conflicted with websiteviewer
Hi everyone:
My computer was affected by Websiteviewer this afternoon. It creates a folder at C:\Program Files\WebSiteViewer with some 126376.exe and 126376.dlr files inside (maybe that's its number!!)
Besides, every time I boot up, a dial program (tibs41) shows up. And it blocks my Task Manager!!
Logfile of HijackThis v1.99.1
Scan saved at 01:19:00 AM, on 2005/5/16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\ttplorer.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijeckthis\hijackthis\HijackThis.exe
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {1D97C19C-1611-423C-AABA-D4AB0B6ADDCA} - C:\WINDOWS\System32\elfl.dll (file missing)
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O3 - Toolbar: Radio(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Scvhost] C:\WINDOWS\System32\ttplorer.exe
O4 - HKLM\..\Run: [sys_Runtt1] C:\Program Files\explorer.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Download encoded content(&D.S.Lite) - D:\program\DSLite2\dl_text.html
O8 - Extra context menu item: Download encoded file content(&D.S.Lite) - D:\program\DSLite2\dl_url.html
O8 - Extra context menu item: Export to Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - D:\program\DSLite2\DSLite.exe
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - D:\program\DSLite2\DSLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - DefaultPrefix: http://powdersearch.com/gall.php?url=
O13 - WWW Prefix: http://powdersearch.com/gall.php?url=
O13 - Home Prefix: http://powdersearch.com/gall.php?url=
O13 - Mosaic Prefix: http://powdersearch.com/gall.php?url=
O16 - DPF: WebWorks Help 2.0 - file://C:\Program Files\Painter 7\Help\wwhelp2.cab
O16 - DPF: {04A802AE-A749-5D72-0068-08FA7EB7D67A} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0BCC98C6-B289-5661-900F-7D5329C3CE10} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0D7BCB93-4BE5-48A9-7318-08C94C8D158B} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0E7B49E4-1CD1-0592-D039-32E76BDB7821} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.ntsearch.com/popengine/POP.CHM::/sp.exe
O16 - DPF: {10AFE453-0B21-0328-D236-21A31380FDCD} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {1165D61D-715E-3374-5C7E-2BB52B1BA972} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {22FF6B85-FEB6-4D1B-F07E-131F7670A994} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {33B757BC-CBA2-4875-6C3C-607652DD9111} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {33C6383A-D4DB-02DA-19A0-45907AA8F60E} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {34213680-ACBC-7A91-153E-5273191760AE} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {394A5EA8-E5A7-1AA2-D2F7-20266CE2009A} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {3C66CCBA-8777-4E95-E2F6-208C7345F570} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {400508E5-5F36-46CF-609E-67B63B99C6C2} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {4261F3F1-E8AF-23D3-4448-1E3C7B299D34} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {4456BD54-08EC-52A1-2DD0-54BC451F1074} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {508A645D-DE13-4D25-AA35-6F483FB796C7} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {595979C3-B0FB-6F9C-7B49-41145EB57318} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {5CF84680-14FE-6871-1A90-609557347B14} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {69BD77F2-3929-046E-B5B0-12886EC60AF8} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {79A29694-F967-7952-04E2-4C822C6B7C2D} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {7A22408C-D119-748D-9018-2C2C700F680E} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {7DE2FE50-FBDB-1BBF-7E95-2CC75C5C9146} - http://69.50.182.94/1/rdgTW1953.exe
O18 - Filter: text/html - {41280F63-A249-4BFE-98EA-7BD96C8E4346} - C:\WINDOWS\System32\elfl.dll
O18 - Filter: text/plain - {41280F63-A249-4BFE-98EA-7BD96C8E4346} - C:\WINDOWS\System32\elfl.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
Comments
Let's see what we can do for you.
Make sure that you can VIEW ALL HIDDEN FILES.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {1D97C19C-1611-423C-AABA-D4AB0B6ADDCA} - C:\WINDOWS\System32\elfl.dll (file missing)
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O4 - HKLM\..\Run: [Scvhost] C:\WINDOWS\System32\ttplorer.exe
O4 - HKLM\..\Run: [sys_Runtt1] C:\Program Files\explorer.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O13 - DefaultPrefix: http://powdersearch.com/gall.php?url=
O13 - WWW Prefix: http://powdersearch.com/gall.php?url=
O13 - Home Prefix: http://powdersearch.com/gall.php?url=
O13 - Mosaic Prefix: http://powdersearch.com/gall.php?url=
O16 - DPF: WebWorks Help 2.0 - file://C:\Program Files\Painter 7\Help\wwhelp2.cab
O16 - DPF: {04A802AE-A749-5D72-0068-08FA7EB7D67A} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0BCC98C6-B289-5661-900F-7D5329C3CE10} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0D7BCB93-4BE5-48A9-7318-08C94C8D158B} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {0E7B49E4-1CD1-0592-D039-32E76BDB7821} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.ntsearch.com/popengine/POP.CHM::/sp.exe
O16 - DPF: {10AFE453-0B21-0328-D236-21A31380FDCD} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {1165D61D-715E-3374-5C7E-2BB52B1BA972} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {22FF6B85-FEB6-4D1B-F07E-131F7670A994} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {33B757BC-CBA2-4875-6C3C-607652DD9111} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {33C6383A-D4DB-02DA-19A0-45907AA8F60E} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {34213680-ACBC-7A91-153E-5273191760AE} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {394A5EA8-E5A7-1AA2-D2F7-20266CE2009A} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {3C66CCBA-8777-4E95-E2F6-208C7345F570} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {400508E5-5F36-46CF-609E-67B63B99C6C2} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {4261F3F1-E8AF-23D3-4448-1E3C7B299D34} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {4456BD54-08EC-52A1-2DD0-54BC451F1074} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {508A645D-DE13-4D25-AA35-6F483FB796C7} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {595979C3-B0FB-6F9C-7B49-41145EB57318} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {5CF84680-14FE-6871-1A90-609557347B14} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {69BD77F2-3929-046E-B5B0-12886EC60AF8} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {79A29694-F967-7952-04E2-4C822C6B7C2D} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {7A22408C-D119-748D-9018-2C2C700F680E} - http://69.50.182.94/1/rdgTW1953.exe
O16 - DPF: {7DE2FE50-FBDB-1BBF-7E95-2CC75C5C9146} - http://69.50.182.94/1/rdgTW1953.exe
O18 - Filter: text/html - {41280F63-A249-4BFE-98EA-7BD96C8E4346} - C:\WINDOWS\System32\elfl.dll
O18 - Filter: text/plain - {41280F63-A249-4BFE-98EA-7BD96C8E4346} - C:\WINDOWS\System32\elfl.dll
Reboot your computer into SAFE MODE
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\drexinit.dll
C:\WINDOWS\nem220.dll
C:\WINDOWS\System32\elfl.dll
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\ttplorer.exe
C:\WINDOWS\System\svchost.exe <-- only delete the file in this location
C:\Program Files\explorer.exe <-- only delete the file in this location
C:\Program Files\Internet Optimizer
C:\Program Files\AutoUpdate
Reboot your computer to go back to normal mode.
Please download and install A-Squared. You will have to register with them in order to install the updates, but it's free. Once updated, run a full scan and remove everything that is found.
http://www.majorgeeks.com/download4281.html
Reboot and post a new HijackThis log.