Joe The One
12 Jun 2005, 2:43am
Hey guys, I'm a real rookie when it comes to deleting trojans and stuff. I just usually use my anti-virus programs, but I recently got something called "shopping wizard" and I can't get rid of it, so here's my log:
Logfile of HijackThis v1.99.1
Scan saved at 6:30:44 PM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\addby32.exe
C:\WINDOWS\system32\apipj32.exe
C:\Documents and Settings\Ron\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jlpib.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jlpib.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jlpib.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jlpib.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jlpib.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jlpib.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jlpib.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {DA50B851-33CA-06EB-529C-7E0AD96F9CAC} - C:\WINDOWS\atlav.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Azk45X3S.exe
O4 - HKLM\..\Run: [ljojlcojmogk] C:\WINDOWS\System32\zarbhxf.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [le] C:\documents and settings\ron\local settings\temp\le.exe
O4 - HKLM\..\Run: [AAjs] C:\documents and settings\ron\local settings\temp\AAjs.exe
O4 - HKLM\..\Run: [27oS3ES] ntpcli.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [ybrowser.exe] C:\Program Files\Yahoo!\browser\ybrowser.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [apidl.exe] C:\WINDOWS\system32\apidl.exe
O4 - HKLM\..\Run: [crsl32.exe] C:\WINDOWS\system32\crsl32.exe
O4 - HKLM\..\Run: [d3fk32.exe] C:\WINDOWS\system32\d3fk32.exe
O4 - HKLM\..\Run: [ieri.exe] C:\WINDOWS\system32\ieri.exe
O4 - HKLM\..\Run: [javanq.exe] C:\WINDOWS\system32\javanq.exe
O4 - HKLM\..\Run: [addln32.exe] C:\WINDOWS\system32\addln32.exe
O4 - HKLM\..\Run: [atlfg32.exe] C:\WINDOWS\system32\atlfg32.exe
O4 - HKLM\..\Run: [crbj32.exe] C:\WINDOWS\system32\crbj32.exe
O4 - HKLM\..\Run: [netfd.exe] C:\WINDOWS\system32\netfd.exe
O4 - HKLM\..\Run: [mfcdu.exe] C:\WINDOWS\system32\mfcdu.exe
O4 - HKLM\..\Run: [netun.exe] C:\WINDOWS\system32\netun.exe
O4 - HKLM\..\Run: [atltv.exe] C:\WINDOWS\system32\atltv.exe
O4 - HKLM\..\Run: [apipv.exe] C:\WINDOWS\system32\apipv.exe
O4 - HKLM\..\Run: [mfcen32.exe] C:\WINDOWS\system32\mfcen32.exe
O4 - HKLM\..\Run: [iekc32.exe] C:\WINDOWS\system32\iekc32.exe
O4 - HKLM\..\Run: [d3sr.exe] C:\WINDOWS\d3sr.exe
O4 - HKLM\..\Run: [addzg.exe] C:\WINDOWS\addzg.exe
O4 - HKLM\..\Run: [ipzd.exe] C:\WINDOWS\ipzd.exe
O4 - HKLM\..\Run: [d3jd32.exe] C:\WINDOWS\d3jd32.exe
O4 - HKLM\..\Run: [javaox.exe] C:\WINDOWS\system32\javaox.exe
O4 - HKLM\..\Run: [mfcgs.exe] C:\WINDOWS\system32\mfcgs.exe
O4 - HKLM\..\Run: [addle.exe] C:\WINDOWS\addle.exe
O4 - HKLM\..\Run: [ntlr.exe] C:\WINDOWS\system32\ntlr.exe
O4 - HKLM\..\Run: [atlhl32.exe] C:\WINDOWS\atlhl32.exe
O4 - HKLM\..\Run: [atlni32.exe] C:\WINDOWS\system32\atlni32.exe
O4 - HKLM\..\Run: [d3zl.exe] C:\WINDOWS\d3zl.exe
O4 - HKLM\..\Run: [msfy.exe] C:\WINDOWS\system32\msfy.exe
O4 - HKLM\..\Run: [crtv.exe] C:\WINDOWS\system32\crtv.exe
O4 - HKLM\..\Run: [ntrk.exe] C:\WINDOWS\ntrk.exe
O4 - HKLM\..\Run: [ntyx.exe] C:\WINDOWS\system32\ntyx.exe
O4 - HKLM\..\Run: [sdkje.exe] C:\WINDOWS\sdkje.exe
O4 - HKLM\..\Run: [apioq.exe] C:\WINDOWS\apioq.exe
O4 - HKLM\..\Run: [netzu.exe] C:\WINDOWS\system32\netzu.exe
O4 - HKLM\..\Run: [iptd32.exe] C:\WINDOWS\system32\iptd32.exe
O4 - HKLM\..\Run: [nettz.exe] C:\WINDOWS\system32\nettz.exe
O4 - HKLM\..\Run: [iebf.exe] C:\WINDOWS\iebf.exe
O4 - HKLM\..\Run: [mfczu32.exe] C:\WINDOWS\system32\mfczu32.exe
O4 - HKLM\..\Run: [apith32.exe] C:\WINDOWS\apith32.exe
O4 - HKLM\..\Run: [netbh32.exe] C:\WINDOWS\system32\netbh32.exe
O4 - HKLM\..\Run: [atlqv.exe] C:\WINDOWS\system32\atlqv.exe
O4 - HKLM\..\Run: [sysut32.exe] C:\WINDOWS\system32\sysut32.exe
O4 - HKLM\..\Run: [ntth32.exe] C:\WINDOWS\system32\ntth32.exe
O4 - HKLM\..\Run: [javajn.exe] C:\WINDOWS\system32\javajn.exe
O4 - HKLM\..\Run: [ntso.exe] C:\WINDOWS\ntso.exe
O4 - HKLM\..\Run: [sdkrq32.exe] C:\WINDOWS\system32\sdkrq32.exe
O4 - HKLM\..\Run: [netgz32.exe] C:\WINDOWS\netgz32.exe
O4 - HKLM\..\Run: [msfp.exe] C:\WINDOWS\msfp.exe
O4 - HKLM\..\Run: [mfcgc32.exe] C:\WINDOWS\system32\mfcgc32.exe
O4 - HKLM\..\Run: [winlb.exe] C:\WINDOWS\system32\winlb.exe
O4 - HKLM\..\Run: [iedb32.exe] C:\WINDOWS\system32\iedb32.exe
O4 - HKLM\..\Run: [appgd32.exe] C:\WINDOWS\appgd32.exe
O4 - HKLM\..\Run: [atlzi.exe] C:\WINDOWS\system32\atlzi.exe
O4 - HKLM\..\Run: [javant.exe] C:\WINDOWS\javant.exe
O4 - HKLM\..\Run: [ntky32.exe] C:\WINDOWS\system32\ntky32.exe
O4 - HKLM\..\Run: [sdkhb.exe] C:\WINDOWS\sdkhb.exe
O4 - HKLM\..\Run: [ntvs32.exe] C:\WINDOWS\system32\ntvs32.exe
O4 - HKLM\..\Run: [msbn.exe] C:\WINDOWS\msbn.exe
O4 - HKLM\..\Run: [addrf.exe] C:\WINDOWS\addrf.exe
O4 - HKLM\..\Run: [apiuo32.exe] C:\WINDOWS\system32\apiuo32.exe
O4 - HKLM\..\Run: [msqb32.exe] C:\WINDOWS\msqb32.exe
O4 - HKLM\..\Run: [addlj32.exe] C:\WINDOWS\system32\addlj32.exe
O4 - HKLM\..\Run: [netet32.exe] C:\WINDOWS\netet32.exe
O4 - HKLM\..\Run: [winao.exe] C:\WINDOWS\winao.exe
O4 - HKLM\..\Run: [msml32.exe] C:\WINDOWS\system32\msml32.exe
O4 - HKLM\..\Run: [sysbh.exe] C:\WINDOWS\system32\sysbh.exe
O4 - HKLM\..\Run: [appml32.exe] C:\WINDOWS\system32\appml32.exe
O4 - HKLM\..\Run: [ipgs32.exe] C:\WINDOWS\ipgs32.exe
O4 - HKLM\..\Run: [mslf.exe] C:\WINDOWS\mslf.exe
O4 - HKLM\..\Run: [ipqa32.exe] C:\WINDOWS\system32\ipqa32.exe
O4 - HKLM\..\Run: [msaz.exe] C:\WINDOWS\msaz.exe
O4 - HKLM\..\Run: [apipj32.exe] C:\WINDOWS\system32\apipj32.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKLM\..\RunOnce: [d3ky.exe] C:\WINDOWS\system32\d3ky.exe
O4 - HKLM\..\RunOnce: [apixp32.exe] C:\WINDOWS\system32\apixp32.exe
O4 - HKLM\..\RunOnce: [ieek32.exe] C:\WINDOWS\ieek32.exe
O4 - HKLM\..\RunOnce: [addby32.exe] C:\WINDOWS\addby32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [Jw72ROepe] cmmcheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: My button - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll (file missing)
O9 - Extra 'Tools' menuitem: My menu - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW. Prefix: http://ehttp.cc/?
O13 - Home Prefix: http://%62%69%67%62%72%2E%63%63?error=
O13 - Mosaic Prefix: http://%62%69%67%62%72%2E%63%63?error=
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://serversb/ConnectComputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} (MNPerformer Class) - http://download.newaol.com/bkpromo/download/PerformerSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metzinger.local
O17 - HKLM\Software\..\Telephony: DomainName = metzinger.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metzinger.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winij.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
Any help would really be appreciated! Thanks