HSA-help please
Hi all. I tried to use your HSA removal guide but it didn't work. Here's my HijackThis log file. Could use some help plz ty!
Logfile of HijackThis v1.99.1
Scan saved at 6:38:32 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\msxe.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\sdkpm32.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\kashyap\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C8B127F3-B154-FA38-4A64-BAAF01543DCD} - C:\WINDOWS\system32\sysks.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe
O4 - HKLM\..\Run: [vesrion] C:\WINDOWS\System32\Bundleware_p5.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [msxe.exe] C:\WINDOWS\msxe.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VdDVn.exe] C:\WINDOWS\system32\VdDVn.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunOnce: [sdkpm32.exe] C:\WINDOWS\sdkpm32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msccof.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: SonicWALL VPN Client.lnk.disabled
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Real-time Monitor.lnk.disabled
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\syswf.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
http://cwshredder.net/bin/CWSInstall.exe
Download Ad-aware SE 1.05 from: http://www.majorgeeks.com/download506.html
Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.
Make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C8B127F3-B154-FA38-4A64-BAAF01543DCD} - C:\WINDOWS\system32\sysks.dll
O4 - HKLM\..\Run: [VdDVn.exe] C:\WINDOWS\system32\VdDVn.exe
O4 - HKLM\..\RunOnce: [sdkpm32.exe] C:\WINDOWS\sdkpm32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\syswf.exe (file missing)
Reboot your computer into Safe Mode
Now run CWShredder, making sure to click "Fix".
Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\syswf.exe
C:\WINDOWS\sdkpm32.exe
C:\WINDOWS\xwdyz.dll
C:\WINDOWS\system32\VdDVn.exe
C:\WINDOWS\system32\sysks.dll
Run a full scan with Adaware.
Reboot your computer to go back to normal mode.
Please run at least two of these online scans.
Make sure they are set to clean automatically:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/licence.php
http://housecall.trendmicro.com/housecall/start_corp.asp
There will be files that these scans will not remove. Please include that information in your next post.
Reboot and post a new hijackthis log.
Here is my latest scan result. I don't know what I would do w/o comp. experts like u guys! ty very much
Logfile of HijackThis v1.99.1
Scan saved at 9:07:21 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\kashyap\Desktop\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe
O4 - HKLM\..\Run: [vesrion] C:\WINDOWS\System32\Bundleware_p5.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: SonicWALL VPN Client.lnk.disabled
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Real-time Monitor.lnk.disabled
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
Here is the Panda result
Incident Status Location
Virus:W32/Sndc.A.worm Disinfected Operating system
Spyware:Spyware/CommonName No disinfected C:\WINDOWS\System32\winnet.ini
Adware:Adware/eZula No disinfected Windows Registry
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall*.exe
Spyware:Spyware/ISTbar No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/WildTangent No disinfected Windows Registry
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\System32\Cards.ico
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\kashyap\Favorites\Sites about\Ab scissor.url
Adware:Adware/ESyndicate No disinfected Windows Registry
Virus:Trj/Dropper.DT Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6TYJMBY9\silent_install[1].exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3xf32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\atlpi.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\apizj.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\sysfd32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\crzg32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3sh.exe
Spyware:Spyware/CommonName No disinfected C:\WINDOWS\system32\winnet.ini
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\sysuo32.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\bmqix.dll
Adware:Adware/BrowsePal No disinfected C:\WINDOWS\system32\ctbv2.dll
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Kazaa Lite 4.0 new.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Britney Spears Sexy archive.doc.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Kazaa new.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Britney Spears porn.jpg.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Harry Potter all e.book.doc.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Britney sex xxx.jpg.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Harry Potter 1-6 book.txt.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Britney Spears blowjob.jpg.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Harry Potter e book.doc.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Britney Spears cumshot.jpg.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Harry Potter.doc.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Britney Spears ****.jpg.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Harry Potter game.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Britney Spears.jpg.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Harry Potter 5.mpg.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Britney Spears and Eminem porn.jpg.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Matrix.mpg.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Britney Spears Song text archive.doc.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Britney Spears full album.mp3.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Eminem.mp3.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Britney Spears.mp3.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Eminem Song text archive.doc.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Eminem Sexy archive.doc.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Eminem full album.mp3.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Eminem Spears porn.jpg.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Ringtones.mp3.exe
Virus:W32/Netsky.P.worm Disinfected C:\WINDOWS\system32\Macromed\Shockwave 8\Xtras\download\ElectronicInk\PrintOMaticXtra165\Eminem sex xxx.jpg.exe
Download (right-click and select Save file as or Save link as): DelDomains.inf
http://mvps.org/winhelp2002/DelDomains.inf
To use: Close all open browsers
Right-click DelDomains.inf and select: Install
This should remove those O15 entries.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe
O4 - HKLM\..\Run: [vesrion] C:\WINDOWS\System32\Bundleware_p5.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
Reboot your computer into Safe Mode
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\System32\Keyhost.exe
C:\WINDOWS\System32\Bundleware_p5.exe
C:\Program Files\Common Files\slmss
C:\PROGRA~1\AUTOUP~1
C:\WINDOWS\System32\winnet.ini
C:\WINDOWS\System32\Cards.ico
C:\WINDOWS\system32\d3xf32.exe
C:\WINDOWS\system32\atlpi.exe
C:\WINDOWS\system32\apizj.exe
C:\WINDOWS\system32\sysfd32.exe
C:\WINDOWS\system32\crzg32.exe
C:\WINDOWS\system32\d3sh.exe
C:\WINDOWS\system32\sysuo32.exe
C:\WINDOWS\system32\bmqix.dll
C:\WINDOWS\system32\ctbv2.dll
Delete temp files
Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin.
Reboot your computer to go back to normal mode.
Because Panda found Netsky, it would be a good idea to run another scan just to be sure that it's all gone.
Download and run Stinger. Let me know if it finds anything.
http://download.nai.com/products/mcafee-avert/stinger.exe
Reboot once more and post a new hijackthis log.
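Added example, not part of the original thread: a small Python script that compares a HijackThis log taken before a fix with the one posted afterwards, and reports which of the entries that were marked for fixing are still present. The function names are illustrative, and the sample logs are short excerpts of lines from the logs in this thread.

```python
import re

# An entry line is a section code (e.g. R1, O4, O15), " - ", then the body.
# Header lines and the "Running processes:" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Excerpt of the first log in the thread (not the full log).
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
O2 - BHO: (no name) - {C8B127F3-B154-FA38-4A64-BAAF01543DCD} - C:\WINDOWS\system32\sysks.dll
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe
O4 - HKLM\..\Run: [VdDVn.exe] C:\WINDOWS\system32\VdDVn.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.05p.com (HKLM)
"""

# Excerpt of the second log, posted after the first round of fixes.
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# Excerpt of the entries that were to be checked and fixed in the first round.
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xwdyz.dll/sp.html#10001
O2 - BHO: (no name) - {C8B127F3-B154-FA38-4A64-BAAF01543DCD} - C:\WINDOWS\system32\sysks.dll
O4 - HKLM\..\Run: [VdDVn.exe] C:\WINDOWS\system32\VdDVn.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.05p.com (HKLM)
"""


def parse_entries(log_text):
    """Return {normalised_key: original_line} for every entry line in a log."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, process path, or blank line
        code, body = match.groups()
        # Windows paths and registry names are case-insensitive, so compare
        # on a case-folded, whitespace-collapsed form of the body.
        key = (code, " ".join(body.split()).casefold())
        entries[key] = line
    return entries


def compare(before_text, after_text, fix_text=""):
    """Classify entries as removed, remaining, new, or marked-for-fix but still present."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    fix = parse_entries(fix_text)
    return {
        "removed": sorted(before[k] for k in before.keys() - after.keys()),
        "remaining": sorted(before[k] for k in before.keys() & after.keys()),
        "new": sorted(after[k] for k in after.keys() - before.keys()),
        "fix_failed": sorted(fix[k] for k in fix.keys() & after.keys()),
    }


if __name__ == "__main__":
    result = compare(BEFORE, AFTER, FIX_LIST)
    for label in ("removed", "remaining", "new", "fix_failed"):
        print(f"{label} ({len(result[label])}):")
        for line in result[label]:
            print("   ", line)
```

On these excerpts the only entry in `fix_failed` is the O15 Trusted Zone line for *.frame.crazywinnings.com, the entry the DelDomains.inf step is aimed at.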