Help! I've been hijacked!

GruntGrunt Livermore, Calif.
edited August 2004 in Spyware & Virus Removal
Hi. I've been plagued by a browser hijacker and I've seen the tremendous help you guys have provided to others. I sure hope you can help me too.

I've run Adaware and Spybot after searching for updates. I've run CWShredder and HiJackThis. I ran all of these while in Safe Mode. Here is the HiJackThis log file. Any help would be greatly appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 6:24:09 AM, on 8/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hikjz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hikjz.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {F3AE5B8F-570D-9630-AF9D-BB9359426ED8} - C:\WINDOWS\mfcad.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [PLCMan] WinPlcMan.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [BridgeDeCor] BridgeDeCor.exe -r
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [netmr.exe] C:\WINDOWS\system32\netmr.exe
O4 - HKLM\..\RunOnce: [netpw32.exe] C:\WINDOWS\system32\netpw32.exe
O4 - HKLM\..\RunOnce: [sysal32.exe] C:\WINDOWS\sysal32.exe
O4 - HKLM\..\RunOnce: [mfcul32.exe] C:\WINDOWS\mfcul32.exe
O4 - HKLM\..\RunOnce: [sysfz32.exe] C:\WINDOWS\sysfz32.exe
O4 - HKLM\..\RunOnce: [d3oj32.exe] C:\WINDOWS\d3oj32.exe
O4 - HKLM\..\RunOnce: [apixn.exe] C:\WINDOWS\system32\apixn.exe
O4 - HKLM\..\RunOnce: [atltx32.exe] C:\WINDOWS\system32\atltx32.exe
O4 - HKLM\..\RunOnce: [iezm32.exe] C:\WINDOWS\system32\iezm32.exe
O4 - HKLM\..\RunOnce: [apilq.exe] C:\WINDOWS\apilq.exe
O4 - HKLM\..\RunOnce: [d3bf32.exe] C:\WINDOWS\system32\d3bf32.exe
O4 - HKLM\..\RunOnce: [mfclj.exe] C:\WINDOWS\mfclj.exe
O4 - HKLM\..\RunOnce: [msww.exe] C:\WINDOWS\msww.exe
O4 - HKLM\..\RunOnce: [netum.exe] C:\WINDOWS\system32\netum.exe
O4 - HKLM\..\RunOnce: [adddc.exe] C:\WINDOWS\system32\adddc.exe
O4 - HKLM\..\RunOnce: [crgu32.exe] C:\WINDOWS\crgu32.exe
O4 - HKLM\..\RunOnce: [ieqt32.exe] C:\WINDOWS\ieqt32.exe
O4 - HKLM\..\RunOnce: [ntas32.exe] C:\WINDOWS\ntas32.exe
O4 - HKLM\..\RunOnce: [winim32.exe] C:\WINDOWS\winim32.exe
O4 - HKLM\..\RunOnce: [netwi.exe] C:\WINDOWS\system32\netwi.exe
O4 - HKLM\..\RunOnce: [apiqo32.exe] C:\WINDOWS\system32\apiqo32.exe
O4 - HKLM\..\RunOnce: [addny.exe] C:\WINDOWS\addny.exe
O4 - HKLM\..\RunOnce: [atlbf.exe] C:\WINDOWS\atlbf.exe
O4 - HKLM\..\RunOnce: [appxw.exe] C:\WINDOWS\appxw.exe
O4 - HKLM\..\RunOnce: [d3sq.exe] C:\WINDOWS\d3sq.exe
O4 - HKLM\..\RunOnce: [iews.exe] C:\WINDOWS\iews.exe
O4 - HKLM\..\RunOnce: [ipxi32.exe] C:\WINDOWS\system32\ipxi32.exe
O4 - HKLM\..\RunOnce: [javaqk.exe] C:\WINDOWS\system32\javaqk.exe
O4 - HKLM\..\RunOnce: [atlgm32.exe] C:\WINDOWS\system32\atlgm32.exe
O4 - HKLM\..\RunOnce: [msdk.exe] C:\WINDOWS\msdk.exe
O4 - HKLM\..\RunOnce: [sysqd32.exe] C:\WINDOWS\system32\sysqd32.exe
O4 - HKLM\..\RunOnce: [d3wr32.exe] C:\WINDOWS\system32\d3wr32.exe
O4 - HKLM\..\RunOnce: [crqp.exe] C:\WINDOWS\crqp.exe
O4 - HKLM\..\RunOnce: [mfcyt32.exe] C:\WINDOWS\system32\mfcyt32.exe
O4 - HKLM\..\RunOnce: [msoz.exe] C:\WINDOWS\system32\msoz.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1DB3B8DD-5801-443F-B2D5-9BF8912B980E} (dmgrax2Ctrl Class) - http://www.lxsystems.com/downloads/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.bearvalley.com/cgi-bin/AxisCamControl.ocx
O21 - SSODL: systemie - {E8E660C8-8DEA-4DC5-A46D-D35F1E9FEDC5} - sysie.dll (file missing)

Comments

  • DexterDexter Vancouver, BC Canada
    edited August 2004
    You have the Home Search Assistant hijack. Please see our Home Search Assistant Removal Guide.

    Dexter...
  • GruntGrunt Livermore, Calif.
    edited August 2004
    Hi. I've followed the removal guide and am still having trouble. I found Network Security Service and disabled it. I have the folders set to show hidden files. But still couldn't find the files I wanted to rename and move to quarantine. I also have a line in the HiJackThis log that is line O21. I didn't see it referred to in the instructions. But it looked suspicious to me so I checked it for fixing. But it came back. I meant to fix O15 but overlooked it. Doesn't seem like it would re-infect me though. Am I wrong? Here's my most recent log file:

    Logfile of HijackThis v1.98.2
    Scan saved at 12:00:03 AM, on 8/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Avast\aswUpdSv.exe
    C:\Avast\ashServ.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\WINDOWS\System32\WinPlcMan.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\System32\BridgeDeCor.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\netmr.exe
    C:\Avast\ashDisp.exe
    C:\Avast\ashmaisv.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\msjr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.usatoday.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {F3512289-B634-D7C1-9C21-CEC10846BE2E} - C:\WINDOWS\system32\mfcmc32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [PLCMan] WinPlcMan.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [BridgeDeCor] BridgeDeCor.exe -r
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [netmr.exe] C:\WINDOWS\system32\netmr.exe
    O4 - HKLM\..\Run: [avast!] C:\Avast\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Avast\ashmaisv.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O15 - Trusted Zone: *.teen-me.com
    O16 - DPF: {1DB3B8DD-5801-443F-B2D5-9BF8912B980E} (dmgrax2Ctrl Class) - http://www.lxsystems.com/downloads/Install.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.bearvalley.com/cgi-bin/AxisCamControl.ocx
    O21 - SSODL: systemie - {E8E660C8-8DEA-4DC5-A46D-D35F1E9FEDC5} - sysie.dll (file missing)

    Thanks again for any assistance you can provide.

    Russ
  • vanagon40vanagon40 Indiana Member
    edited August 2004
    In response to one of your questions, YES, if you miss (fail to remove) ANY part of the hijacker, it will likely come back. These guys have fantastic survival instints (although I do not believe the two entries you referenced are HSA related).

    Here are your problem entries for HSA:

    C:\WINDOWS\system32\netmr.exe

    C:\WINDOWS\msjr.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about_:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpffl.dll/sp.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about_:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpffl.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kpffl.dll/sp.html#37049

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {F3512289-B634-D7C1-9C21-CEC10846BE2E} - C:\WINDOWS\system32\mfcmc32.dll

    O4 - HKLM\..\Run: [netmr.exe] C:\WINDOWS\system32\netmr.exe


    Also, this does not look good to me, I'd wipe it out:

    O15 - Trusted Zone: *.teen-me.com


    Finally, this is a remnant from the SISIE.A trojan (wipe it out also):

    O21 - SSODL: systemie - {E8E660C8-8DEA-4DC5-A46D-D35F1E9FEDC5} - sysie.dll (file missing)



    Try the HSA solution again, making sure you remove ALL problem entries. Let us know the results and post a new HJT log.
  • GruntGrunt Livermore, Calif.
    edited August 2004
    Thanks, Vanagon. You are awesome!! I think this did the trick. I opened the browser several times and got the proper home page each time. Hasn't done that for a long time. Here's the recent HiJackThis log. Thanks again!

    Logfile of HijackThis v1.98.2
    Scan saved at 9:28:29 PM, on 8/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Avast\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Avast\ashServ.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\WINDOWS\System32\WinPlcMan.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    C:\WINDOWS\System32\BridgeDeCor.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Avast\ashDisp.exe
    C:\Avast\ashmaisv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.usatoday.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [PLCMan] WinPlcMan.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [BridgeDeCor] BridgeDeCor.exe -r
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [avast!] C:\Avast\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Avast\ashmaisv.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {1DB3B8DD-5801-443F-B2D5-9BF8912B980E} (dmgrax2Ctrl Class) - http://www.lxsystems.com/downloads/Install.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.bearvalley.com/cgi-bin/AxisCamControl.ocx
  • DexterDexter Vancouver, BC Canada
    edited August 2004
    vanagon40 wrote:

    Also, this does not look good to me, I'd wipe it out:

    O15 - Trusted Zone: *.teen-me.com


    Vanagaon, your suspicions are correct, any trusted zone entry that user has not entered themselves for a legit site should be fixed in HJT. "teen-me.com" is just a little too "porn" sounding to be in the trusted zone list.

    Grunt, that is a good looking log now :)

    Hope you stick around the site, we have lots of knowledgable folks here, some fun threads in our Pub forum, and definitely click the links in my signature to find out about our involvement with the Folding For A Cure project.


    Dexter...
This discussion has been closed.