Home Search Assistant Problems

Unknown · August 2004

Hi!

My computer is infested with HSA, and I tried to go trough the Removal Guide to fix it. However, I didn't get past Step 8, because I can't get AboutBuster to start scanning :banghead: (It did update, though)

Am I just being absolutely useless, or have anyone else encountered this problem?

Anyway, I'll include my Hjt-log as well, and pray that sameone can give me some pointers on what to remove.

Thanks,
Chris :confused2

Logfile of HijackThis v1.98.2
Scan saved at 7:40:20 PM, on 8/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\mfcdf.exe
C:\WINDOWS\system32\d3pz.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rubso.dll/sp.html#27063
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rubso.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rubso.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rubso.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rubso.dll/sp.html#27063
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rubso.dll/sp.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rubso.dll/sp.html#27063
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {21A1C882-1AE5-671F-4915-5766CC5C773C} - C:\WINDOWS\system32\msyr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iemg.exe] C:\WINDOWS\system32\iemg.exe
O4 - HKLM\..\Run: [d3pz.exe] C:\WINDOWS\system32\d3pz.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Druid: Download All Files - D:\Program Files\XemiComputers\Download Druid\Druid.html
O8 - Extra context menu item: Druid: Download Highlighted Files - D:\Program Files\XemiComputers\Download Druid\DruidHighLighted.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Download - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - D:\Program Files\XemiComputers\Download Druid\Druid.exe
O9 - Extra 'Tools' menuitem: Druid: Download All Files - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - D:\Program Files\XemiComputers\Download Druid\Druid.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Druid Bar - {A6B25D86-CB76-44C1-8E35-328EE8F4BEF0} - D:\Program Files\XemiComputers\Download Druid\DruidBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.skandiabanken.no/CertControl/5.131.3659.0/xenrlinf.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O21 - SSODL: System - {C6287561-B095-47EE-AFF6-3FC1C488B6F4} - C:\WINDOWS\system32\system32.dll

Dexter · August 2004

Others have had that problem with About:Buster. Do you get an error message about a file: "MSCOMCTL.OCX" ? If so, there is a fix:

http://www.javacoolsoftware.net/downloads/missingfilesetup.exe

If you get a different error, then skip that step, just manually remove the R0 and R1 entries with HJT. Proceed to Step 9 to locate and quarantine the infection files.

Let us know how it turns out.

Dexter...

Chris_Nor · August 2004

Right.

I tried to delete all of the R1 and R0 entries manually, and then proceeded through the rest of the removal guide. Unfortunately I came out on the losing end after the last reboot, the pest is still there!

A few questions along the path:

Step9/10: All the problem files were still in the folders when I looked. Is this normal? I did quarantine them, of course.

Step 11: I didn't find any of the 2 keys. Are they not supposed to be there?

Also, there was an entry in the hjt-file I was a bit unsure about, is this to be removed?
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

I've made a new log as well. Here it is:

Logfile of HijackThis v1.98.2
Scan saved at 6:15:19 PM, on 8/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\mfcdf.exe
C:\WINDOWS\system32\javamq32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xnrbo.dll/sp.html#27063
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xnrbo.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xnrbo.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xnrbo.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xnrbo.dll/sp.html#27063
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xnrbo.dll/sp.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xnrbo.dll/sp.html#27063
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {21A1C882-1AE5-671F-4915-5766CC5C773C} - C:\WINDOWS\system32\msyr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iemg.exe] C:\WINDOWS\system32\iemg.exe
O4 - HKLM\..\Run: [d3pz.exe] C:\WINDOWS\system32\d3pz.exe
O4 - HKLM\..\Run: [javamq32.exe] C:\WINDOWS\system32\javamq32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Druid: Download All Files - D:\Program Files\XemiComputers\Download Druid\Druid.html
O8 - Extra context menu item: Druid: Download Highlighted Files - D:\Program Files\XemiComputers\Download Druid\DruidHighLighted.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Download - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - D:\Program Files\XemiComputers\Download Druid\Druid.exe
O9 - Extra 'Tools' menuitem: Druid: Download All Files - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - D:\Program Files\XemiComputers\Download Druid\Druid.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Druid Bar - {A6B25D86-CB76-44C1-8E35-328EE8F4BEF0} - D:\Program Files\XemiComputers\Download Druid\DruidBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.skandiabanken.no/CertControl/5.131.3659.0/xenrlinf.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O21 - SSODL: System - {C6287561-B095-47EE-AFF6-3FC1C488B6F4} - C:\WINDOWS\system32\system32.dll

Dexter · August 2004

Chris_Nor wrote:

Step9/10: All the problem files were still in the folders when I looked. Is this normal? I did quarantine them, of course.

Yes, that is normal. HJT only removes the Registry entries for the files, but does not touch the files themselves. That is why quarantining them is important, as this helps prevent them from re-running.

Chris_Nor wrote:

Step 11: I didn't find any of the 2 keys. Are they not supposed to be there?

That information was taken from some specific cases, and will not apply to all cases. You may have some different entries, and without reviewing your registry it is imposible to know what they are. Do you have anything there that appears similar?

Chris_Nor wrote:

Also, there was an entry in the hjt-file I was a bit unsure about, is this to be removed?
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

Leave that: http://www.liutilities.com/products/wintaskspro/processlibrary/ctfmon/

Ok, we need to know what service is reloading this on you. Please follow the instructions in this post to generate a list of your active services. Attach that list here, and I will look at it as soon as I can.

Dexter...

Chris_Nor · August 2004

Originally Posted by Dexter

Ok, we need to know what service is reloading this on you. Please follow the instructions in this post to generate a list of your active services. Attach that list here, and I will look at it as soon as I can.

The removal guide had been updated since I printed it out, and on running "sevices.msc", I found the Remote Procedure Call Helper

I stopped and disabled it, then proceeded through the rest of the guide. Unfortunately, still no luck in removing the HSA...

Should I still generate a list of the active services?

Originally Posted by Dexter

That information was taken from some specific cases, and will not apply to all cases. You may have some different entries, and without reviewing your registry it is imposible to know what they are. Do you have anything there that appears similar?

No, nothing that looks similar, at least not to my somewhat untrained eye...

Chris

Dexter · August 2004

Yes please, give me the active services list (in Normal mode, not safe mode.)

Dexter...

Chris_Nor · August 2004

All right, here's the Active list.

Chris

These are the Current Active Services:

Ati HotKey Poller: Ati HotKey Poller
C:\WINDOWS\System32\Ati2evxx.exe

Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

Logical Disk Manager: dmserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs

Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

Terminal Services: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs

Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

Upload Manager: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs

Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs

Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

Symantec Event Manager: ccEvtMgr
"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

Event Log: Eventlog
C:\WINDOWS\system32\services.exe

Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe

TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

Remote Registry: RemoteRegistry
C:\WINDOWS\system32\svchost.exe -k LocalService

SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

Machine Debug Manager: MDM
"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"

Norton AntiVirus Auto Protect Service: navapsvc
"D:\Program Files\Norton AntiVirus\navapsvc.exe"

Remote Procedure Call (RPC) Helper: O?’ŽrtñåÈ²$Ó
C:\WINDOWS\system32\mfcdf.exe /s

IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe

Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe

Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

Sygate Personal Firewall: SmcService
D:\Program Files\Sygate\SPF\smc.exe

Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe

Windows Image Acquisition (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc

Dexter · August 2004

Remote Procedure Call (RPC) Helper: O?’ŽrtñåÈ²$Ó
C:\WINDOWS\system32\mfcdf.exe /s

That is the service you need to stop. Repeat step 6 from the removal guide, but do it in Normal Mode. Stopand disable that service, then complete the rest of the guide in Safe Mode.

Dexter...

Chris_Nor · August 2004

SUCCESS!

Well, partially anyway. I finally got IE woking properly, and the pop-ups are all gone.
After a few attempts, I finally relized that I hadn't quarantined the .exe-file associated with the RPC Helper. With that one gone, the rest worked like a charm.

Thanks a lot for all the help so far, don't know what I'd do without it! (Except formatting my HD, maybe...)

However, I still have a concern: When running HJT now, a lot of nasty looking R1, R0 and 04-entries are still present. Shouldn't these be gone by now?

Chris

Dexter · August 2004

Great to hear

Please post a fresh HJT log and we'll helep you clean those out.

Dexter...

Chris_Nor · August 2004

Ok, here's the log:

Logfile of HijackThis v1.98.2
Scan saved at 10:51:36 PM, on 8/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C0B52B25-F1C7-7AED-5588-35199E367342} - C:\WINDOWS\addvr.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iemg.exe] C:\WINDOWS\system32\iemg.exe
O4 - HKLM\..\Run: [d3pz.exe] C:\WINDOWS\system32\d3pz.exe
O4 - HKLM\..\Run: [javamq32.exe] C:\WINDOWS\system32\javamq32.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [appcb.exe] C:\WINDOWS\appcb.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Druid: Download All Files - D:\Program Files\XemiComputers\Download Druid\Druid.html
O8 - Extra context menu item: Druid: Download Highlighted Files - D:\Program Files\XemiComputers\Download Druid\DruidHighLighted.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Download - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - D:\Program Files\XemiComputers\Download Druid\Druid.exe
O9 - Extra 'Tools' menuitem: Druid: Download All Files - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - D:\Program Files\XemiComputers\Download Druid\Druid.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Druid Bar - {A6B25D86-CB76-44C1-8E35-328EE8F4BEF0} - D:\Program Files\XemiComputers\Download Druid\DruidBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.skandiabanken.no/CertControl/5.131.3659.0/xenrlinf.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O21 - SSODL: System - {C6287561-B095-47EE-AFF6-3FC1C488B6F4} - C:\WINDOWS\system32\system32.dll

Dexter · August 2004

Hard boot to Safe Mode, run HJT and FIX:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zdarm.dll/sp.html#27063
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {C0B52B25-F1C7-7AED-5588-35199E367342} - C:\WINDOWS\addvr.dll (file missing)

O4 - HKLM\..\Run: [iemg.exe] C:\WINDOWS\system32\iemg.exe
O4 - HKLM\..\Run: [d3pz.exe] C:\WINDOWS\system32\d3pz.exe
O4 - HKLM\..\Run: [javamq32.exe] C:\WINDOWS\system32\javamq32.exe
O4 - HKLM\..\Run: [appcb.exe] C:\WINDOWS\appcb.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O21 - SSODL: System - {C6287561-B095-47EE-AFF6-3FC1C488B6F4} - C:\WINDOWS\system32\system32.dll

Locate each dll and exe file in the entries above and quarantine them. Run about:buster again to look for any stragglers.

Hard boot to normal mode, check things out, and post another log for follow up.

Dexter...

Chris_Nor · November 2004

Hi!

Finally back again! There's been a fair number of installs/uninstalls on my computer since the last time I asked for your help.
I have tried to clean out the entries as you described it in the latest reply, but I encountered a problem: zdarm.dll and addvr.dll weren't in the folders where the log said they should be! The 04 and the 021-entries were not in the log at all...
Anyway, what I did was I used HijackThis to remove the entries you suggested, and I've now made a fresh log, and posted it at the end of this reply.
Could you please help me determine if I'm clean?

Cheers,

Chris

Latest log:
Logfile of HijackThis v1.97.7
Scan saved at 6:24:30 PM, on 11/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\PROGRAM FILES\NORMAN\Nvc\BIN\NPFSVICE.EXE
D:\Program Files\Norman\Nvc\BIN\Zanda.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\nvcoas.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\nipsvc.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\NJEEVES.EXE
D:\PROGRAM FILES\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
D:\Program Files\CloneCD\CloneCDTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Logitech\SetPoint\KEM.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\cclaw.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\NYMSE.EXE
D:\PROGRAM FILES\NORMAN\Nvc\BIN\NIP.EXE
D:\PROGRAM FILES\NORMAN\Nvc\BIN\npfmsg2.exe
D:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Downloads\Cleaners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\InternetExplorer\SearchURL,(Default)=http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [tgcmdStartup] wscript "C:\Program Files\Support.com\providersprt\actions\RunAtStartup.vbs"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Norman ZANDA] D:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Druid: Download All Files - D:\Program Files\XemiComputers\Download Druid\Druid.html
O8 - Extra context menu item: Druid: Download Highlighted Files - D:\Program Files\XemiComputers\Download Druid\DruidHighLighted.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Download (HKLM)
O9 - Extra 'Tools' menuitem: Druid: Download All Files (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Druid Bar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.skandiabanken.no/CertControl/5.131.3659.0/xenrlinf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D185838-009D-47C8-824B-B65B4854430E} (Installer Class) - http://quickfix2.chello.no/Quickfix2/asp/chelloInstall.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {C58EFA10-2CC0-4C50-8C77-B326555EC1B7} (clsDefault Class) - http://quickfix2.chello.no/quickfix2/asp/LaunchApp.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

SpywareShooter · November 2004

Please upgrade to HijackThis version 1.98.2 and post a new log.

Chris_Nor · November 2004

All right :-)
Here's a log file made with version 1.98.2:

Logfile of HijackThis v1.98.2
Scan saved at 11:58:43 PM, on 11/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\PROGRAM FILES\NORMAN\Nvc\BIN\NPFSVICE.EXE
D:\Program Files\Norman\Nvc\BIN\Zanda.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\nvcoas.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\nipsvc.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\NVCSCHED.EXE
D:\PROGRAM FILES\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
D:\Program Files\CloneCD\CloneCDTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Logitech\SetPoint\KEM.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\NYMSE.EXE
D:\PROGRAM FILES\NORMAN\Nvc\BIN\NIP.EXE
D:\PROGRAM FILES\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\PROGRAM FILES\NORMAN\Nvc\BIN\npfmsg2.exe
D:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
D:\Downloads\Cleaners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [tgcmdStartup] wscript "C:\Program Files\Support.com\providersprt\actions\RunAtStartup.vbs"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Norman ZANDA] D:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Druid: Download All Files - D:\Program Files\XemiComputers\Download Druid\Druid.html
O8 - Extra context menu item: Druid: Download Highlighted Files - D:\Program Files\XemiComputers\Download Druid\DruidHighLighted.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Download - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - D:\Program Files\XemiComputers\Download Druid\Druid.exe
O9 - Extra 'Tools' menuitem: Druid: Download All Files - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - D:\Program Files\XemiComputers\Download Druid\Druid.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Druid Bar - {A6B25D86-CB76-44C1-8E35-328EE8F4BEF0} - D:\Program Files\XemiComputers\Download Druid\DruidBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.skandiabanken.no/CertControl/5.131.3659.0/xenrlinf.cab
O16 - DPF: {1D185838-009D-47C8-824B-B65B4854430E} (Installer Class) - http://quickfix2.chello.no/Quickfix2/asp/chelloInstall.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {C58EFA10-2CC0-4C50-8C77-B326555EC1B7} (clsDefault Class) - http://quickfix2.chello.no/quickfix2/asp/LaunchApp.CAB
O21 - SSODL: System - {C6287561-B095-47EE-AFF6-3FC1C488B6F4} - C:\WINDOWS\system32\system32.dll

SpywareShooter · November 2004

O21 - SSODL: System - {C6287561-B095-47EE-AFF6-3FC1C488B6F4} - C:\WINDOWS\system32\system32.dll

Fix that entry then find and delete system32.dll, reboot and post a new log.

Home Search Assistant Problems

Comments