Options
Can't get rid of lookfor variant
[very comp illiterate, so pls go slow; am now getting annoying alerts of attempts on IE add-ons every minute - HELP!]
Logfile of HijackThis v1.98.2
Scan saved at 4:34:49 PM, on 11/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
C:\WINDOWS\System32\qbwvks.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Adobe\Acrobat\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\WINDOWS\system32\msfj32.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\iManage\Manage32.exe
C:\WINDOWS\System32\wisptis.exe
C:\WINDOWS\apixy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\ocmsn.log:nekwp
C:\Documents and Settings\libatipt\My Documents\Downloads\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insite/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhhbm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhhbm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://insite/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WINGHAM
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program files\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {949904E4-8B9C-1AF2-B4D4-A0C153ADB130} - C:\WINDOWS\system32\javayv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [hvvtapw] C:\WINDOWS\System32\qbwvks.exe
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Check Outlook Profile.lnk = C:\WINDOWS\NEWPROF.EXE
O4 - Global Startup: Initialize iManage.lnk = C:\Program Files\iManage\iManservice.cmd
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\Plugins\npzzatif.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.bdhr1
O15 - Trusted Zone: *.bosadm1
O15 - Trusted Zone: *.boselite8
O15 - Trusted Zone: *.boshr3
O15 - Trusted Zone: *.boshr4
O15 - Trusted Zone: *.bosweb1
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.insite
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cef16c3fffc8806120/netzip/RdxIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - http://bdhr1/wfc/plugins/j2re-1_3_1_02-win.exe
O16 - DPF: {EEF29D20-9A47-4657-ADF7-283EC2504001} - http://download.bigwebportal.com/winenc32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Wingham.com
O17 - HKLM\Software\..\Telephony: DomainName = Wingham.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Wingham.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Wingham.com
Logfile of HijackThis v1.98.2
Scan saved at 4:34:49 PM, on 11/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
C:\WINDOWS\System32\qbwvks.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Adobe\Acrobat\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\WINDOWS\system32\msfj32.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\iManage\Manage32.exe
C:\WINDOWS\System32\wisptis.exe
C:\WINDOWS\apixy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\ocmsn.log:nekwp
C:\Documents and Settings\libatipt\My Documents\Downloads\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insite/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhhbm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhhbm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://insite/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WINGHAM
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program files\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {949904E4-8B9C-1AF2-B4D4-A0C153ADB130} - C:\WINDOWS\system32\javayv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [hvvtapw] C:\WINDOWS\System32\qbwvks.exe
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Check Outlook Profile.lnk = C:\WINDOWS\NEWPROF.EXE
O4 - Global Startup: Initialize iManage.lnk = C:\Program Files\iManage\iManservice.cmd
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\Plugins\npzzatif.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.bdhr1
O15 - Trusted Zone: *.bosadm1
O15 - Trusted Zone: *.boselite8
O15 - Trusted Zone: *.boshr3
O15 - Trusted Zone: *.boshr4
O15 - Trusted Zone: *.bosweb1
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.insite
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cef16c3fffc8806120/netzip/RdxIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - http://bdhr1/wfc/plugins/j2re-1_3_1_02-win.exe
O16 - DPF: {EEF29D20-9A47-4657-ADF7-283EC2504001} - http://download.bigwebportal.com/winenc32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Wingham.com
O17 - HKLM\Software\..\Telephony: DomainName = Wingham.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Wingham.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Wingham.com
0
Comments
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhhbm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhhbm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://insite/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WINGHAM
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {949904E4-8B9C-1AF2-B4D4-A0C153ADB130} - C:\WINDOWS\system32\javayv.dll
O4 - HKLM\..\Run: [hvvtapw] C:\WINDOWS\System32\qbwvks.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.bdhr1
O15 - Trusted Zone: *.bosadm1
O15 - Trusted Zone: *.boselite8
O15 - Trusted Zone: *.boshr3
O15 - Trusted Zone: *.boshr4
O15 - Trusted Zone: *.bosweb1
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.insite
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17cef16...ip/RdxIE601.cab
Fix those entries then find and delete the following files:
C:\WINDOWS\jhhbm.dll
C:\WINDOWS\system32\javayv.dll
C:\WINDOWS\System32\qbwvks.exe
C:\WINDOWS\ocmsn.log:nekwp
C:\WINDOWS\apixy.exe
C:\WINDOWS\system32\msfj32.exe
Then pull the plug on your computer and post a new log.
Also, do not reboot normally or use Internet Explorer (use Mozilla or Firefox instead) until I say your log is ok.