CWS... yuck
Can't get rid of these through spyware destroyers:
Infection Name Location Risk
CWS.Searchx HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA High
CWS.Searchx HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE High
CWS.Searchx HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW
here's my log:
Logfile of HijackThis v1.99.1
Scan saved at 11:31:10 PM, on 5/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cray32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\apixu.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\America Online 9.0\waol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\PROGRA~1\COMMON~1\AOL\110883~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110883~1\EE\AOLServiceHost.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Charles\Desktop\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {7BA9AD19-7629-4FB1-92B1-FC734EDC707B} - C:\WINDOWS\system32\d3dg32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ehjirt] C:\WINDOWS\System32\ggwtqyke.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [*tapiad] C:\WINDOWS\Web\printers\tapiad.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [apixu.exe] C:\WINDOWS\system32\apixu.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [BTCLiveUpdate] "C:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows Services] scmsg.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\RunServices: [Windows Services] scmsg.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3081ef329e9f48df0020/netzip/RdxIE601.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\cray32.exe" /s (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Any and all help is greatly appreciated.
Thanks.
chuck aka syl
Comments
Download Ad-aware SE 1.05
Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.
Make sure that you can VIEW ALL HIDDEN FILES.
Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7BA9AD19-7629-4FB1-92B1-FC734EDC707B} - C:\WINDOWS\system32\d3dg32.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll
O4 - HKLM\..\Run: [apixu.exe] C:\WINDOWS\system32\apixu.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3081ef3...ip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\cray32.exe" /s (file missing)
Reboot your computer into SAFE MODE
Now run CWShredder, making sure to click "Fix".
Then delete these files or directories (do not be concerned if they do not exist):
C:\WINDOWS\system32\cray32.exe
C:\WINDOWS\system32\apixu.exe
C:\WINDOWS\system32\d3dg32.dll
C:\WINDOWS\gpl.dll
C:\WINDOWS\kgkca.dll
Run a full scan with Adaware.
Reboot your computer to go back to normal mode.
Please run at least two of these online scans.
Make sure they are set to clean automatically:
Panda Virus Scan
Bit Defender
TrendMicro Housecall
There will be files that these scans will not remove. Please include that information in your next post.
Reboot and post a new hijackthis log and the info from your virus scans.
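A triage pass over a log in this format, added here as an example and not code from the thread or from HijackThis: it parses the R*/O* entries and flags the patterns the reply above singles out (IE search pages served from a local DLL, a missing URLSearchHook, generically named or Windows-directory BHOs, bare-filename and RunServices autoruns, the Winsock hijack, and a service with a garbled name or missing binary). The sample lines are constructed from the kinds of entries in this thread, and the `KNOWN_SYSTEM_AUTORUNS` allowlist and the heuristics themselves are my assumptions, not anything the tool or the helper defines.

```python
import re

# Constructed sample in HijackThis v1.99 log format: entries of the kinds discussed in
# the thread above, plus a few benign ones so the checks have something to leave alone.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgkca.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {7BA9AD19-7629-4FB1-92B1-FC734EDC707B} - C:\WINDOWS\system32\d3dg32.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [apixu.exe] C:\WINDOWS\system32\apixu.exe
O4 - HKCU\..\Run: [Windows Services] scmsg.exe
O4 - HKCU\..\RunServices: [Windows Services] scmsg.exe
O10 - Hijacked Internet access by New.Net
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\cray32.exe" /s (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
"""

# Directories a dropper typically writes to; vendor software normally lives under Program Files.
WINDOWS_ROOTS = ("c:\\windows\\", "c:\\windows\\system32\\")
# Assumed allowlist for this example: Windows' own autorun that legitimately lives in
# system32. A real deployment would carry a much longer, curated list.
KNOWN_SYSTEM_AUTORUNS = {"ctfmon.exe"}
GENERIC_BHO_NAMES = {"class", "(no name)", ""}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx)\b', re.IGNORECASE)


def parse_log(text):
    """Yield (section, body) for every R*/O* entry; headers and the process list are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def first_path(body):
    """First drive-letter path to an exe/dll/ocx mentioned in an entry, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def split_path(path):
    """Lower-cased (directory with trailing backslash, basename) pair."""
    d, _, b = path.lower().rpartition("\\")
    return d + "\\", b


def check_entry(section, body):
    """Return the reasons this entry deserves a second look (empty list if none)."""
    reasons = []
    path = first_path(body)
    in_windows_dir = path is not None and split_path(path)[0] in WINDOWS_ROOTS
    if section in ("R0", "R1") and re.search(r"= res://.*\.dll", body, re.IGNORECASE):
        reasons.append("IE search/start page served from a local DLL resource (CWS-style hijack)")
    elif section == "R3" and "missing" in body:
        reasons.append("default URLSearchHook has been removed")
    elif section == "O2":
        name = body.split(" - ")[0]
        name = name[len("BHO: "):] if name.startswith("BHO: ") else name
        if name.strip().lower() in GENERIC_BHO_NAMES:
            reasons.append("BHO with a generic or empty name")
        if in_windows_dir:
            reasons.append("BHO DLL dropped directly in the Windows directory")
    elif section == "O4":
        target = body.split("] ", 1)[-1]  # text after the [value name]
        if "RunServices" in body:
            reasons.append("legacy RunServices key, which XP itself does not use")
        if path is None and re.match(r'^"?[\w.-]+\.exe', target, re.IGNORECASE):
            reasons.append("bare executable name, resolved through the search path")
        elif in_windows_dir and split_path(path)[1] not in KNOWN_SYSTEM_AUTORUNS:
            reasons.append("unrecognised autorun living directly in the Windows directory")
    elif section == "O10":
        reasons.append("Winsock LSP hijack reported")
    elif section == "O23":
        svc_name = body.split(" - ")[0]
        if any(ord(c) > 126 or ord(c) < 32 for c in svc_name):
            reasons.append("service name contains garbled or non-ASCII characters")
        if "(file missing)" in body:
            reasons.append("service binary is missing on disk")
        if "Unknown owner" in body and in_windows_dir:
            reasons.append("unknown-owner service running out of the Windows directory")
    return reasons


def triage(log_text):
    """Return [(section, reasons, body)] for every entry the checks flag, in log order."""
    findings = []
    for section, body in parse_log(log_text):
        reasons = check_entry(section, body)
        if reasons:
            findings.append((section, reasons, body))
    return findings


if __name__ == "__main__":
    for section, reasons, body in triage(SAMPLE_LOG):
        print(f"{section}: {body}")
        for r in reasons:
            print(f"    - {r}")
```

Every hit is a review item rather than a verdict: the heuristics are deliberately loose, so a full log will also surface legitimate but unusual entries that a human still has to clear.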
Panda:
Incident Status Location
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\newdotnet6_38.dll
Spyware:Spyware/New.net No disinfected C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
Spyware:Spyware/New.net No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\Program Files\Common Files\Updater
Adware:Adware/PortalScan No disinfected C:\Program Files\Common Files\slmss
Adware:Adware/PowerScan No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\DOCUME~1\Charles\LOCALS~1\Temp\bs*.tmpbsx32
Adware:Adware/IPInsight No disinfected C:\DOCUME~1\Charles\LOCALS~1\Temp\conscorr.ini
Adware:Adware/Twain-Tech No disinfected C:\DOCUME~1\Charles\LOCALS~1\Temp\THI*.tmp
Adware:Adware/WildTangent No disinfected C:\Program Files\WILDTANGENT
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/404Search No disinfected C:\WINDOWS\System32\K404SearchSetup*.exe
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Charles\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Charles\Local Settings\Temp\conscorr.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Charles\Local Settings\Temp\conscorr.ini
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\newdotnet6_38.dll
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\uninstall6_38.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\apioq.exe
Virus:Bck/Haxdoor.H Disinfected C:\WINDOWS\appeg.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\appmc.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\appnh.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\atlkc.exe
Virus:Bck/Haxdoor.H Disinfected C:\WINDOWS\atlpj.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\atlsy.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\crjx.exe
Virus:Bck/Haxdoor.H Disinfected C:\WINDOWS\d3gw32.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\d3hy32.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\gmlvo.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\ipwc.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\mfcpo32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\msik.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\netft.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\nsoth.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\sdkfs.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\sdklv.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\shtrv.dll
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\sysdu32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\sysgb.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\syslx32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\system32\addzc32.exe
Virus:Bck/Haxdoor.H Disinfected C:\WINDOWS\system32\apixh32.dll
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\system32\appyk.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\ijssa.dll
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\system32\ipin.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\jcnai.dll
Adware:Adware/404Search No disinfected C:\WINDOWS\system32\k404SearchSetup_MS14.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\system32\newdevin.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\system32\ntfa32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\ntuk.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\system32\ntwc32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\system32\sdkai32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\tdquy.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\vavjb.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\system32\winvq.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\xagyb.dll
BitDefender:
C:\Documents and Settings\Charles\Local Settings\Temp\MiniBug.exe: infected with Adware.Wheaterbug.A
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll: infected with Adware.Wheaterbug.A
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt11.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt12.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt13.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt21.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt22.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt23.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt31.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt32.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt33.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt41.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt42.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt43.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt51.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt52.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt53.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt61.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt62.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox4.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>default.skn: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph4.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph5.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph6.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph7.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>main.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>preview.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>sprite1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab2.bmp: password protected
C:\Program Files\NewDotNet\newdotnet6_38.dll: infected with Application.Adware.NewDotNet.B
C:\Program Files\Norton AntiVirus\Quarantine\03725FCD=>(Quarantine-2): infected with Java.Trojan.ClassLoader.Z
C:\Program Files\Norton AntiVirus\Quarantine\037509CA=>(Quarantine-2): infected with Java.Trojan.ClassLoader.Z
C:\Program Files\Norton AntiVirus\Quarantine\046443E9=>(Quarantine-2): infected with Java.Trojan.ClassLoader.Z
C:\Program Files\Norton AntiVirus\Quarantine\047515D7=>(Quarantine-2): infected with Java.Trojan.Exploit.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\04783FD3=>(Quarantine-2): infected with Java.Trojan.OpenConnection.F
C:\Program Files\Norton AntiVirus\Quarantine\05DF4A48=>(Quarantine-2): infected with Win32.Worm.Opanki.G
C:\Program Files\Norton AntiVirus\Quarantine\06CE2FBA=>(Quarantine-2): infected with Win32.Randex.1.Gen
C:\Program Files\Norton AntiVirus\Quarantine\08CC2415=>(Quarantine-2): infected with Java.Trojan.ClassLoader.J
C:\Program Files\Norton AntiVirus\Quarantine\0A5B5148=>(Quarantine-2): infected with Trojan.Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\0F922BA3.php=>(Quarantine-2): infected with Exploit.Html.MhtRedir.Gen
C:\Program Files\Norton AntiVirus\Quarantine\13ED247C=>(Quarantine-2): infected with Java.Trojan.OpenConnection.F
C:\Program Files\Norton AntiVirus\Quarantine\1AFD37AC=>(Quarantine-2): infected with Java.Trojan.Dropper.Beyond.C
C:\Program Files\Norton AntiVirus\Quarantine\1D0459D6=>(Quarantine-2): infected with Java.Trojan.Downloader.OpenConnection.V
C:\Program Files\Norton AntiVirus\Quarantine\26D602DA=>(Quarantine-2): infected with Java.Trojan.Exploit.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\28824EDF.dat=>(Quarantine-2): infected with Win32.Kindal.A@mm
C:\Program Files\Norton AntiVirus\Quarantine\29415E5A.htm=>(Quarantine-2): suspect Exploit.Html.MhtRedir.Gen
C:\Program Files\Norton AntiVirus\Quarantine\296C002B.htm=>(Quarantine-2): suspect Exploit.Html.MhtRedir.Gen
C:\Program Files\Norton AntiVirus\Quarantine\296F2A28.htm=>(Quarantine-2): suspect Exploit.Html.MhtRedir.Gen
C:\Program Files\Norton AntiVirus\Quarantine\2E1B21AA=>(Quarantine-2): infected with Java.Trojan.Downloader.OpenConnection.V
C:\Program Files\Norton AntiVirus\Quarantine\32C6656C.htm=>(Quarantine-2): infected with Exploit.Html.MhtRedir.Gen
C:\Program Files\Norton AntiVirus\Quarantine\33DC4C60.exe=>(Quarantine-2): infected with Trojan.StartPage.FG
C:\Program Files\Norton AntiVirus\Quarantine\3BB8032F=>(Quarantine-2): infected with Java.Trojan.Exploit.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\4136724A.php=>(Quarantine-2): infected with Exploit.Html.MhtRedir.Gen
C:\Program Files\Norton AntiVirus\Quarantine\415A4023.class=>(Quarantine-2): infected with Trojan.Java.ClassLoader.C
C:\Program Files\Norton AntiVirus\Quarantine\418B35ED.class=>(Quarantine-2): infected with Trojan.Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\483F11B2=>(Quarantine-2): infected with Trojan.XEmu.A
C:\Program Files\Norton AntiVirus\Quarantine\49ED2CDD=>(Quarantine-2): infected with Java.Trojan.ClassLoader.Z
C:\Program Files\Norton AntiVirus\Quarantine\4A32281E=>(Quarantine-2): infected with Trojan.Java.ClassLoader.Dummy.A
C:\Program Files\Norton AntiVirus\Quarantine\58803DEA=>(Quarantine-2): infected with Java.Trojan.OpenConnection.F
C:\Program Files\Norton AntiVirus\Quarantine\59397649.htm=>(Quarantine-2): infected with Exploit.Html.MhtRedir.Gen
C:\Program Files\Norton AntiVirus\Quarantine\5DE44EF4.dat=>(Quarantine-2): infected with Win32.P2P.Sddrop.B@mm
C:\Program Files\Norton AntiVirus\Quarantine\5EE643D8.dat=>(Quarantine-2): infected with Win32.Worm.P2P.SdDrop.C
C:\Program Files\Norton AntiVirus\Quarantine\5F4A7638.htm=>(Quarantine-2): infected with Exploit.Html.MhtRedir.Gen
C:\Program Files\Norton AntiVirus\Quarantine\63962726=>(Quarantine-2): infected with Win32.Randex.1.Gen
C:\Program Files\Norton AntiVirus\Quarantine\63C048F7=>(Quarantine-2): infected with Win32.Randex.1.Gen
C:\Program Files\Norton AntiVirus\Quarantine\64815732=>(Quarantine-2): infected with Trojan.Java.ClassLoader.Dummy.A
C:\Program Files\Norton AntiVirus\Quarantine\66126C41.exe=>(Quarantine-2): infected with Trojan.Dropper.Small.IJ
C:\Program Files\Norton AntiVirus\Quarantine\66792688=>(Quarantine-2): infected with Trojan.Java.ClassLoader.Dummy.A
C:\Program Files\Norton AntiVirus\Quarantine\6AE85D24=>(Quarantine-2): infected with Java.Trojan.Exploit.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\6B81127C=>(Quarantine-2): infected with Java.Trojan.Exploit.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\6BF84150=>(Quarantine-2): infected with Java.Trojan.Exploit.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\73B8271C.tmp=>(Quarantine-2): infected with Dropped:BAT.AutoDelete.A
C:\Program Files\Norton AntiVirus\Quarantine\7A9C2FD0=>(Quarantine-2): infected with Win32.Randex.1.Gen
C:\Program Files\Norton AntiVirus\Quarantine\7A9F59CC=>(Quarantine-2): infected with Win32.Randex.1.Gen
C:\Program Files\Norton AntiVirus\Quarantine\7C5F51E0=>(Quarantine-2): infected with Trojan.Dropper.Keenval.A
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP493\A0133584.com: infected with Win32.Worm.Opanki.G
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP494\A0133713.exe: infected with Win32.Worm.Opanki.G
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP496\A0134007.exe: infected with Win32.Randex.1.Gen
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP496\A0134008.exe: infected with Win32.Randex.1.Gen
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP496\A0134009.exe: infected with Win32.Randex.1.Gen
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP496\A0134010.dll: infected with Trojan.Dropper.Keenval.A
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP496\A0134580.exe: infected with Win32.Randex.1.Gen
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP498\A0135217.dll: infected with Trojan.Downloader.Agent.NE
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP498\A0135368.dll: infected with Application.Adware.NewDotNet.A
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP498\A0135369.exe: infected with Application.Adware.NewDotNet.C
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP499\A0135497.exe: infected with Trojan.Downloader.Agent.BQ
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP499\A0135498.exe: infected with Trojan.Downloader.Agent.BQ
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP499\A0135499.exe: infected with Trojan.Downloader.Agent.BQ
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP499\A0135500.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP500\A0135706.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP500\A0135732.dll: infected with Trojan.Downloader.Agent.NE
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP500\A0135738.dll: infected with Trojan.Downloader.Agent.NE
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP500\A0135749.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP501\A0135757.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP501\A0135764.dll: infected with Trojan.Downloader.Agent.NE
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP501\A0135813.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP501\A0135914.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP501\A0135916.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP501\A0135918.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP502\A0135940.dll: infected with Trojan.Downloader.Agent.NE
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP502\A0135941.dll: infected with Trojan.Downloader.Agent.NE
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP502\A0135957.DLL: infected with Adware.Wheaterbug.A
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP503\A0137100.EXE: infected with Application.Adware.NewDotNet.Dropper
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139876.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139877.exe: infected with Trojan.Downloader.Agent.BQ
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139884.EXE: infected with Application.UnhidePass.A
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139936.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139938.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139940.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139942.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139943.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139944.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139945.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139946.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139947.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139948.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139950.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139951.exe: infected with Trojan.Agent.BI
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139952.exe: infected with Trojan.Agent.BI
C:\WINDOWS\appnh.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\appzn.dll: infected with Trojan.Downloader.Agent.NE
C:\WINDOWS\atlkc.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\crjx.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\gmlvo.dll: infected with Trojan.StartPage.563
C:\WINDOWS\javars32.dll: infected with Trojan.Downloader.Agent.NE
C:\WINDOWS\javars32.dll: disinfection failed
C:\WINDOWS\javaxw32.dll: infected with Trojan.Downloader.Agent.NE
C:\WINDOWS\javaxw32.dll: disinfection failed
C:\WINDOWS\mfcpo32.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\mfcpo32.exe: disinfection failed
C:\WINDOWS\nsoth.dll: infected with Trojan.StartPage.563
C:\WINDOWS\nsoth.dll: deleted
C:\WINDOWS\sdklv.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\sdklv.exe: disinfection failed
C:\WINDOWS\sysdu32.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\sysdu32.exe: disinfection failed
C:\WINDOWS\syslx32.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\syslx32.exe: disinfection failed
C:\WINDOWS\system32\appyk.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\system32\appyk.exe: disinfection failed
C:\WINDOWS\system32\ijssa.dll: infected with Trojan.StartPage.563
C:\WINDOWS\system32\ijssa.dll: deleted
C:\WINDOWS\system32\ipin.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\system32\ipin.exe: disinfection failed
C:\WINDOWS\system32\jcnai.dll: infected with Trojan.StartPage.563
C:\WINDOWS\system32\jcnai.dll: deleted
C:\WINDOWS\system32\ntuk.exe: infected with Trojan.Agent.BI
C:\WINDOWS\system32\ntuk.exe: deleted
C:\WINDOWS\system32\ntwc32.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\system32\ntwc32.exe: disinfection failed
C:\WINDOWS\system32\sysvo32.dll: infected with Trojan.Downloader.Agent.NE
C:\WINDOWS\system32\sysvo32.dll: disinfection failed
C:\WINDOWS\system32\vavjb.dll: infected with Trojan.StartPage.563
C:\WINDOWS\system32\vavjb.dll: deleted
Hijack Log:
Logfile of HijackThis v1.99.1
Scan saved at 1:30:42 PM, on 5/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\PROGRA~1\COMMON~1\AOL\110883~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110883~1\EE\AOLServiceHost.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Charles\Desktop\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlb.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ehjirt] C:\WINDOWS\System32\ggwtqyke.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [*tapiad] C:\WINDOWS\Web\printers\tapiad.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [BTCLiveUpdate] "C:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Windows Services] scmsg.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\RunServices: [Windows Services] scmsg.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks for your help,
strapping young lad
Click Start -> Control Panel -> Add/Remove Programs and uninstall this program if listed.
New.net Application
or
New.net Domains
If neither is listed, download and run this tool.
http://www.new.net/support/uninstall6_38.exe
Make sure that you can VIEW ALL HIDDEN FILES.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [ehjirt] C:\WINDOWS\System32\ggwtqyke.exe
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKCU\..\Run: [Windows Services] scmsg.exe
O4 - HKCU\..\RunServices: [Windows Services] scmsg.exe
Reboot your computer into SAFE MODE
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\System32\ggwtqyke.exe
C:\Program Files\CommonFiles\Updater
C:\Program Files\Common Files\slmss
C:\WINDOWS\System32\K404SearchSetup*.exe
C:\WINDOWS\appnh.exe
C:\WINDOWS\appzn.dll
C:\WINDOWS\atlkc.exe
C:\WINDOWS\crjx.exe
C:\WINDOWS\gmlvo.dll
C:\WINDOWS\javars32.dll
C:\WINDOWS\javaxw32.dll
C:\WINDOWS\mfcpo32.exe
C:\WINDOWS\sdklv.exe
C:\WINDOWS\sysdu32.exe
C:\WINDOWS\syslx32.exe
C:\WINDOWS\system32\appyk.exe
C:\WINDOWS\system32\ipin.exe
C:\WINDOWS\system32\ntwc32.exe
C:\WINDOWS\system32\sysvo32.dll
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\nsoth.dll
C:\WINDOWS\shtrv.dll
C:\WINDOWS\system32\ijssa.dll
C:\WINDOWS\system32\jcnai.dll
C:\WINDOWS\system32\k404SearchSetup_MS14.exe
C:\WINDOWS\system32\newdevin.exe
C:\WINDOWS\system32\ntuk.exe
C:\WINDOWS\system32\tdquy.dll
C:\WINDOWS\system32\vavjb.dll
C:\WINDOWS\system32\xagyb.dll
Reboot your computer to go back to normal mode and post a new log.
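The triage the helper did by hand above (blanked start page, Run entries that are bare file names or sit in the Win9x RunServices key, orphaned O9 buttons, the O10 New.net LSP, and a delete list built from what Panda and BitDefender reported but could not clean) can be automated against the log formats in this thread. This is an added example, not a HijackThis or forum tool; the sample lines are copied from the logs posted here, the `KNOWN_SYSTEM_STARTUPS` allowlist is a constructed stub, and `SYSTEM_DIRS` assumes the default C:\WINDOWS layout this machine has.

```python
"""Triage a HijackThis 1.99 log and merge Panda/BitDefender output into a delete list.
Added example, not a HijackThis or forum tool; the heuristics mirror the helper's reply."""
import re

# 'O4 - HKLM\..\Run: [name] command' and 'R0 - HKCU\...\Main,Start Page = url'
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^R[01] - (?P<key>.+?),(?P<value>[^=]+?) = ?(?P<data>.*)$')
# First token ending in an executable extension, so unquoted paths with spaces survive.
EXE_RE = re.compile(r'^(.*?\.(?:exe|dll|com|scr|bat|pif))(?=\s|$)', re.IGNORECASE)
# Panda ActiveScan: 'Kind:Name Status C:\path'; BitDefender: 'C:\path: status'
PANDA_RE = re.compile(r'^\w+:\S+ (?P<status>Disinfected|No disinfected) (?P<path>[A-Za-z]:\\.*)$')
BITDEF_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.*?): (?P<status>infected with .*|suspect .*|'
                       r'disinfection failed|deleted|password protected)$')
# Windows components that legitimately start from System32; constructed stub, not exhaustive.
KNOWN_SYSTEM_STARTUPS = {'ctfmon.exe'}
SYSTEM_DIRS = ('c:\\windows', 'c:\\windows\\system32')  # default layout seen in this log

def executable_from_command(cmd):
    """Program a Run value launches; for rundll32 the DLL argument is the real payload."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    if cmd.lower().startswith('rundll32') and ' ' in cmd:
        return cmd.split(None, 1)[1].split(',', 1)[0].strip()
    m = EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else '')

def triage_hijackthis(log_text):
    """Return (line, [reasons]) for every log line that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        line, reasons = line.rstrip(), []
        if m := R_RE.match(line):
            if not m.group('data').strip():
                reasons.append(m.group('value') + ' blanked: residue of a start-page hijacker')
        elif m := O4_RE.match(line):
            folder, _, name = executable_from_command(m.group('cmd')).rpartition('\\')
            if m.group('key').lower().startswith('runservices'):
                reasons.append('RunServices is a Windows 9x key that XP does not use')
            if not folder:
                reasons.append('bare file name resolved via PATH: cannot be verified from the log')
            elif folder.lower() in SYSTEM_DIRS and name.lower() not in KNOWN_SYSTEM_STARTUPS:
                reasons.append('third-party startup running straight from ' + folder)
        elif line.startswith(('O2 - ', 'O9 - ')) and line.endswith('(no file)'):
            reasons.append('orphaned entry, the file is gone')
        elif line.startswith('O10 - '):
            reasons.append('Winsock LSP entry: remove with the vendor uninstaller or LSPFix, not HijackThis')
        if reasons:
            findings.append((line, reasons))
    return findings

def manual_delete_list(panda_text, bitdefender_text):
    """Files under C:\\WINDOWS a scanner reported but did not remove. Restore points, AV quarantine
    and Program Files\\NewDotNet are left out: System Restore purge, the quarantine, and the
    vendor uninstaller handle those, as the helper's reply does."""
    left = {}
    for line in panda_text.splitlines():
        if (m := PANDA_RE.match(line)) and m.group('status') == 'No disinfected':
            left[m.group('path').lower()] = m.group('path')
    infected, removed = {}, set()
    for line in bitdefender_text.splitlines():
        if not (m := BITDEF_RE.match(line)):
            continue
        key, status = m.group('path').lower(), m.group('status')
        if status.startswith(('infected with', 'suspect')):
            infected[key] = m.group('path')
        elif status == 'deleted':
            removed.add(key)
    for key, path in infected.items():
        if key not in removed:
            left.setdefault(key, path)
    return sorted((p for k, p in left.items() if k.startswith('c:\\windows\\')), key=str.lower)

# Constructed samples, copied from the logs posted in this thread.
SAMPLE_HJT = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlb.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ehjirt] C:\WINDOWS\System32\ggwtqyke.exe
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [Windows Services] scmsg.exe
O4 - HKCU\..\RunServices: [Windows Services] scmsg.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O10 - Hijacked Internet access by New.Net
"""
SAMPLE_PANDA = r"""Adware:Adware/QuickWeb No disinfected C:\WINDOWS\appnh.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\apioq.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\newdotnet6_38.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\tdquy.dll
"""
SAMPLE_BITDEFENDER = r"""C:\WINDOWS\appnh.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\javars32.dll: infected with Trojan.Downloader.Agent.NE
C:\WINDOWS\javars32.dll: disinfection failed
C:\WINDOWS\nsoth.dll: infected with Trojan.StartPage.563
C:\WINDOWS\nsoth.dll: deleted
C:\System Volume Information\_restore{F93A4B31-2EE6-4FC3-8FF8-1C5A33D9C9AA}\RP508\A0139876.exe: infected with Trojan.Agent.BI
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow1.bmp: password protected
"""

if __name__ == '__main__':
    for line, reasons in triage_hijackthis(SAMPLE_HJT):
        print(line, '->', '; '.join(reasons))
    print(*manual_delete_list(SAMPLE_PANDA, SAMPLE_BITDEFENDER), sep='\n')
```

The RunServices and bare-file-name checks are what single out both `scmsg.exe` lines, and the delete list comes out as the union of Panda's "No disinfected" and BitDefender's undeleted hits under C:\WINDOWS.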