system32\ntaw.exe
    O4 - HKLM\..\RunOnce: [mfclp.exe] C:\WINDOWS\mfclp.exe
    O4 - HKLM\..\RunOnce: [sysvi32.exe] C:\WINDOWS\system32\sysvi32.exe
    O4 - HKLM\..\RunOnce: [winpt32.exe] C:\WINDOWS\system32\winpt32.exe
    O4 - HKLM\..\RunOnce: [crup32.exe] C:\WINDOWS\crup32.exe
    O4 - HKLM\..\RunOnce: [addpb.exe] C:\WINDOWS\system32\addpb.exe
    O4 - HKLM\..\RunOnce: [iesn32.exe] C:\WINDOWS\system32\iesn32.exe
    O4 - HKLM\..\RunOnce: [javarc.exe] C:\WINDOWS\javarc.exe

    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)



    After you have checked all of those, click the "Fix Checked" button.

    Exit Hijack This.



    * Double-click on the delete.bat file to run it. Let it run and it will delete the bad files.


    * Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.



    * Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.



    * Run Cleanup:
    • Click on the "Cleanup" button and let it run.
    • Once it's done, close the program.



    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.



    ** Restart back into Windows normally now and do the following:



    * Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.



    * If you have Spybot S&D installed you will also need to replace one file.
    Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)



    * Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
    Find shell.dll and right click on it. Choose Copy from the menu.
    Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.



    * control.exe may have been deleted.
    See if control.exe is present in C:\windows\system32

    If control.exe isn't there, go here, and download control.exe per the instructions at the site.



    * IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! Reset your ActiveX security settings like so... Go to Internet Options > Security > Internet, press 'default level', then OK.
    Now press "Custom Level."
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "prompt", and "Initialize and script ActiveX controls not marked as safe" to "disable".


    * Run ActiveScan online virus scan here

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJackThis log along with the results from ActiveScan
     

    Attached Files:
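    An added example, not part of this thread and not a HijackThis, CWShredder or delete.bat component: a small Python script that does the first pass of the triage Flrman1 is doing by hand in this post and again in post 12. Every entry he ticks follows the same scheme, a fixed prefix (api, app, atl, sdk, mfc, ms, win, ...) plus two random letters, optionally "32", dropped straight into C:\WINDOWS or C:\WINDOWS\system32, and the IE search hijack always points into one of those DLLs via a res:// URL. The prefix list, the drop-directory rule, the O23 "Unknown owner" rule and the sample log lines (copied from the logs posted above, with the garbled service display name left out) are assumptions drawn from this thread; a different CWS variant would need a different prefix list. The output is a list of HijackThis lines to tick plus a delete.bat-style script of the matching files; the batch shape is my guess at what the attached delete.bat does, since its contents are not shown.

```python
"""Triage a HijackThis log for the random-name CWS/PSGuard pattern in this thread.

Added example for this thread; it is not a HijackThis, CWShredder or delete.bat
component. The prefix list, the drop-directory rule and the sample log lines
are assumptions drawn from the logs posted above; other variants need tuning.
"""
import re

# Assumed naming scheme, read off the O2/O4 entries above:
# <prefix><two random letters>[32].exe or .dll, dropped directly in
# %WINDIR% or %WINDIR%\system32 (never in a subfolder of its own).
PREFIXES = ("add", "api", "app", "atl", "cr", "d3", "ie", "ip", "java",
            "mfc", "ms", "net", "nt", "sdk", "sys", "win")
RANDOM_NAME = re.compile(
    r"^(?:%s)[a-z]{2}(?:32)?\.(?:exe|dll)$" % "|".join(PREFIXES))
DROP_DIRS = re.compile(r"^c:\\windows(?:\\system32)?\\[^\\]+$", re.I)
# IE search/start hijack: a res:// URL into a dropped DLL (kgxse.dll above).
RES_HIJACK = re.compile(r"res://([^/]+\.dll)/sp\.html", re.I)

# One regex per HijackThis section we care about; group 1 is the file path.
O4_LINE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\(?:Run|RunOnce): \[[^\]]+\] (.+)$")
O2_LINE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (.+?)(?: \(file missing\))?$")
O23_LINE = re.compile(r"^O23 - Service: .* - Unknown owner - (.+?)(?: \(file missing\))?$")
R_LINE = re.compile(r"^R[013] - .*= (.+)$")


def suspicious_path(path):
    """True when path is <drop dir>\\<random name> under the scheme above."""
    path = path.strip()
    if not DROP_DIRS.match(path):
        return False
    return bool(RANDOM_NAME.match(path.rsplit("\\", 1)[-1].lower()))


def triage(log_text):
    """Return (flagged_lines, files) for a HijackThis log.

    flagged_lines are the entries to tick in HijackThis; files are the
    on-disk artefacts to remove in safe mode, first-seen order, no repeats.
    """
    flagged, files = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        path = None
        for rx in (O4_LINE, O2_LINE, O23_LINE):
            m = rx.match(line)
            if m and suspicious_path(m.group(1)):
                path = m.group(1).strip()
                break
        else:
            m = R_LINE.match(line)
            hit = RES_HIJACK.search(m.group(1)) if m else None
            if hit:
                path = hit.group(1)
        if path is not None:
            flagged.append(line)
            if path.lower() not in (f.lower() for f in files):
                files.append(path)
    return flagged, files


def delete_script(files):
    """Render files as a delete.bat-style script (assumed shape of the thread's
    attachment: clear attributes, then delete; meant to be run in safe mode)."""
    lines = ["@echo off"]
    for f in files:
        lines.append('attrib -r -s -h "%s"' % f)
        lines.append('del /f /q "%s"' % f)
    return "\n".join(lines) + "\n"


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunOnce: [appbi.exe] C:\WINDOWS\appbi.exe
O4 - HKLM\..\RunOnce: [mshc32.exe] C:\WINDOWS\mshc32.exe
O4 - HKLM\..\RunOnce: [sdkfz.exe] C:\WINDOWS\system32\sdkfz.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O2 - BHO: Class - {40F96ECF-F256-A2FB-6BF0-5B6FD5678995} - C:\WINDOWS\system32\apigh.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll (file missing)
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\system32\mscz.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgxse.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgxse.dll/sp.html#44768
R3 - Default URLSearchHook is missing
"""

if __name__ == "__main__":
    flagged, files = triage(SAMPLE_LOG)
    print("Tick these in HijackThis:")
    for entry in flagged:
        print("  " + entry)
    print(delete_script(files))
```

    Treat the output as a shortlist for a human, not a verdict: the name rule is deliberately narrow so that ctfmon.exe, ACS.exe and the Program Files entries are left alone, which also means it will not catch the `[iexplore.exe]` Run entry or the `R3 - Default URLSearchHook is missing` line that Flrman1 ticks by eye, and a legitimate file such as d3d8.dll would match the d3 prefix if it ever showed up in a Run key. Run it against the log before and after the safe-mode cleanup; if the second run flags a fresh set of names, the dropper (the service stopped at the start of the procedure) is still alive and the names have rotated, which is exactly why the post says not to reboot between the log and the directions.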

  8. nv13

    nv13 Thread Starter

    Joined:
    Aug 21, 2005
    Messages:
    25
    flrman1,
    I did as you advised me to. As a result the startup procedure is faster now and also IE does not open by itself initially. But I still get the message from Trend Micro saying that "TROJ_STARTPAG.RE" is quarantined, whenever I open IE. I am attaching both the Hijackthis and Active Scan log files. Thank you again for your help.

    nv13
     

    Attached Files:

  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    We need to go through basically the same procedure again. I just got in from work and will be online the rest of the evening until at least 11 pm EDT.

    To make sure nothing has changed since the log you posted, please go ahead and rescan with Hijack This and post a new log. We can get this thing cleaned up this evening if you have time to stick here with me a while. Don't restart your computer or do anything else, just wait for my reply with directions. I will be prompt.
     
  10. nv13

    nv13 Thread Starter

    Joined:
    Aug 21, 2005
    Messages:
    25
    flrman1,
    I am posting the new HijackThis Log file. Thanks for doing this.
    nv13
     

    Attached Files:

  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I'm working on the log now. I'll post directions soon.
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    * You don't need to download all the tools you downloaded before again if you still have them all. Make sure you still have them all and redownload any that you have removed.


    ** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.

    • Open MS Anti-Spyware and click on Options > Settings.
    • Click on "Realtime Protection" in the left pane.
    • Remove the check by these:
      • Enable the Microsoft Security Agents on startup (recommended)
      • Enable real-time spyware threat protection (recommended)
    • Click "Save"
    • Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware"
    • You should re-enable these when we are finished here.


    * I am attaching a delete2.zip file to this post. It contains a delete2.bat file. Unzip delete2.zip to extract the delete2.bat file it contains and have it ready to run in safe mode.


    **After you have downloaded all the above tools, sign off the internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.



    * Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find Remote Procedure Call (RPC) Helper.
    Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

    CAUTION: There is also a service named Remote Procedure Call (RPC) Locator and one called Remote Procedure Call (RPC). These are the legitimate services. Do not stop those two.


    ** Restart your computer into safe mode now. Perform the following steps in safe mode:



    * Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.



    * Run Hijack This and put a check by all of the following entries:

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {39314580-81A5-5B7C-6038-49D3B9341A24} - C:\WINDOWS\appte32.dll

    O2 - BHO: Class - {3D04ED84-CB60-D0D7-5B32-B6E17342655A} - C:\WINDOWS\syswy.dll

    O2 - BHO: Class - {71831756-0ABA-C479-7A7E-D8EC68EDFB00} - C:\WINDOWS\system32\sdkxh32.dll

    O2 - BHO: Class - {7B9F0EE4-BFCC-13BF-7127-EC3A3BA67B92} - C:\WINDOWS\sdkzj32.dll

    O2 - BHO: Class - {AC4257E2-6DD2-AEC4-FFD6-D5E44CC39DBE} - C:\WINDOWS\d3bs.dll

    O2 - BHO: Class - {DF7B4507-13C3-06E8-197B-D732093994CA} - C:\WINDOWS\system32\apptw32.dll

    O2 - BHO: Class - {E6512118-692F-BF80-A97A-75AF1C652A9B} - C:\WINDOWS\atlnl32.dll

    O2 - BHO: Class - {EE427AA2-C3A0-EEBC-C139-0A744C94E673} - C:\WINDOWS\atlcc.dll

    O2 - BHO: Class - {F043FDC8-1BB2-DD9E-F339-A01E4FC8A75E} - C:\WINDOWS\system32\mfcpn32.dll

    O2 - BHO: Class - {FBF430FD-0AC5-CF00-714C-E063038CC69E} - C:\WINDOWS\mfcrw32.dll

    O2 - BHO: Class - {FF8D1970-66C7-0067-E933-2FC85DA5DFA5} - C:\WINDOWS\system32\iesf.dll

    O4 - HKLM\..\Run: [ippd.exe] C:\WINDOWS\ippd.exe

    O4 - HKLM\..\Run: [sdkjs.exe] C:\WINDOWS\system32\sdkjs.exe

    O4 - HKLM\..\RunOnce: [appvm.exe] C:\WINDOWS\system32\appvm.exe

    O4 - HKLM\..\RunOnce: [mszf32.exe] C:\WINDOWS\system32\mszf32.exe

    O4 - HKLM\..\RunOnce: [ipzn.exe] C:\WINDOWS\system32\ipzn.exe

    O4 - HKLM\..\RunOnce: [ipjr32.exe] C:\WINDOWS\system32\ipjr32.exe

    O4 - HKLM\..\RunOnce: [ipdl.exe] C:\WINDOWS\system32\ipdl.exe

    O4 - HKLM\..\RunOnce: [addqf.exe] C:\WINDOWS\system32\addqf.exe

    O4 - HKLM\..\RunOnce: [netnh32.exe] C:\WINDOWS\netnh32.exe

    O4 - HKLM\..\RunOnce: [netzb.exe] C:\WINDOWS\netzb.exe

    O4 - HKLM\..\RunOnce: [sdkyq.exe] C:\WINDOWS\sdkyq.exe

    O4 - HKLM\..\RunOnce: [mfcqk32.exe] C:\WINDOWS\system32\mfcqk32.exe

    O4 - HKLM\..\RunOnce: [sysvm.exe] C:\WINDOWS\sysvm.exe

    O4 - HKLM\..\RunOnce: [netou32.exe] C:\WINDOWS\netou32.exe

    O4 - HKLM\..\RunOnce: [appte32.exe] C:\WINDOWS\appte32.exe

    O4 - HKLM\..\RunOnce: [ierl32.exe] C:\WINDOWS\system32\ierl32.exe

    O4 - HKLM\..\RunOnce: [sdkxv32.exe] C:\WINDOWS\sdkxv32.exe

    O4 - HKLM\..\RunOnce: [ntfw32.exe] C:\WINDOWS\ntfw32.exe

    O4 - HKLM\..\RunOnce: [d3er.exe] C:\WINDOWS\d3er.exe

    O4 - HKLM\..\RunOnce: [winxq.exe] C:\WINDOWS\winxq.exe

    O4 - HKLM\..\RunOnce: [atlbi.exe] C:\WINDOWS\atlbi.exe

    O4 - HKLM\..\RunOnce: [apibo.exe] C:\WINDOWS\system32\apibo.exe

    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)


    After you have checked all of those, click the "Fix Checked" button.

    Exit Hijack This.


    * Double-click on the delete2.bat file to run it. Let it run and it will delete the bad files.


    * Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.



    * Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.



    * Run Cleanup:
    • Click on the "Cleanup" button and let it run.
    • Once it's done, close the program.



    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.



    ** Restart back into Windows normally now and do the following:


    * Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

    When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

    Post a new HiJackThis log along with the report from the Housecall scan.
     

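The O2/O4 entries flrman1 lists above share one signature: a generic BHO name ("Class"), a DLL or EXE dropped straight into C:\WINDOWS or system32, and a filename built from a harmless-looking prefix plus two random letters. The triage script below is an added example, not part of the thread or of HijackThis; the sample log lines and the placeholder CLSID are constructed, and the prefix list is taken only from the filenames in this post.

```python
import ntpath
import re

# Constructed sample HijackThis lines modelled on the post above; the Adobe
# entry uses a placeholder CLSID and is there as a known-good control.
SAMPLE_LOG = """\
O2 - BHO: Class - {39314580-81A5-5B7C-6038-49D3B9341A24} - C:\\WINDOWS\\appte32.dll
O2 - BHO: Class - {71831756-0ABA-C479-7A7E-D8EC68EDFB00} - C:\\WINDOWS\\system32\\sdkxh32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\RunOnce: [netnh32.exe] C:\\WINDOWS\\netnh32.exe
O4 - HKLM\\..\\Run: [ippd.exe] C:\\WINDOWS\\ippd.exe
O4 - HKLM\\..\\Run: [PcCtlCom] C:\\PROGRA~1\\TRENDM~1\\INTERN~2\\PcCtlCom.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<entry>[^\]]*)\] (?P<path>.+)$")
# Prefixes seen in this thread's entries, then two random letters, optional "32".
CWS_NAME_RE = re.compile(
    r"^(app|api|add|atl|d3|ie|ip|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.(dll|exe)$", re.I)
WINDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS(\\system32)?$", re.I)


def triage(log_text):
    """Return [(kind, path, reasons)] for O2/O4 lines matching the CWS pattern."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            kind = "BHO"
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            kind = m.group("key").rsplit("\\", 1)[-1]  # "Run" or "RunOnce"
        path = m.group("path").strip()
        directory, filename = ntpath.split(path)
        reasons = []
        if kind == "BHO" and m.group("name").strip() == "Class":
            reasons.append("generic BHO name 'Class'")
        if CWS_NAME_RE.match(filename):
            reasons.append("random CWS-style filename")
        if WINDIR_RE.match(directory):
            reasons.append("dropped directly in the Windows directory")
        # Require the filename signature plus one more indicator to limit noise.
        if "random CWS-style filename" in reasons and len(reasons) >= 2:
            findings.append((kind, path, reasons))
    return findings


if __name__ == "__main__":
    for kind, path, reasons in triage(SAMPLE_LOG):
        print(f"{kind:8} {path}  <- {'; '.join(reasons)}")
```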

  13. nv13

    nv13 Thread Starter

    Joined:
    Aug 21, 2005
    Messages:
    25
    flrman1,
    I will work on this right now and let you know.
    Thanks
    nv13
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  15. nv13

    nv13 Thread Starter

    Joined:
    Aug 21, 2005
    Messages:
    25
    flrman1,
    I could not use the online virus scan. The program just stops after the scan starts.
    nv13
     
  16. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Go ahead and post a new HJT log please.
     

Short URL to this thread: https://techguy.org/392342