System32 Folder keeps popping up please help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

rotiro3

Thread Starter
Joined
Oct 9, 2004
Messages
10
Hi can someone please help me. On reboot the system32 folder pops up below is my log I have run spybot and adaware thanks

Logfile of HijackThis v1.97.7
Scan saved at 7:48:41 PM, on 10/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\netdl\antivirus\SHSTAT.EXE
C:\Program Files\netdl\Common Framework\UpdaterUI.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\netdl\Common Framework\FrameworkService.exe
C:\Program Files\netdl\antivirus\mcshield.exe
C:\Program Files\netdl\antivirus\vstskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\sarsh\Local Settings\Temporary Internet Files\Content.IE5\492N85IF\HijackThis[1].exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AF27EE1-7307-C3B0-8571-9C5262901B4D} - C:\WINDOWS\system32\aupwezel.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll (file missing)
O2 - BHO: (no name) - {E167B868-97DB-A24A-52ED-BB6ED1060060} - C:\PROGRA~1\LOGOBO~1\settingsref.exe
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\DOCUME~1\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [// Browser Detec] c:\WINDOWS\System32\// Browser Detection
O4 - HKLM\..\Run: [NS4 = (document.layers) ? true : fa] c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;
O4 - HKLM\..\Run: [IEmac = ((document.all)&&(isMac)) ? true : fa] c:\WINDOWS\System32\IEmac = ((document.all)&&(isMac)) ? true : false;
O4 - HKLM\..\Run: [IE4plus = (document.all) ? true : fa] c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;
O4 - HKLM\..\Run: [ver4 = (NS4 || IE4plus) ? true : fa] c:\WINDOWS\System32\ver4 = (NS4 || IE4plus) ? true : false;
O4 - HKLM\..\Run: [NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa] c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;
O4 - HKLM\..\Run: [IE5plus = IE5 || ] c:\WINDOWS\System32\IE5plus = IE5 || IE6;
O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
O4 - HKLM\..\Run: [if (IE4p] c:\WINDOWS\System32\if (IE4plus)
O4 - HKLM\..\Run: [// Body onload utility (supports multiple onload functi] c:\WINDOWS\System32\// Body onload utility (supports multiple onload functions)
O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();
O4 - HKLM\..\Run: [function SafeAddOnloa] c:\WINDOWS\System32\function SafeAddOnload(f)
O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe>');
O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer>');
O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\netdl\antivirus\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\netdl\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKLM\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKLM\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
O4 - HKLM\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
O4 - HKLM\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {
O4 - HKLM\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKLM\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists
O4 - HKLM\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKLM\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value
O4 - HKLM\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKLM\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)
O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKLM\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))
O4 - HKLM\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKLM\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKLM\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){
O4 - HKLM\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKLM\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKLM\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKLM\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKLM\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKLM\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly
O4 - HKLM\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKLM\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKLM\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
O4 - HKLM\..\Run: [ s=screen.width;v=navigator.app] c:\WINDOWS\System32\ s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [ j=navigator.javaEnabl] c:\WINDOWS\System32\ j=navigator.javaEnabled()
O4 - HKLM\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
O4 - HKLM\..\Run: [ if (NS2Ch == ] c:\WINDOWS\System32\ if (NS2Ch == 0) {
O4 - HKLM\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [else {c=screen.pixelDe] c:\WINDOWS\System32\else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
O4 - HKLM\..\Run: [NS2] c:\WINDOWS\System32\NS2Ch=0
O4 - HKLM\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKCU\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKCU\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
O4 - HKCU\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
O4 - HKCU\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {
O4 - HKCU\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKCU\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists
O4 - HKCU\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKCU\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value
O4 - HKCU\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKCU\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)
O4 - HKCU\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKCU\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))
O4 - HKCU\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKCU\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKCU\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKCU\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){
O4 - HKCU\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKCU\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKCU\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKCU\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKCU\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKCU\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly
O4 - HKCU\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKCU\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKCU\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
O4 - HKCU\..\Run: [ s=screen.width;v=navigator.app] c:\WINDOWS\System32\ s=screen.width;v=navigator.appName
O4 - HKCU\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
O4 - HKCU\..\Run: [ j=navigator.javaEnabl] c:\WINDOWS\System32\ j=navigator.javaEnabled()
O4 - HKCU\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
O4 - HKCU\..\Run: [ if (NS2Ch == ] c:\WINDOWS\System32\ if (NS2Ch == 0) {
O4 - HKCU\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
O4 - HKCU\..\Run: [else {c=screen.pixelDe] c:\WINDOWS\System32\else {c=screen.pixelDepth}
O4 - HKCU\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
O4 - HKCU\..\Run: [NS2] c:\WINDOWS\System32\NS2Ch=0
O4 - HKCU\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {11113111-1411-1611-8111-111111111413} - mhtml:file://c:\nul.mht!http://www.capital-systems.net//browser.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {483912CF-8995-4434-AD61-6163756E05DF} (AXTNS Control) - http://download.livemath.com/activex/AXTNS.ocx
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094729074656
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37866.3360763889
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined
Nov 2, 2002
Messages
22,468
While I never discount someone having spyware or Trojan files on their computer, typically if the System32 folder shows on the desktop, there may be an invalid entry in the Registry

1. Start Regedit
2. Go to both:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
3. Double check that the values do not have incorrect, incomplete, or blank entries
 

rotiro3

Thread Starter
Joined
Oct 9, 2004
Messages
10
I have a couple of entries named } then for data it says c:\windows\system32} should I remove them
Below is what I exported thanks.

Last Write Time: 10/9/2004 - 8:24 PM
Value 0
Name: MSMSGS
Type: REG_SZ
Data: "C:\Program Files\Messenger\msmsgs.exe" /background

Value 1
Name: <NO NAME>
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\

Value 2
Name: function setCookie(name, value)
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\function setCookie(name, value) {

Value 3
Name: var expire = new Dat
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\var expire = new Date();

Value 4
Name: var today = new Dat
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\var today = new Date();

Value 5
Name: expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);

Value 6
Name: function getCookie(Name)
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\function getCookie(Name) {

Value 7
Name: offset = document.cookie.indexOf(search)
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\offset = document.cookie.indexOf(search)

Value 8
Name: if (offset != -1) { // if cookie exists
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\if (offset != -1) { // if cookie exists

Value 9
Name: offset += search.leng
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\offset += search.length;

Value 10
Name: // set index of beginning of value
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\// set index of beginning of value

Value 11
Name: // set index of end of cookie value
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\// set index of end of cookie value

Value 12
Name: if (end == -1)
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\if (end == -1)

Value 13
Name: end = document.cookie.length
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\end = document.cookie.length

Value 14
Name: return unescape(document.cookie.substring(offset, end))
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))

Value 15
Name: }
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\}

Value 16
Name: function mhppo
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\function mhppop(){

Value 17
Name: var cookieExist = getCookie(strCookieNa
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);

Value 18
Name: function FormFocu
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\function FormFocus(){

Value 19
Name: document.frmSearch.KeyWords.focu
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();

Value 20
Name: flag
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\flag = 1

Value 21
Name: function exittraff
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\function exittraffic()

Value 22
Name: if ((flag ==
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\if ((flag == 1))

Value 23
Name: mhppop(); //makeusyourhomepage
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop

Value 24
Name: var pos_left = (screen.width / 2) -125; // window horizontally centered, rou
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly

Value 25
Name: var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen

Value 26
Name: window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);

Value 27
Name: Sea
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\ Search:

Value 28
Name: s=screen.width;v=navigator.app
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\ s=screen.width;v=navigator.appName

Value 29
Name: else {c=screen.pixelDe
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\ else {c=screen.pixelDepth}

Value 30
Name: j=navigator.javaEnabl
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\ j=navigator.javaEnabled()

Value 31
Name: NS2
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\ NS2Ch=0

Value 32
Name: if (NS2Ch ==
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\ if (NS2Ch == 0) {

Value 33
Name: s=screen.width;v=navigator.app
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\s=screen.width;v=navigator.appName

Value 34
Name: else {c=screen.pixelDe
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\else {c=screen.pixelDepth}

Value 35
Name: j=navigator.javaEnabl
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\j=navigator.javaEnabled()

Value 36
Name: NS2
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\NS2Ch=0

Value 37
Name: if (NS2Ch ==
Type: REG_EXPAND_SZ
Data: c:\WINDOWS\System32\if (NS2Ch == 0) {

Value 38
Name: AIM
Type: REG_SZ
Data: C:\Documents and Settings\aim.exe -cnetwait.odl
 
Joined
Jul 26, 2002
Messages
46,331
Hi rotiro3

Welcome to TSG! :)

First please do the following:

First you are using an old version of Hijack This. Get rid of the old one first.

Also I see that you are running HJT from your temporary Internet Files folder. This is a bad idea because it cannot create and restore backups from there. You need to create a new folder in My Documents and name it Hijack This. Now Now Click here to download Hijack This. Download and save the file to the Hijack This folder you just created.


Run the new version of Hijack This and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0AF27EE1-7307-C3B0-8571-9C5262901B4D} - C:\WINDOWS\system32\aupwezel.dll (file missing)

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll (file missing)

O2 - BHO: (no name) - {E167B868-97DB-A24A-52ED-BB6ED1060060} - C:\PROGRA~1\LOGOBO~1\settingsref.exe

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [// Browser Detec] c:\WINDOWS\System32\// Browser Detection

O4 - HKLM\..\Run: [NS4 = (document.layers) ? true : fa] c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;

O4 - HKLM\..\Run: [IEmac = ((document.all)&&(isMac)) ? true : fa] c:\WINDOWS\System32\IEmac = ((document.all)&&(isMac)) ? true : false;

O4 - HKLM\..\Run: [IE4plus = (document.all) ? true : fa] c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;

O4 - HKLM\..\Run: [ver4 = (NS4 || IE4plus) ? true : fa] c:\WINDOWS\System32\ver4 = (NS4 || IE4plus) ? true : false;

O4 - HKLM\..\Run: [NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa] c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;

O4 - HKLM\..\Run: [IE5plus = IE5 || ] c:\WINDOWS\System32\IE5plus = IE5 || IE6;

O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;

O4 - HKLM\..\Run: [if (IE4p] c:\WINDOWS\System32\if (IE4plus)

O4 - HKLM\..\Run: [// Body onload utility (supports multiple onload functi] c:\WINDOWS\System32\// Body onload utility (supports multiple onload functions)

O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();

O4 - HKLM\..\Run: [function SafeAddOnloa] c:\WINDOWS\System32\function SafeAddOnload(f)

O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe>');

O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></ilayer>');

O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2profit.com/abs_adserve.cfm?campaign_id=15780&noscript=1&rand=[RAND]"></iframe></noscript>

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {

O4 - HKLM\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();

O4 - HKLM\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();

O4 - HKLM\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);

O4 - HKLM\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {

O4 - HKLM\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)

O4 - HKLM\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists

O4 - HKLM\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;

O4 - HKLM\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value

O4 - HKLM\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value

O4 - HKLM\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)

O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length

O4 - HKLM\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))

O4 - HKLM\..\Run: [}] c:\WINDOWS\System32\}

O4 - HKLM\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){

O4 - HKLM\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);

O4 - HKLM\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){

O4 - HKLM\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();

O4 - HKLM\..\Run: [flag] c:\WINDOWS\System32\flag = 1

O4 - HKLM\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()

O4 - HKLM\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))

O4 - HKLM\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop

O4 - HKLM\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly

O4 - HKLM\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen

O4 - HKLM\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);

O4 - HKLM\..\Run: [ Sea] c:\WINDOWS\System32\ Search:

O4 - HKLM\..\Run: [ s=screen.width;v=navigator.app] c:\WINDOWS\System32\ s=screen.width;v=navigator.appName

O4 - HKLM\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}

O4 - HKLM\..\Run: [ j=navigator.javaEnabl] c:\WINDOWS\System32\ j=navigator.javaEnabled()

O4 - HKLM\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0

O4 - HKLM\..\Run: [ if (NS2Ch == ] c:\WINDOWS\System32\ if (NS2Ch == 0) {

O4 - HKLM\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName

O4 - HKLM\..\Run: [else {c=screen.pixelDe] c:\WINDOWS\System32\else {c=screen.pixelDepth}

O4 - HKLM\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()

O4 - HKLM\..\Run: [NS2] c:\WINDOWS\System32\NS2Ch=0

O4 - HKLM\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {

O4 - HKCU\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();

O4 - HKCU\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();

O4 - HKCU\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);

O4 - HKCU\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {

O4 - HKCU\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)

O4 - HKCU\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists

O4 - HKCU\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;

O4 - HKCU\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value

O4 - HKCU\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value

O4 - HKCU\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)

O4 - HKCU\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length

O4 - HKCU\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))

O4 - HKCU\..\Run: [}] c:\WINDOWS\System32\}

O4 - HKCU\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){

O4 - HKCU\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);

O4 - HKCU\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){

O4 - HKCU\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();

O4 - HKCU\..\Run: [flag] c:\WINDOWS\System32\flag = 1

O4 - HKCU\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()

O4 - HKCU\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))

O4 - HKCU\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop

O4 - HKCU\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly

O4 - HKCU\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen

O4 - HKCU\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);

O4 - HKCU\..\Run: [ Sea] c:\WINDOWS\System32\ Search:

O4 - HKCU\..\Run: [ s=screen.width;v=navigator.app] c:\WINDOWS\System32\ s=screen.width;v=navigator.appName

O4 - HKCU\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}

O4 - HKCU\..\Run: [ j=navigator.javaEnabl] c:\WINDOWS\System32\ j=navigator.javaEnabled()

O4 - HKCU\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0

O4 - HKCU\..\Run: [ if (NS2Ch == ] c:\WINDOWS\System32\ if (NS2Ch == 0) {

O4 - HKCU\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName

O4 - HKCU\..\Run: [else {c=screen.pixelDe] c:\WINDOWS\System32\else {c=screen.pixelDepth}

O4 - HKCU\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()

O4 - HKCU\..\Run: [NS2] c:\WINDOWS\System32\NS2Ch=0

O4 - HKCU\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {

O16 - DPF: {11113111-1411-1611-8111-111111111413} - mhtml:file://c:\nul.mht!http://www.capital-systems.net//browser.exe

O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab


Restart to safe mode.

How to start your computer in safe mode

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin


Finally after you have done the above, rescan with the new version of Hijack This and post another log.
 

rotiro3

Thread Starter
Joined
Oct 9, 2004
Messages
10
That worked here is my current log

Logfile of HijackThis v1.98.2
Scan saved at 2:42:50 PM, on 10/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\netdl\Common Framework\FrameworkService.exe
C:\Program Files\netdl\antivirus\mcshield.exe
C:\Program Files\netdl\antivirus\vstskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\netdl\antivirus\SHSTAT.EXE
C:\Program Files\netdl\Common Framework\UpdaterUI.exe
C:\Documents and Settings\aim.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\sarsh\My Documents\HijackThis\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\DOCUME~1\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [function SafeAddOnloa] c:\WINDOWS\System32\function SafeAddOnload(f)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\netdl\antivirus\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\netdl\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKCU\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKCU\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKCU\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\aim.exe -cnetwait.odl
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {483912CF-8995-4434-AD61-6163756E05DF} (AXTNS Control) - http://download.livemath.com/activex/AXTNS.ocx
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094729074656
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
 
Joined
Jul 26, 2002
Messages
46,331
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O4 - HKLM\..\Run: [function SafeAddOnloa] c:\WINDOWS\System32\function SafeAddOnload(f)

O4 - HKLM\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {

O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){

O4 - HKCU\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();

O4 - HKCU\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()

O4 - HKCU\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))


Restart your computer.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top