Options
Startpage-EH, CoolWWWSearch.Aff.Winshow, URLSearchHook.Atlpz, Need Help!
this is the same as http://www.short-media.com/forum/showthread.php?t=32222 but when i was doing the hijackthis part it was different and some werent even there.
I used Ad-Aware SE and Spybot S&D.
1. When i get on internet explorer my homepage is About:blank. I have a folder in my Favorites that is a bunch of Websites that try to sell stuff. When i do a google search it pops up with the "Search Text" inserted into the add in BOLD face.
The worse thing is that it blocked my Norton Auto-Protect and ERORED my e-mail scanning.
I also am getting:
"WINDOWS SECRUITY CENTER"< Title-- Message>WARNING: Windows Firewall detected suspiciousnetwork activity on oyur computer. Malicious software codes try to steal your privacy information, such as credit card numbers, eletronic mail accounrs, fininancial data or passwords. {enter} Do you want to learn how to portect your computer? then the Yes OR NO input boxes. Is this legit?
2. have google pop-up blocker. Linkys router firewall, Notron antivirus prof. 2004. I have: CWShredder 2.14, Spybot S&D, Norton, Spyware Doctor, Ad-Aware SE Personal, and Hijackthis 1.99.0.1.
3. Every time i run Spybot S&D the URLSearchHook.Atlpz and CoolWWWseach.AFF.Winshow come up. Also when I run Ad-Aware SE it shows CoolWebSearch rather than CoolWWWSearch.
4.
Logfile of HijackThis v1.99.1
Scan saved at 5:44:15 PM, on 5/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ipfa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\antispyware\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1FF55FF8-18EB-46CA-A1B0-6EB9E0AC0883} - C:\WINDOWS\sysxv32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C97CB847-28A7-9898-6A69-C9307ABFC8EC} - C:\WINDOWS\system32\d3wh32.dll
O2 - BHO: Class - {D517A1A1-4DA9-C69C-F756-52E2FA227C43} - C:\WINDOWS\sdkhq.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ipfa.exe] C:\WINDOWS\system32\ipfa.exe
O4 - HKLM\..\RunOnce: [ippf.exe] C:\WINDOWS\ippf.exe
O4 - HKLM\..\RunOnce: [mfcxz.exe] C:\WINDOWS\mfcxz.exe
O4 - HKLM\..\RunOnce: [iegj.exe] C:\WINDOWS\iegj.exe
O4 - HKLM\..\RunOnce: [ntmd32.exe] C:\WINDOWS\ntmd32.exe
O4 - HKLM\..\RunOnce: [appux32.exe] C:\WINDOWS\system32\appux32.exe
O4 - HKLM\..\RunOnce: [windx.exe] C:\WINDOWS\windx.exe
O4 - HKLM\..\RunOnce: [mshb32.exe] C:\WINDOWS\system32\mshb32.exe
O4 - HKLM\..\RunOnce: [ipme32.exe] C:\WINDOWS\ipme32.exe
O4 - HKLM\..\RunOnce: [appmr32.exe] C:\WINDOWS\appmr32.exe
O4 - HKLM\..\RunOnce: [d3mf32.exe] C:\WINDOWS\d3mf32.exe
O4 - HKLM\..\RunOnce: [ipkf.exe] C:\WINDOWS\ipkf.exe
O4 - HKLM\..\RunOnce: [ipyb32.exe] C:\WINDOWS\ipyb32.exe
O4 - HKLM\..\RunOnce: [appdd32.exe] C:\WINDOWS\appdd32.exe
O4 - HKLM\..\RunOnce: [winyj.exe] C:\WINDOWS\system32\winyj.exe
O4 - HKLM\..\RunOnce: [apijf32.exe] C:\WINDOWS\apijf32.exe
O4 - HKLM\..\RunOnce: [iecl32.exe] C:\WINDOWS\system32\iecl32.exe
O4 - HKLM\..\RunOnce: [iewe.exe] C:\WINDOWS\system32\iewe.exe
O4 - HKLM\..\RunOnce: [sdkby32.exe] C:\WINDOWS\system32\sdkby32.exe
O4 - HKLM\..\RunOnce: [sysqv.exe] C:\WINDOWS\system32\sysqv.exe
O4 - HKLM\..\RunOnce: [javavp32.exe] C:\WINDOWS\javavp32.exe
O4 - HKLM\..\RunOnce: [sdkkm32.exe] C:\WINDOWS\system32\sdkkm32.exe
O4 - HKLM\..\RunOnce: [mfcpg.exe] C:\WINDOWS\system32\mfcpg.exe
O4 - HKLM\..\RunOnce: [mfcoi32.exe] C:\WINDOWS\system32\mfcoi32.exe
O4 - HKLM\..\RunOnce: [ieul.exe] C:\WINDOWS\ieul.exe
O4 - HKLM\..\RunOnce: [sdkta32.exe] C:\WINDOWS\sdkta32.exe
O4 - HKLM\..\RunOnce: [mfcyv32.exe] C:\WINDOWS\mfcyv32.exe
O4 - HKLM\..\RunOnce: [winwk32.exe] C:\WINDOWS\system32\winwk32.exe
O4 - HKLM\..\RunOnce: [javabe.exe] C:\WINDOWS\system32\javabe.exe
O4 - HKLM\..\RunOnce: [netpo.exe] C:\WINDOWS\netpo.exe
O4 - HKLM\..\RunOnce: [ipzc32.exe] C:\WINDOWS\ipzc32.exe
O4 - HKLM\..\RunOnce: [cred32.exe] C:\WINDOWS\system32\cred32.exe
O4 - HKLM\..\RunOnce: [msyv32.exe] C:\WINDOWS\system32\msyv32.exe
O4 - HKLM\..\RunOnce: [ipdp.exe] C:\WINDOWS\ipdp.exe
O4 - HKLM\..\RunOnce: [d3er32.exe] C:\WINDOWS\system32\d3er32.exe
O4 - HKLM\..\RunOnce: [iemx.exe] C:\WINDOWS\iemx.exe
O4 - HKLM\..\RunOnce: [nethg32.exe] C:\WINDOWS\nethg32.exe
O4 - HKLM\..\RunOnce: [sdkmi.exe] C:\WINDOWS\system32\sdkmi.exe
O4 - HKLM\..\RunOnce: [msej.exe] C:\WINDOWS\system32\msej.exe
O4 - HKLM\..\RunOnce: [ipkm32.exe] C:\WINDOWS\system32\ipkm32.exe
O4 - HKLM\..\RunOnce: [apifp32.exe] C:\WINDOWS\apifp32.exe
O4 - HKLM\..\RunOnce: [atloq.exe] C:\WINDOWS\atloq.exe
O4 - HKLM\..\RunOnce: [mscs32.exe] C:\WINDOWS\mscs32.exe
O4 - HKLM\..\RunOnce: [atlcm32.exe] C:\WINDOWS\atlcm32.exe
O4 - HKLM\..\RunOnce: [atlij32.exe] C:\WINDOWS\system32\atlij32.exe
O4 - HKLM\..\RunOnce: [msng32.exe] C:\WINDOWS\system32\msng32.exe
O4 - HKLM\..\RunOnce: [javapi.exe] C:\WINDOWS\javapi.exe
O4 - HKLM\..\RunOnce: [crlb.exe] C:\WINDOWS\system32\crlb.exe
O4 - HKLM\..\RunOnce: [apiki32.exe] C:\WINDOWS\system32\apiki32.exe
O4 - HKLM\..\RunOnce: [d3rx.exe] C:\WINDOWS\d3rx.exe
O4 - HKLM\..\RunOnce: [ieqf32.exe] C:\WINDOWS\system32\ieqf32.exe
O4 - HKLM\..\RunOnce: [ntjy32.exe] C:\WINDOWS\ntjy32.exe
O4 - HKLM\..\RunOnce: [sdksi32.exe] C:\WINDOWS\sdksi32.exe
O4 - HKLM\..\RunOnce: [javaxg32.exe] C:\WINDOWS\javaxg32.exe
O4 - HKLM\..\RunOnce: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKLM\..\RunOnce: [sdkjo32.exe] C:\WINDOWS\sdkjo32.exe
O4 - HKLM\..\RunOnce: [iesh32.exe] C:\WINDOWS\system32\iesh32.exe
O4 - HKLM\..\RunOnce: [netsp32.exe] C:\WINDOWS\netsp32.exe
O4 - HKLM\..\RunOnce: [msva32.exe] C:\WINDOWS\system32\msva32.exe
O4 - HKLM\..\RunOnce: [winaf.exe] C:\WINDOWS\winaf.exe
O4 - HKLM\..\RunOnce: [iebf32.exe] C:\WINDOWS\system32\iebf32.exe
O4 - HKLM\..\RunOnce: [iepc.exe] C:\WINDOWS\iepc.exe
O4 - HKLM\..\RunOnce: [ievy.exe] C:\WINDOWS\system32\ievy.exe
O4 - HKLM\..\RunOnce: [ntjv.exe] C:\WINDOWS\ntjv.exe
O4 - HKLM\..\RunOnce: [d3lv.exe] C:\WINDOWS\d3lv.exe
O4 - HKLM\..\RunOnce: [sysdg.exe] C:\WINDOWS\sysdg.exe
O4 - HKLM\..\RunOnce: [ipyq32.exe] C:\WINDOWS\system32\ipyq32.exe
O4 - HKLM\..\RunOnce: [sysyy.exe] C:\WINDOWS\sysyy.exe
O4 - HKLM\..\RunOnce: [d3bk.exe] C:\WINDOWS\system32\d3bk.exe
O4 - HKLM\..\RunOnce: [apprz32.exe] C:\WINDOWS\apprz32.exe
O4 - HKLM\..\RunOnce: [apipg32.exe] C:\WINDOWS\system32\apipg32.exe
O4 - HKLM\..\RunOnce: [atlkk.exe] C:\WINDOWS\system32\atlkk.exe
O4 - HKLM\..\RunOnce: [ieja32.exe] C:\WINDOWS\system32\ieja32.exe
O4 - HKLM\..\RunOnce: [javazp32.exe] C:\WINDOWS\javazp32.exe
O4 - HKLM\..\RunOnce: [crhx.exe] C:\WINDOWS\crhx.exe
O4 - HKLM\..\RunOnce: [sdkix.exe] C:\WINDOWS\system32\sdkix.exe
O4 - HKLM\..\RunOnce: [sysxv32.exe] C:\WINDOWS\sysxv32.exe
O4 - HKLM\..\RunOnce: [appwc32.exe] C:\WINDOWS\appwc32.exe
O4 - HKLM\..\RunOnce: [winrg.exe] C:\WINDOWS\winrg.exe
O4 - HKLM\..\RunOnce: [crqv32.exe] C:\WINDOWS\crqv32.exe
O4 - HKLM\..\RunOnce: [ipol.exe] C:\WINDOWS\system32\ipol.exe
O4 - HKLM\..\RunOnce: [addnb32.exe] C:\WINDOWS\system32\addnb32.exe
O4 - HKLM\..\RunOnce: [msdq32.exe] C:\WINDOWS\msdq32.exe
O4 - HKLM\..\RunOnce: [iedy32.exe] C:\WINDOWS\iedy32.exe
O4 - HKLM\..\RunOnce: [atlnz32.exe] C:\WINDOWS\system32\atlnz32.exe
O4 - HKLM\..\RunOnce: [crvz.exe] C:\WINDOWS\system32\crvz.exe
O4 - HKLM\..\RunOnce: [ntql.exe] C:\WINDOWS\system32\ntql.exe
O4 - HKLM\..\RunOnce: [winlw.exe] C:\WINDOWS\system32\winlw.exe
O4 - HKLM\..\RunOnce: [msad.exe] C:\WINDOWS\msad.exe
O4 - HKLM\..\RunOnce: [winnf32.exe] C:\WINDOWS\system32\winnf32.exe
O4 - HKLM\..\RunOnce: [netiz32.exe] C:\WINDOWS\netiz32.exe
O4 - HKLM\..\RunOnce: [sdknv.exe] C:\WINDOWS\sdknv.exe
O4 - HKLM\..\RunOnce: [ntwe32.exe] C:\WINDOWS\ntwe32.exe
O4 - HKLM\..\RunOnce: [ipkt.exe] C:\WINDOWS\ipkt.exe
O4 - HKLM\..\RunOnce: [ntqp.exe] C:\WINDOWS\ntqp.exe
O4 - HKLM\..\RunOnce: [addwu.exe] C:\WINDOWS\system32\addwu.exe
O4 - HKLM\..\RunOnce: [sdkqf.exe] C:\WINDOWS\sdkqf.exe
O4 - HKLM\..\RunOnce: [netfm.exe] C:\WINDOWS\netfm.exe
O4 - HKLM\..\RunOnce: [addqf32.exe] C:\WINDOWS\system32\addqf32.exe
O4 - HKLM\..\RunOnce: [atljy.exe] C:\WINDOWS\system32\atljy.exe
O4 - HKLM\..\RunOnce: [ipnc.exe] C:\WINDOWS\ipnc.exe
O4 - HKLM\..\RunOnce: [cryv32.exe] C:\WINDOWS\system32\cryv32.exe
O4 - HKLM\..\RunOnce: [ieod.exe] C:\WINDOWS\system32\ieod.exe
O4 - HKLM\..\RunOnce: [appsh32.exe] C:\WINDOWS\appsh32.exe
O4 - HKLM\..\RunOnce: [winbh.exe] C:\WINDOWS\system32\winbh.exe
O4 - HKLM\..\RunOnce: [winhe32.exe] C:\WINDOWS\winhe32.exe
O4 - HKLM\..\RunOnce: [winvb32.exe] C:\WINDOWS\system32\winvb32.exe
O4 - HKLM\..\RunOnce: [javaax32.exe] C:\WINDOWS\system32\javaax32.exe
O4 - HKLM\..\RunOnce: [addvj32.exe] C:\WINDOWS\system32\addvj32.exe
O4 - HKLM\..\RunOnce: [ienp.exe] C:\WINDOWS\ienp.exe
O4 - HKLM\..\RunOnce: [mfcde32.exe] C:\WINDOWS\system32\mfcde32.exe
O4 - HKLM\..\RunOnce: [iptm.exe] C:\WINDOWS\iptm.exe
O4 - HKLM\..\RunOnce: [crxq32.exe] C:\WINDOWS\crxq32.exe
O4 - HKLM\..\RunOnce: [sdkhq.exe] C:\WINDOWS\sdkhq.exe
O4 - HKLM\..\RunOnce: [sdkmn32.exe] C:\WINDOWS\sdkmn32.exe
O4 - HKLM\..\RunOnce: [sdkbk32.exe] C:\WINDOWS\system32\sdkbk32.exe
O4 - HKLM\..\RunOnce: [atlgg32.exe] C:\WINDOWS\atlgg32.exe
O4 - HKLM\..\RunOnce: [javabs32.exe] C:\WINDOWS\system32\javabs32.exe
O4 - HKLM\..\RunOnce: [msnw.exe] C:\WINDOWS\msnw.exe
O4 - HKLM\..\RunOnce: [crow32.exe] C:\WINDOWS\system32\crow32.exe
O4 - HKLM\..\RunOnce: [crdt32.exe] C:\WINDOWS\crdt32.exe
O4 - HKLM\..\RunOnce: [apihx.exe] C:\WINDOWS\system32\apihx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs2b.instantservice.com/jars/customerxsigned41.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ippf.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
I used Ad-Aware SE and Spybot S&D.
1. When i get on internet explorer my homepage is About:blank. I have a folder in my Favorites that is a bunch of Websites that try to sell stuff. When i do a google search it pops up with the "Search Text" inserted into the add in BOLD face.
The worse thing is that it blocked my Norton Auto-Protect and ERORED my e-mail scanning.
I also am getting:
"WINDOWS SECRUITY CENTER"< Title-- Message>WARNING: Windows Firewall detected suspiciousnetwork activity on oyur computer. Malicious software codes try to steal your privacy information, such as credit card numbers, eletronic mail accounrs, fininancial data or passwords. {enter} Do you want to learn how to portect your computer? then the Yes OR NO input boxes. Is this legit?
2. have google pop-up blocker. Linkys router firewall, Notron antivirus prof. 2004. I have: CWShredder 2.14, Spybot S&D, Norton, Spyware Doctor, Ad-Aware SE Personal, and Hijackthis 1.99.0.1.
3. Every time i run Spybot S&D the URLSearchHook.Atlpz and CoolWWWseach.AFF.Winshow come up. Also when I run Ad-Aware SE it shows CoolWebSearch rather than CoolWWWSearch.
4.
Logfile of HijackThis v1.99.1
Scan saved at 5:44:15 PM, on 5/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ipfa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\antispyware\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1FF55FF8-18EB-46CA-A1B0-6EB9E0AC0883} - C:\WINDOWS\sysxv32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C97CB847-28A7-9898-6A69-C9307ABFC8EC} - C:\WINDOWS\system32\d3wh32.dll
O2 - BHO: Class - {D517A1A1-4DA9-C69C-F756-52E2FA227C43} - C:\WINDOWS\sdkhq.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ipfa.exe] C:\WINDOWS\system32\ipfa.exe
O4 - HKLM\..\RunOnce: [ippf.exe] C:\WINDOWS\ippf.exe
O4 - HKLM\..\RunOnce: [mfcxz.exe] C:\WINDOWS\mfcxz.exe
O4 - HKLM\..\RunOnce: [iegj.exe] C:\WINDOWS\iegj.exe
O4 - HKLM\..\RunOnce: [ntmd32.exe] C:\WINDOWS\ntmd32.exe
O4 - HKLM\..\RunOnce: [appux32.exe] C:\WINDOWS\system32\appux32.exe
O4 - HKLM\..\RunOnce: [windx.exe] C:\WINDOWS\windx.exe
O4 - HKLM\..\RunOnce: [mshb32.exe] C:\WINDOWS\system32\mshb32.exe
O4 - HKLM\..\RunOnce: [ipme32.exe] C:\WINDOWS\ipme32.exe
O4 - HKLM\..\RunOnce: [appmr32.exe] C:\WINDOWS\appmr32.exe
O4 - HKLM\..\RunOnce: [d3mf32.exe] C:\WINDOWS\d3mf32.exe
O4 - HKLM\..\RunOnce: [ipkf.exe] C:\WINDOWS\ipkf.exe
O4 - HKLM\..\RunOnce: [ipyb32.exe] C:\WINDOWS\ipyb32.exe
O4 - HKLM\..\RunOnce: [appdd32.exe] C:\WINDOWS\appdd32.exe
O4 - HKLM\..\RunOnce: [winyj.exe] C:\WINDOWS\system32\winyj.exe
O4 - HKLM\..\RunOnce: [apijf32.exe] C:\WINDOWS\apijf32.exe
O4 - HKLM\..\RunOnce: [iecl32.exe] C:\WINDOWS\system32\iecl32.exe
O4 - HKLM\..\RunOnce: [iewe.exe] C:\WINDOWS\system32\iewe.exe
O4 - HKLM\..\RunOnce: [sdkby32.exe] C:\WINDOWS\system32\sdkby32.exe
O4 - HKLM\..\RunOnce: [sysqv.exe] C:\WINDOWS\system32\sysqv.exe
O4 - HKLM\..\RunOnce: [javavp32.exe] C:\WINDOWS\javavp32.exe
O4 - HKLM\..\RunOnce: [sdkkm32.exe] C:\WINDOWS\system32\sdkkm32.exe
O4 - HKLM\..\RunOnce: [mfcpg.exe] C:\WINDOWS\system32\mfcpg.exe
O4 - HKLM\..\RunOnce: [mfcoi32.exe] C:\WINDOWS\system32\mfcoi32.exe
O4 - HKLM\..\RunOnce: [ieul.exe] C:\WINDOWS\ieul.exe
O4 - HKLM\..\RunOnce: [sdkta32.exe] C:\WINDOWS\sdkta32.exe
O4 - HKLM\..\RunOnce: [mfcyv32.exe] C:\WINDOWS\mfcyv32.exe
O4 - HKLM\..\RunOnce: [winwk32.exe] C:\WINDOWS\system32\winwk32.exe
O4 - HKLM\..\RunOnce: [javabe.exe] C:\WINDOWS\system32\javabe.exe
O4 - HKLM\..\RunOnce: [netpo.exe] C:\WINDOWS\netpo.exe
O4 - HKLM\..\RunOnce: [ipzc32.exe] C:\WINDOWS\ipzc32.exe
O4 - HKLM\..\RunOnce: [cred32.exe] C:\WINDOWS\system32\cred32.exe
O4 - HKLM\..\RunOnce: [msyv32.exe] C:\WINDOWS\system32\msyv32.exe
O4 - HKLM\..\RunOnce: [ipdp.exe] C:\WINDOWS\ipdp.exe
O4 - HKLM\..\RunOnce: [d3er32.exe] C:\WINDOWS\system32\d3er32.exe
O4 - HKLM\..\RunOnce: [iemx.exe] C:\WINDOWS\iemx.exe
O4 - HKLM\..\RunOnce: [nethg32.exe] C:\WINDOWS\nethg32.exe
O4 - HKLM\..\RunOnce: [sdkmi.exe] C:\WINDOWS\system32\sdkmi.exe
O4 - HKLM\..\RunOnce: [msej.exe] C:\WINDOWS\system32\msej.exe
O4 - HKLM\..\RunOnce: [ipkm32.exe] C:\WINDOWS\system32\ipkm32.exe
O4 - HKLM\..\RunOnce: [apifp32.exe] C:\WINDOWS\apifp32.exe
O4 - HKLM\..\RunOnce: [atloq.exe] C:\WINDOWS\atloq.exe
O4 - HKLM\..\RunOnce: [mscs32.exe] C:\WINDOWS\mscs32.exe
O4 - HKLM\..\RunOnce: [atlcm32.exe] C:\WINDOWS\atlcm32.exe
O4 - HKLM\..\RunOnce: [atlij32.exe] C:\WINDOWS\system32\atlij32.exe
O4 - HKLM\..\RunOnce: [msng32.exe] C:\WINDOWS\system32\msng32.exe
O4 - HKLM\..\RunOnce: [javapi.exe] C:\WINDOWS\javapi.exe
O4 - HKLM\..\RunOnce: [crlb.exe] C:\WINDOWS\system32\crlb.exe
O4 - HKLM\..\RunOnce: [apiki32.exe] C:\WINDOWS\system32\apiki32.exe
O4 - HKLM\..\RunOnce: [d3rx.exe] C:\WINDOWS\d3rx.exe
O4 - HKLM\..\RunOnce: [ieqf32.exe] C:\WINDOWS\system32\ieqf32.exe
O4 - HKLM\..\RunOnce: [ntjy32.exe] C:\WINDOWS\ntjy32.exe
O4 - HKLM\..\RunOnce: [sdksi32.exe] C:\WINDOWS\sdksi32.exe
O4 - HKLM\..\RunOnce: [javaxg32.exe] C:\WINDOWS\javaxg32.exe
O4 - HKLM\..\RunOnce: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKLM\..\RunOnce: [sdkjo32.exe] C:\WINDOWS\sdkjo32.exe
O4 - HKLM\..\RunOnce: [iesh32.exe] C:\WINDOWS\system32\iesh32.exe
O4 - HKLM\..\RunOnce: [netsp32.exe] C:\WINDOWS\netsp32.exe
O4 - HKLM\..\RunOnce: [msva32.exe] C:\WINDOWS\system32\msva32.exe
O4 - HKLM\..\RunOnce: [winaf.exe] C:\WINDOWS\winaf.exe
O4 - HKLM\..\RunOnce: [iebf32.exe] C:\WINDOWS\system32\iebf32.exe
O4 - HKLM\..\RunOnce: [iepc.exe] C:\WINDOWS\iepc.exe
O4 - HKLM\..\RunOnce: [ievy.exe] C:\WINDOWS\system32\ievy.exe
O4 - HKLM\..\RunOnce: [ntjv.exe] C:\WINDOWS\ntjv.exe
O4 - HKLM\..\RunOnce: [d3lv.exe] C:\WINDOWS\d3lv.exe
O4 - HKLM\..\RunOnce: [sysdg.exe] C:\WINDOWS\sysdg.exe
O4 - HKLM\..\RunOnce: [ipyq32.exe] C:\WINDOWS\system32\ipyq32.exe
O4 - HKLM\..\RunOnce: [sysyy.exe] C:\WINDOWS\sysyy.exe
O4 - HKLM\..\RunOnce: [d3bk.exe] C:\WINDOWS\system32\d3bk.exe
O4 - HKLM\..\RunOnce: [apprz32.exe] C:\WINDOWS\apprz32.exe
O4 - HKLM\..\RunOnce: [apipg32.exe] C:\WINDOWS\system32\apipg32.exe
O4 - HKLM\..\RunOnce: [atlkk.exe] C:\WINDOWS\system32\atlkk.exe
O4 - HKLM\..\RunOnce: [ieja32.exe] C:\WINDOWS\system32\ieja32.exe
O4 - HKLM\..\RunOnce: [javazp32.exe] C:\WINDOWS\javazp32.exe
O4 - HKLM\..\RunOnce: [crhx.exe] C:\WINDOWS\crhx.exe
O4 - HKLM\..\RunOnce: [sdkix.exe] C:\WINDOWS\system32\sdkix.exe
O4 - HKLM\..\RunOnce: [sysxv32.exe] C:\WINDOWS\sysxv32.exe
O4 - HKLM\..\RunOnce: [appwc32.exe] C:\WINDOWS\appwc32.exe
O4 - HKLM\..\RunOnce: [winrg.exe] C:\WINDOWS\winrg.exe
O4 - HKLM\..\RunOnce: [crqv32.exe] C:\WINDOWS\crqv32.exe
O4 - HKLM\..\RunOnce: [ipol.exe] C:\WINDOWS\system32\ipol.exe
O4 - HKLM\..\RunOnce: [addnb32.exe] C:\WINDOWS\system32\addnb32.exe
O4 - HKLM\..\RunOnce: [msdq32.exe] C:\WINDOWS\msdq32.exe
O4 - HKLM\..\RunOnce: [iedy32.exe] C:\WINDOWS\iedy32.exe
O4 - HKLM\..\RunOnce: [atlnz32.exe] C:\WINDOWS\system32\atlnz32.exe
O4 - HKLM\..\RunOnce: [crvz.exe] C:\WINDOWS\system32\crvz.exe
O4 - HKLM\..\RunOnce: [ntql.exe] C:\WINDOWS\system32\ntql.exe
O4 - HKLM\..\RunOnce: [winlw.exe] C:\WINDOWS\system32\winlw.exe
O4 - HKLM\..\RunOnce: [msad.exe] C:\WINDOWS\msad.exe
O4 - HKLM\..\RunOnce: [winnf32.exe] C:\WINDOWS\system32\winnf32.exe
O4 - HKLM\..\RunOnce: [netiz32.exe] C:\WINDOWS\netiz32.exe
O4 - HKLM\..\RunOnce: [sdknv.exe] C:\WINDOWS\sdknv.exe
O4 - HKLM\..\RunOnce: [ntwe32.exe] C:\WINDOWS\ntwe32.exe
O4 - HKLM\..\RunOnce: [ipkt.exe] C:\WINDOWS\ipkt.exe
O4 - HKLM\..\RunOnce: [ntqp.exe] C:\WINDOWS\ntqp.exe
O4 - HKLM\..\RunOnce: [addwu.exe] C:\WINDOWS\system32\addwu.exe
O4 - HKLM\..\RunOnce: [sdkqf.exe] C:\WINDOWS\sdkqf.exe
O4 - HKLM\..\RunOnce: [netfm.exe] C:\WINDOWS\netfm.exe
O4 - HKLM\..\RunOnce: [addqf32.exe] C:\WINDOWS\system32\addqf32.exe
O4 - HKLM\..\RunOnce: [atljy.exe] C:\WINDOWS\system32\atljy.exe
O4 - HKLM\..\RunOnce: [ipnc.exe] C:\WINDOWS\ipnc.exe
O4 - HKLM\..\RunOnce: [cryv32.exe] C:\WINDOWS\system32\cryv32.exe
O4 - HKLM\..\RunOnce: [ieod.exe] C:\WINDOWS\system32\ieod.exe
O4 - HKLM\..\RunOnce: [appsh32.exe] C:\WINDOWS\appsh32.exe
O4 - HKLM\..\RunOnce: [winbh.exe] C:\WINDOWS\system32\winbh.exe
O4 - HKLM\..\RunOnce: [winhe32.exe] C:\WINDOWS\winhe32.exe
O4 - HKLM\..\RunOnce: [winvb32.exe] C:\WINDOWS\system32\winvb32.exe
O4 - HKLM\..\RunOnce: [javaax32.exe] C:\WINDOWS\system32\javaax32.exe
O4 - HKLM\..\RunOnce: [addvj32.exe] C:\WINDOWS\system32\addvj32.exe
O4 - HKLM\..\RunOnce: [ienp.exe] C:\WINDOWS\ienp.exe
O4 - HKLM\..\RunOnce: [mfcde32.exe] C:\WINDOWS\system32\mfcde32.exe
O4 - HKLM\..\RunOnce: [iptm.exe] C:\WINDOWS\iptm.exe
O4 - HKLM\..\RunOnce: [crxq32.exe] C:\WINDOWS\crxq32.exe
O4 - HKLM\..\RunOnce: [sdkhq.exe] C:\WINDOWS\sdkhq.exe
O4 - HKLM\..\RunOnce: [sdkmn32.exe] C:\WINDOWS\sdkmn32.exe
O4 - HKLM\..\RunOnce: [sdkbk32.exe] C:\WINDOWS\system32\sdkbk32.exe
O4 - HKLM\..\RunOnce: [atlgg32.exe] C:\WINDOWS\atlgg32.exe
O4 - HKLM\..\RunOnce: [javabs32.exe] C:\WINDOWS\system32\javabs32.exe
O4 - HKLM\..\RunOnce: [msnw.exe] C:\WINDOWS\msnw.exe
O4 - HKLM\..\RunOnce: [crow32.exe] C:\WINDOWS\system32\crow32.exe
O4 - HKLM\..\RunOnce: [crdt32.exe] C:\WINDOWS\crdt32.exe
O4 - HKLM\..\RunOnce: [apihx.exe] C:\WINDOWS\system32\apihx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs2b.instantservice.com/jars/customerxsigned41.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ippf.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
0
Comments
Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.
Please print out these instructions.
Step 1
Download CWShredder but don't run it yet.
Step 2
Download AboutBuster
Unzip it to your desktop but don't run it yet.
Step 3
Download Ad-aware SE 1.05
Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.
Step 5
Make sure that you can VIEW ALL HIDDEN FILES.
Step 6
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xedbn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1FF55FF8-18EB-46CA-A1B0-6EB9E0AC0883} - C:\WINDOWS\sysxv32.dll
O2 - BHO: Class - {C97CB847-28A7-9898-6A69-C9307ABFC8EC} - C:\WINDOWS\system32\d3wh32.dll
O2 - BHO: Class - {D517A1A1-4DA9-C69C-F756-52E2FA227C43} - C:\WINDOWS\sdkhq.dll
O4 - HKLM\..\Run: [ipfa.exe] C:\WINDOWS\system32\ipfa.exe
O4 - HKLM\..\RunOnce: [ippf.exe] C:\WINDOWS\ippf.exe
O4 - HKLM\..\RunOnce: [mfcxz.exe] C:\WINDOWS\mfcxz.exe
O4 - HKLM\..\RunOnce: [iegj.exe] C:\WINDOWS\iegj.exe
O4 - HKLM\..\RunOnce: [ntmd32.exe] C:\WINDOWS\ntmd32.exe
O4 - HKLM\..\RunOnce: [appux32.exe] C:\WINDOWS\system32\appux32.exe
O4 - HKLM\..\RunOnce: [windx.exe] C:\WINDOWS\windx.exe
O4 - HKLM\..\RunOnce: [mshb32.exe] C:\WINDOWS\system32\mshb32.exe
O4 - HKLM\..\RunOnce: [ipme32.exe] C:\WINDOWS\ipme32.exe
O4 - HKLM\..\RunOnce: [appmr32.exe] C:\WINDOWS\appmr32.exe
O4 - HKLM\..\RunOnce: [d3mf32.exe] C:\WINDOWS\d3mf32.exe
O4 - HKLM\..\RunOnce: [ipkf.exe] C:\WINDOWS\ipkf.exe
O4 - HKLM\..\RunOnce: [ipyb32.exe] C:\WINDOWS\ipyb32.exe
O4 - HKLM\..\RunOnce: [appdd32.exe] C:\WINDOWS\appdd32.exe
O4 - HKLM\..\RunOnce: [winyj.exe] C:\WINDOWS\system32\winyj.exe
O4 - HKLM\..\RunOnce: [apijf32.exe] C:\WINDOWS\apijf32.exe
O4 - HKLM\..\RunOnce: [iecl32.exe] C:\WINDOWS\system32\iecl32.exe
O4 - HKLM\..\RunOnce: [iewe.exe] C:\WINDOWS\system32\iewe.exe
O4 - HKLM\..\RunOnce: [sdkby32.exe] C:\WINDOWS\system32\sdkby32.exe
O4 - HKLM\..\RunOnce: [sysqv.exe] C:\WINDOWS\system32\sysqv.exe
O4 - HKLM\..\RunOnce: [javavp32.exe] C:\WINDOWS\javavp32.exe
O4 - HKLM\..\RunOnce: [sdkkm32.exe] C:\WINDOWS\system32\sdkkm32.exe
O4 - HKLM\..\RunOnce: [mfcpg.exe] C:\WINDOWS\system32\mfcpg.exe
O4 - HKLM\..\RunOnce: [mfcoi32.exe] C:\WINDOWS\system32\mfcoi32.exe
O4 - HKLM\..\RunOnce: [ieul.exe] C:\WINDOWS\ieul.exe
O4 - HKLM\..\RunOnce: [sdkta32.exe] C:\WINDOWS\sdkta32.exe
O4 - HKLM\..\RunOnce: [mfcyv32.exe] C:\WINDOWS\mfcyv32.exe
O4 - HKLM\..\RunOnce: [winwk32.exe] C:\WINDOWS\system32\winwk32.exe
O4 - HKLM\..\RunOnce: [javabe.exe] C:\WINDOWS\system32\javabe.exe
O4 - HKLM\..\RunOnce: [netpo.exe] C:\WINDOWS\netpo.exe
O4 - HKLM\..\RunOnce: [ipzc32.exe] C:\WINDOWS\ipzc32.exe
O4 - HKLM\..\RunOnce: [cred32.exe] C:\WINDOWS\system32\cred32.exe
O4 - HKLM\..\RunOnce: [msyv32.exe] C:\WINDOWS\system32\msyv32.exe
O4 - HKLM\..\RunOnce: [ipdp.exe] C:\WINDOWS\ipdp.exe
O4 - HKLM\..\RunOnce: [d3er32.exe] C:\WINDOWS\system32\d3er32.exe
O4 - HKLM\..\RunOnce: [iemx.exe] C:\WINDOWS\iemx.exe
O4 - HKLM\..\RunOnce: [nethg32.exe] C:\WINDOWS\nethg32.exe
O4 - HKLM\..\RunOnce: [sdkmi.exe] C:\WINDOWS\system32\sdkmi.exe
O4 - HKLM\..\RunOnce: [msej.exe] C:\WINDOWS\system32\msej.exe
O4 - HKLM\..\RunOnce: [ipkm32.exe] C:\WINDOWS\system32\ipkm32.exe
O4 - HKLM\..\RunOnce: [apifp32.exe] C:\WINDOWS\apifp32.exe
O4 - HKLM\..\RunOnce: [atloq.exe] C:\WINDOWS\atloq.exe
O4 - HKLM\..\RunOnce: [mscs32.exe] C:\WINDOWS\mscs32.exe
O4 - HKLM\..\RunOnce: [atlcm32.exe] C:\WINDOWS\atlcm32.exe
O4 - HKLM\..\RunOnce: [atlij32.exe] C:\WINDOWS\system32\atlij32.exe
O4 - HKLM\..\RunOnce: [msng32.exe] C:\WINDOWS\system32\msng32.exe
O4 - HKLM\..\RunOnce: [javapi.exe] C:\WINDOWS\javapi.exe
O4 - HKLM\..\RunOnce: [crlb.exe] C:\WINDOWS\system32\crlb.exe
O4 - HKLM\..\RunOnce: [apiki32.exe] C:\WINDOWS\system32\apiki32.exe
O4 - HKLM\..\RunOnce: [d3rx.exe] C:\WINDOWS\d3rx.exe
O4 - HKLM\..\RunOnce: [ieqf32.exe] C:\WINDOWS\system32\ieqf32.exe
O4 - HKLM\..\RunOnce: [ntjy32.exe] C:\WINDOWS\ntjy32.exe
O4 - HKLM\..\RunOnce: [sdksi32.exe] C:\WINDOWS\sdksi32.exe
O4 - HKLM\..\RunOnce: [javaxg32.exe] C:\WINDOWS\javaxg32.exe
O4 - HKLM\..\RunOnce: [apigz32.exe] C:\WINDOWS\system32\apigz32.exe
O4 - HKLM\..\RunOnce: [sdkjo32.exe] C:\WINDOWS\sdkjo32.exe
O4 - HKLM\..\RunOnce: [iesh32.exe] C:\WINDOWS\system32\iesh32.exe
O4 - HKLM\..\RunOnce: [netsp32.exe] C:\WINDOWS\netsp32.exe
O4 - HKLM\..\RunOnce: [msva32.exe] C:\WINDOWS\system32\msva32.exe
O4 - HKLM\..\RunOnce: [winaf.exe] C:\WINDOWS\winaf.exe
O4 - HKLM\..\RunOnce: [iebf32.exe] C:\WINDOWS\system32\iebf32.exe
O4 - HKLM\..\RunOnce: [iepc.exe] C:\WINDOWS\iepc.exe
O4 - HKLM\..\RunOnce: [ievy.exe] C:\WINDOWS\system32\ievy.exe
O4 - HKLM\..\RunOnce: [ntjv.exe] C:\WINDOWS\ntjv.exe
O4 - HKLM\..\RunOnce: [d3lv.exe] C:\WINDOWS\d3lv.exe
O4 - HKLM\..\RunOnce: [sysdg.exe] C:\WINDOWS\sysdg.exe
O4 - HKLM\..\RunOnce: [ipyq32.exe] C:\WINDOWS\system32\ipyq32.exe
O4 - HKLM\..\RunOnce: [sysyy.exe] C:\WINDOWS\sysyy.exe
O4 - HKLM\..\RunOnce: [d3bk.exe] C:\WINDOWS\system32\d3bk.exe
O4 - HKLM\..\RunOnce: [apprz32.exe] C:\WINDOWS\apprz32.exe
O4 - HKLM\..\RunOnce: [apipg32.exe] C:\WINDOWS\system32\apipg32.exe
O4 - HKLM\..\RunOnce: [atlkk.exe] C:\WINDOWS\system32\atlkk.exe
O4 - HKLM\..\RunOnce: [ieja32.exe] C:\WINDOWS\system32\ieja32.exe
O4 - HKLM\..\RunOnce: [javazp32.exe] C:\WINDOWS\javazp32.exe
O4 - HKLM\..\RunOnce: [crhx.exe] C:\WINDOWS\crhx.exe
O4 - HKLM\..\RunOnce: [sdkix.exe] C:\WINDOWS\system32\sdkix.exe
O4 - HKLM\..\RunOnce: [sysxv32.exe] C:\WINDOWS\sysxv32.exe
O4 - HKLM\..\RunOnce: [appwc32.exe] C:\WINDOWS\appwc32.exe
O4 - HKLM\..\RunOnce: [winrg.exe] C:\WINDOWS\winrg.exe
O4 - HKLM\..\RunOnce: [crqv32.exe] C:\WINDOWS\crqv32.exe
O4 - HKLM\..\RunOnce: [ipol.exe] C:\WINDOWS\system32\ipol.exe
O4 - HKLM\..\RunOnce: [addnb32.exe] C:\WINDOWS\system32\addnb32.exe
O4 - HKLM\..\RunOnce: [msdq32.exe] C:\WINDOWS\msdq32.exe
O4 - HKLM\..\RunOnce: [iedy32.exe] C:\WINDOWS\iedy32.exe
O4 - HKLM\..\RunOnce: [atlnz32.exe] C:\WINDOWS\system32\atlnz32.exe
O4 - HKLM\..\RunOnce: [crvz.exe] C:\WINDOWS\system32\crvz.exe
O4 - HKLM\..\RunOnce: [ntql.exe] C:\WINDOWS\system32\ntql.exe
O4 - HKLM\..\RunOnce: [winlw.exe] C:\WINDOWS\system32\winlw.exe
O4 - HKLM\..\RunOnce: [msad.exe] C:\WINDOWS\msad.exe
O4 - HKLM\..\RunOnce: [winnf32.exe] C:\WINDOWS\system32\winnf32.exe
O4 - HKLM\..\RunOnce: [netiz32.exe] C:\WINDOWS\netiz32.exe
O4 - HKLM\..\RunOnce: [sdknv.exe] C:\WINDOWS\sdknv.exe
O4 - HKLM\..\RunOnce: [ntwe32.exe] C:\WINDOWS\ntwe32.exe
O4 - HKLM\..\RunOnce: [ipkt.exe] C:\WINDOWS\ipkt.exe
O4 - HKLM\..\RunOnce: [ntqp.exe] C:\WINDOWS\ntqp.exe
O4 - HKLM\..\RunOnce: [addwu.exe] C:\WINDOWS\system32\addwu.exe
O4 - HKLM\..\RunOnce: [sdkqf.exe] C:\WINDOWS\sdkqf.exe
O4 - HKLM\..\RunOnce: [netfm.exe] C:\WINDOWS\netfm.exe
O4 - HKLM\..\RunOnce: [addqf32.exe] C:\WINDOWS\system32\addqf32.exe
O4 - HKLM\..\RunOnce: [atljy.exe] C:\WINDOWS\system32\atljy.exe
O4 - HKLM\..\RunOnce: [ipnc.exe] C:\WINDOWS\ipnc.exe
O4 - HKLM\..\RunOnce: [cryv32.exe] C:\WINDOWS\system32\cryv32.exe
O4 - HKLM\..\RunOnce: [ieod.exe] C:\WINDOWS\system32\ieod.exe
O4 - HKLM\..\RunOnce: [appsh32.exe] C:\WINDOWS\appsh32.exe
O4 - HKLM\..\RunOnce: [winbh.exe] C:\WINDOWS\system32\winbh.exe
O4 - HKLM\..\RunOnce: [winhe32.exe] C:\WINDOWS\winhe32.exe
O4 - HKLM\..\RunOnce: [winvb32.exe] C:\WINDOWS\system32\winvb32.exe
O4 - HKLM\..\RunOnce: [javaax32.exe] C:\WINDOWS\system32\javaax32.exe
O4 - HKLM\..\RunOnce: [addvj32.exe] C:\WINDOWS\system32\addvj32.exe
O4 - HKLM\..\RunOnce: [ienp.exe] C:\WINDOWS\ienp.exe
O4 - HKLM\..\RunOnce: [mfcde32.exe] C:\WINDOWS\system32\mfcde32.exe
O4 - HKLM\..\RunOnce: [iptm.exe] C:\WINDOWS\iptm.exe
O4 - HKLM\..\RunOnce: [crxq32.exe] C:\WINDOWS\crxq32.exe
O4 - HKLM\..\RunOnce: [sdkhq.exe] C:\WINDOWS\sdkhq.exe
O4 - HKLM\..\RunOnce: [sdkmn32.exe] C:\WINDOWS\sdkmn32.exe
O4 - HKLM\..\RunOnce: [sdkbk32.exe] C:\WINDOWS\system32\sdkbk32.exe
O4 - HKLM\..\RunOnce: [atlgg32.exe] C:\WINDOWS\atlgg32.exe
O4 - HKLM\..\RunOnce: [javabs32.exe] C:\WINDOWS\system32\javabs32.exe
O4 - HKLM\..\RunOnce: [msnw.exe] C:\WINDOWS\msnw.exe
O4 - HKLM\..\RunOnce: [crow32.exe] C:\WINDOWS\system32\crow32.exe
O4 - HKLM\..\RunOnce: [crdt32.exe] C:\WINDOWS\crdt32.exe
O4 - HKLM\..\RunOnce: [apihx.exe] C:\WINDOWS\system32\apihx.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ippf.exe" /s (file missing)
Step 7
Reboot your computer into SAFE MODE
Step 8
Now run CWShredder, making sure to click "Fix".
Step 9
Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\ippf.exe
C:\WINDOWS\system32\xedbn.dll
C:\WINDOWS\sysxv32.dll
C:\WINDOWS\system32\d3wh32.dll
C:\WINDOWS\sdkhq.dll
C:\WINDOWS\system32\ipfa.exe
C:\WINDOWS\ippf.exe
C:\WINDOWS\mfcxz.exe
C:\WINDOWS\iegj.exe
C:\WINDOWS\ntmd32.exe
C:\WINDOWS\system32\appux32.exe
C:\WINDOWS\windx.exe
C:\WINDOWS\system32\mshb32.exe
C:\WINDOWS\ipme32.exe
C:\WINDOWS\appmr32.exe
C:\WINDOWS\d3mf32.exe
C:\WINDOWS\ipkf.exe
C:\WINDOWS\ipyb32.exe
C:\WINDOWS\appdd32.exe
C:\WINDOWS\system32\winyj.exe
C:\WINDOWS\apijf32.exe
C:\WINDOWS\system32\iecl32.exe
C:\WINDOWS\system32\iewe.exe
C:\WINDOWS\system32\sdkby32.exe
C:\WINDOWS\system32\sysqv.exe
C:\WINDOWS\javavp32.exe
C:\WINDOWS\system32\sdkkm32.exe
C:\WINDOWS\system32\mfcpg.exe
C:\WINDOWS\system32\mfcoi32.exe
C:\WINDOWS\ieul.exe
C:\WINDOWS\sdkta32.exe
C:\WINDOWS\mfcyv32.exe
C:\WINDOWS\system32\winwk32.exe
C:\WINDOWS\system32\javabe.exe
C:\WINDOWS\netpo.exe
C:\WINDOWS\ipzc32.exe
C:\WINDOWS\system32\cred32.exe
C:\WINDOWS\system32\msyv32.exe
C:\WINDOWS\ipdp.exe
C:\WINDOWS\system32\d3er32.exe
C:\WINDOWS\iemx.exe
C:\WINDOWS\nethg32.exe
C:\WINDOWS\system32\sdkmi.exe
C:\WINDOWS\system32\msej.exe
C:\WINDOWS\system32\ipkm32.exe
C:\WINDOWS\apifp32.exe
C:\WINDOWS\atloq.exe
C:\WINDOWS\mscs32.exe
C:\WINDOWS\atlcm32.exe
C:\WINDOWS\system32\atlij32.exe
C:\WINDOWS\system32\msng32.exe
C:\WINDOWS\javapi.exe
C:\WINDOWS\system32\crlb.exe
C:\WINDOWS\system32\apiki32.exe
C:\WINDOWS\d3rx.exe
C:\WINDOWS\system32\ieqf32.exe
C:\WINDOWS\ntjy32.exe
C:\WINDOWS\sdksi32.exe
C:\WINDOWS\javaxg32.exe
C:\WINDOWS\system32\apigz32.exe
C:\WINDOWS\sdkjo32.exe
C:\WINDOWS\system32\iesh32.exe
C:\WINDOWS\netsp32.exe
C:\WINDOWS\system32\msva32.exe
C:\WINDOWS\winaf.exe
C:\WINDOWS\system32\iebf32.exe
C:\WINDOWS\iepc.exe
C:\WINDOWS\system32\ievy.exe
C:\WINDOWS\ntjv.exe
C:\WINDOWS\d3lv.exe
C:\WINDOWS\sysdg.exe
C:\WINDOWS\system32\ipyq32.exe
C:\WINDOWS\sysyy.exe
C:\WINDOWS\system32\d3bk.exe
C:\WINDOWS\apprz32.exe
C:\WINDOWS\system32\apipg32.exe
C:\WINDOWS\system32\atlkk.exe
C:\WINDOWS\system32\ieja32.exe
C:\WINDOWS\javazp32.exe
C:\WINDOWS\crhx.exe
C:\WINDOWS\system32\sdkix.exe
C:\WINDOWS\sysxv32.exe
C:\WINDOWS\appwc32.exe
C:\WINDOWS\winrg.exe
C:\WINDOWS\crqv32.exe
C:\WINDOWS\system32\ipol.exe
C:\WINDOWS\system32\addnb32.exe
C:\WINDOWS\msdq32.exe
C:\WINDOWS\iedy32.exe
C:\WINDOWS\system32\atlnz32.exe
C:\WINDOWS\system32\crvz.exe
C:\WINDOWS\system32\ntql.exe
C:\WINDOWS\system32\winlw.exe
C:\WINDOWS\msad.exe
C:\WINDOWS\system32\winnf32.exe
C:\WINDOWS\netiz32.exe
C:\WINDOWS\sdknv.exe
C:\WINDOWS\ntwe32.exe
C:\WINDOWS\ipkt.exe
C:\WINDOWS\ntqp.exe
C:\WINDOWS\system32\addwu.exe
C:\WINDOWS\sdkqf.exe
C:\WINDOWS\netfm.exe
C:\WINDOWS\system32\addqf32.exe
C:\WINDOWS\system32\atljy.exe
C:\WINDOWS\ipnc.exe
C:\WINDOWS\system32\cryv32.exe
C:\WINDOWS\system32\ieod.exe
C:\WINDOWS\appsh32.exe
C:\WINDOWS\system32\winbh.exe
C:\WINDOWS\winhe32.exe
C:\WINDOWS\system32\winvb32.exe
C:\WINDOWS\system32\javaax32.exe
C:\WINDOWS\system32\addvj32.exe
C:\WINDOWS\ienp.exe
C:\WINDOWS\system32\mfcde32.exe
C:\WINDOWS\iptm.exe
C:\WINDOWS\crxq32.exe
C:\WINDOWS\sdkhq.exe
C:\WINDOWS\sdkmn32.exe
C:\WINDOWS\system32\sdkbk32.exe
C:\WINDOWS\atlgg32.exe
C:\WINDOWS\system32\javabs32.exe
C:\WINDOWS\msnw.exe
C:\WINDOWS\system32\crow32.exe
C:\WINDOWS\crdt32.exe
C:\WINDOWS\system32\apihx.exe
Step 10
Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.
Step 11
Run a full scan with Adaware.
Reboot your computer to go back to normal mode and post a new hijackthis log and the log from About Buster.
Scan saved at 8:52:48 PM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Documents and Settings\Owner\My Documents\downloads\FAH502-Console.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Documents and Settings\Owner\My Documents\downloads\FahCore_78.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\appoo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\syszq32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\antispyware\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {EE5C5E5D-1391-F15D-C214-27CF50897C22} - C:\WINDOWS\system32\msti32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [appoo.exe] C:\WINDOWS\appoo.exe
O4 - HKLM\..\RunOnce: [sdkev.exe] C:\WINDOWS\system32\sdkev.exe
O4 - HKLM\..\RunOnce: [ntdw32.exe] C:\WINDOWS\system32\ntdw32.exe
O4 - HKLM\..\RunOnce: [mssl.exe] C:\WINDOWS\mssl.exe
O4 - HKLM\..\RunOnce: [adddl32.exe] C:\WINDOWS\adddl32.exe
O4 - HKLM\..\RunOnce: [crto32.exe] C:\WINDOWS\system32\crto32.exe
O4 - HKLM\..\RunOnce: [iphw.exe] C:\WINDOWS\system32\iphw.exe
O4 - HKLM\..\RunOnce: [mszd32.exe] C:\WINDOWS\system32\mszd32.exe
O4 - HKLM\..\RunOnce: [d3zl.exe] C:\WINDOWS\d3zl.exe
O4 - HKLM\..\RunOnce: [winev.exe] C:\WINDOWS\system32\winev.exe
O4 - HKLM\..\RunOnce: [ieqc32.exe] C:\WINDOWS\ieqc32.exe
O4 - HKLM\..\RunOnce: [syszq32.exe] C:\WINDOWS\system32\syszq32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs2b.instantservice.com/jars/customerxsigned41.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ippf.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FAH@C:+Documents and Settings+Owner+My Documents+downloads+FAH502-Console.exe - Stanford University - C:\Documents and Settings\Owner\My Documents\downloads\FAH502-Console.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Scanned at: 7:11:10 PM on: 5/16/2005
-- Scan 1
About:Buster Version 4.0
Reference List : 26
Removed Data Streams:
C:\WINDOWS\~DF1E9B.tmp:eugex
Removed 2 Random Key Entries
Removed! : C:\WINDOWS\apfoe.dat
Removed! : C:\WINDOWS\rjori.dat
Removed! : C:\WINDOWS\wavue.dat
Removed! : C:\WINDOWS\xcgaq.dat
Removed! : C:\WINDOWS\system32\curmd.dat
Removed! : C:\WINDOWS\system32\hdkua.dat
Removed! : C:\WINDOWS\system32\tuasi.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2
About:Buster Version 4.0
Reference List : 26
Removed Data Streams:
C:\WINDOWS\~DF1E9B.tmp:eugex
Attempted Clean Of Temp folder.
Pages Reset... Done!
Also i wasn't sure if it has XXXNAMEXXX.exe on the website and XXXNAMEXXX32.exe if i should still check the 32 one. i didn't just incase. Also most of those things you told me to check weren't there. And when i start the computer and computer loads my C:Mydocuments folder opens for no reason. I got a program in there but not sure what it's for it is a shortcut but it is called "Win" Speed Dialer. MY favorites still have the spam sites in it. But see if i got it.
One reason why it didn't work ,if it didn't, was because when i rebooted computer int osafe mode my keyboard runs from a USB port and is an application to use it. Would it have redone all the malware if i rebooted computer after using Hijackthis even if i didn't logon to my acount?
Scanned at: 4:39:22 PM on: 5/17/2005
-- Scan 1
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
So after the scan, i end up with 2 folders open of My Documents.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\edlkv.dll/sp.html#45074
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {EE5C5E5D-1391-F15D-C214-27CF50897C22} - C:\WINDOWS\system32\msti32.dll
O4 - HKLM\..\Run: [appoo.exe] C:\WINDOWS\appoo.exe
O4 - HKLM\..\RunOnce: [sdkev.exe] C:\WINDOWS\system32\sdkev.exe
O4 - HKLM\..\RunOnce: [ntdw32.exe] C:\WINDOWS\system32\ntdw32.exe
O4 - HKLM\..\RunOnce: [mssl.exe] C:\WINDOWS\mssl.exe
O4 - HKLM\..\RunOnce: [adddl32.exe] C:\WINDOWS\adddl32.exe
O4 - HKLM\..\RunOnce: [crto32.exe] C:\WINDOWS\system32\crto32.exe
O4 - HKLM\..\RunOnce: [iphw.exe] C:\WINDOWS\system32\iphw.exe
O4 - HKLM\..\RunOnce: [mszd32.exe] C:\WINDOWS\system32\mszd32.exe
O4 - HKLM\..\RunOnce: [d3zl.exe] C:\WINDOWS\d3zl.exe
O4 - HKLM\..\RunOnce: [winev.exe] C:\WINDOWS\system32\winev.exe
O4 - HKLM\..\RunOnce: [ieqc32.exe] C:\WINDOWS\ieqc32.exe
O4 - HKLM\..\RunOnce: [syszq32.exe] C:\WINDOWS\system32\syszq32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ippf.exe" /s (file missing)
Reboot your computer into SAFE MODE
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\ippf.exe
C:\WINDOWS\appoo.exe
C:\WINDOWS\mssl.exe
C:\WINDOWS\ieqc32.exe
C:\WINDOWS\d3zl.exe
C:\WINDOWS\adddl32.exe
C:\WINDOWS\edlkv.dll
C:\WINDOWS\system32\msti32.dll
C:\WINDOWS\system32\sdkev.exe
C:\WINDOWS\system32\ntdw32.exe
C:\WINDOWS\system32\crto32.exe
C:\WINDOWS\system32\iphw.exe
C:\WINDOWS\system32\mszd32.exe
C:\WINDOWS\system32\winev.exe
C:\WINDOWS\system32\syszq32.exe
Reboot your computer to go back to normal mode.
Please run at least two of these online scans.
Make sure they are set to clean automatically:
Panda Virus Scan
Bit Defender
TrendMicro Housecall
There will be files that these scans will not remove. Please include that information in your next post.
Reboot and post a new hijackthis log and the info from your virus scans.
Scan saved at 9:26:07 PM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ipox.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\antispyware\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qackn.dll/sp.html#45074
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qackn.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qackn.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qackn.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qackn.dll/sp.html#45074
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qackn.dll/sp.html#45074
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qackn.dll/sp.html#45074
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5BCDB351-F6CE-3209-14B3-9286BD7B588C} - C:\WINDOWS\mfcpf.dll
O2 - BHO: Class - {825929FA-938D-0933-A4AB-393513D1CAF5} - C:\WINDOWS\d3ik32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F6D7AB9F-102F-1D05-935A-3204ED81EB70} - C:\WINDOWS\system32\msjk.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [crrn.exe] C:\WINDOWS\crrn.exe
O4 - HKLM\..\Run: [ipwe32.exe] C:\WINDOWS\system32\ipwe32.exe
O4 - HKLM\..\Run: [ipox.exe] C:\WINDOWS\system32\ipox.exe
O4 - HKLM\..\RunOnce: [ntpz.exe] C:\WINDOWS\system32\ntpz.exe
O4 - HKLM\..\RunOnce: [wince32.exe] C:\WINDOWS\wince32.exe
O4 - HKLM\..\RunOnce: [sdkpx32.exe] C:\WINDOWS\system32\sdkpx32.exe
O4 - HKLM\..\RunOnce: [sysyy32.exe] C:\WINDOWS\system32\sysyy32.exe
O4 - HKLM\..\RunOnce: [sdksp.exe] C:\WINDOWS\system32\sdksp.exe
O4 - HKLM\..\RunOnce: [winnf32.exe] C:\WINDOWS\system32\winnf32.exe
O4 - HKLM\..\RunOnce: [ntgf.exe] C:\WINDOWS\ntgf.exe
O4 - HKLM\..\RunOnce: [msow32.exe] C:\WINDOWS\msow32.exe
O4 - HKLM\..\RunOnce: [mfckr.exe] C:\WINDOWS\mfckr.exe
O4 - HKLM\..\RunOnce: [ienf32.exe] C:\WINDOWS\system32\ienf32.exe
O4 - HKLM\..\RunOnce: [apipn32.exe] C:\WINDOWS\apipn32.exe
O4 - HKLM\..\RunOnce: [winvi.exe] C:\WINDOWS\system32\winvi.exe
O4 - HKLM\..\RunOnce: [sdkgv.exe] C:\WINDOWS\sdkgv.exe
O4 - HKLM\..\RunOnce: [adddw.exe] C:\WINDOWS\adddw.exe
O4 - HKLM\..\RunOnce: [atlcb32.exe] C:\WINDOWS\system32\atlcb32.exe
O4 - HKLM\..\RunOnce: [mshx32.exe] C:\WINDOWS\mshx32.exe
O4 - HKLM\..\RunOnce: [apiea32.exe] C:\WINDOWS\apiea32.exe
O4 - HKLM\..\RunOnce: [sysvi.exe] C:\WINDOWS\sysvi.exe
O4 - HKLM\..\RunOnce: [ipnk32.exe] C:\WINDOWS\ipnk32.exe
O4 - HKLM\..\RunOnce: [mfcvj32.exe] C:\WINDOWS\mfcvj32.exe
O4 - HKLM\..\RunOnce: [syssx.exe] C:\WINDOWS\system32\syssx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs2b.instantservice.com/jars/customerxsigned41.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ippf.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FAH@C:+Documents and Settings+Owner+My Documents+downloads+FAH502-Console.exe - Unknown owner - C:\Documents and Settings\Owner\My Documents\downloads\FAH502-Console.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Panda Virus Scan
Incident Status Location
Adware:Adware/SearchExe No disinfected C:\antispyware\backups\backup-20050516-174124-382.dll
Adware:Adware/SearchExe No disinfected C:\antispyware\backups\backup-20050517-170441-571.dll
Adware:Adware/SearchExe No disinfected C:\antispyware\backups\backup-20050517-170752-795.dll
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Owner\Favorites\Only sex website.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Owner\Favorites\Search the web.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\What is hydrocodone.url
C:\Documents and Settings\All Users\Application Data\Spybot - Search &
Destroy\Recovery\CoolWWWSearchAffWinshow.zip=>Search the web.url: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow1.zip=>Search the web.url: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow10.zip=>Search the web.url: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow10.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow2.zip=>Search the web.url: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow3.zip=>Search the web.url: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow3.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow4.zip=>Search the web.url: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow4.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow5.zip=>Search the web.url: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow5.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow6.zip=>Search the web.url: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow6.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow7.zip=>Search the web.url: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow7.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow8.zip=>Search the web.url: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow8.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow9.zip=>Search the web.url: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow9.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWeb.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWeb.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWeb1.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWeb1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts1.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FunWebProducts1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez1.zip=>winkx.exe: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez2.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez3.zip=>winkr.exe: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez3.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez4.zip=>winkb.exe: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez4.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MainPean.zip=>Cheats24.org csg-10104.lnk: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MainPean.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MiniBug.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MiniBug.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch1.zip=>f3initialsetup1.0.0.8-2.inf: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch2.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch3.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch3.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch4.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch4.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch5.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch5.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch6.zip=>bar/History/search: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch6.zip=>bar/Settings/settings.dat: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch6.zip=>bar/Settings/settings.htm: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch6.zip=>bar/Settings/s_pid.dat: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch6.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch7.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch7.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch8.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch8.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz1.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz10.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz10.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz11.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz11.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz12.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz12.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz13.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz13.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz14.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz14.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz15.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz15.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz16.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz16.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz17.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz17.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz2.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz3.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz3.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz4.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz4.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz5.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz5.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz6.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz6.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz7.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz7.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz8.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz8.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz9.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\URLSearchHookAtlpz9.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XtraKeysWinKeyLogger.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XtraKeysWinKeyLogger.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XtraKeysWinKeyLogger1.zip=>appxk.exe: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XtraKeysWinKeyLogger1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\BCGXG3WA\download[1].htm: infected with Exploit.Html.Codebase.Exec.Gen
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\BCGXG3WA\download[1].htm: disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\WO902VQA\download[1].htm: infected with Exploit.Html.Codebase.Exec.Gen
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\WO902VQA\download[1].htm: disinfection failed
C:\ms32.tmp: infected with Trojan.Downloader.Small.ATS
C:\ms32.tmp: disinfection failed
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt11.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt12.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt13.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt21.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt22.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt23.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt31.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt32.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt33.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt41.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt42.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt43.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt51.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt52.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt53.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt61.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt62.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox4.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>default.skn: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph4.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph5.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph6.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph7.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>main.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>preview.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>sprite1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab2.bmp: password protected
C:\Program Files\Norton AntiVirus\Quarantine\1BF474E4=>(Quarantine-2): infected with Trojan.Downloader.Dyfuca.BQ
C:\Program Files\Norton AntiVirus\Quarantine\1BF474E4=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\2B8727BA=>(Quarantine-2): infected with Trojan.PWS.Briss.A
C:\Program Files\Norton AntiVirus\Quarantine\2B8727BA=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\2B944FAC=>(Quarantine-2): infected with Trojan.Dropper.Delf.Z
C:\Program Files\Norton AntiVirus\Quarantine\2B944FAC=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\2EEF528D.class=>(Quarantine-2): infected with Java.Trojan.Exploit.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\2EEF528D.class=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\36A67C02.class=>(Quarantine-2): infected with Java.Trojan.ClassLoader.Z
C:\Program Files\Norton AntiVirus\Quarantine\36A67C02.class=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\36BD1DF1=>(Quarantine-2): infected with Trojan.Clicker.Delf.R
C:\Program Files\Norton AntiVirus\Quarantine\36BD1DF1=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\36C147EE=>(Quarantine-2): infected with Trojan.Downloader.Dyfuca.BQ
C:\Program Files\Norton AntiVirus\Quarantine\36C147EE=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\3B9344FA.class=>(Quarantine-2): infected with Java.Trojan.ClassLoader.K
C:\Program Files\Norton AntiVirus\Quarantine\3B9344FA.class=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\3D981C69.class=>(Quarantine-2): infected with Trojan.Java.ClassLoader.Dummy.A
C:\Program Files\Norton AntiVirus\Quarantine\3D981C69.class=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\411B1BAD.class=>(Quarantine-2): infected with Java.Trojan.Exploit.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\411B1BAD.class=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\45FB7264.class=>(Quarantine-2): infected with Java.Trojan.OpenConnection.F
C:\Program Files\Norton AntiVirus\Quarantine\45FB7264.class=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\468A6B2E.class=>(Quarantine-2): infected with Java.Trojan.ClassLoader.Z
C:\Program Files\Norton AntiVirus\Quarantine\468A6B2E.class=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\56773830=>(Quarantine-2): infected with Trojan.Dropper.Delf.Z
C:\Program Files\Norton AntiVirus\Quarantine\56773830=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\78D07EE0.class=>(Quarantine-2): infected with Java.Trojan.Exploit.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\78D07EE0.class=>(Quarantine-2): disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\78D30F1E.class=>(Quarantine-2): infected with Java.Trojan.Downloader.OpenConnection.V
C:\Program Files\Norton AntiVirus\Quarantine\78D30F1E.class=>(Quarantine-2): disinfection failed
Step 1
Download CWShredder but don't run it yet.
Step 2
Download AboutBuster
Unzip it to your desktop but don't run it yet.
Step 3
Download Ad-aware SE 1.05
Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.
Step 5
Make sure that you can VIEW ALL HIDDEN FILES.
Step 6
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qackn.dll/sp.html#45074
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qackn.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qackn.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qackn.dll/sp.html#45074
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qackn.dll/sp.html#45074
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qackn.dll/sp.html#45074
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qackn.dll/sp.html#45074
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5BCDB351-F6CE-3209-14B3-9286BD7B588C} - C:\WINDOWS\mfcpf.dll
O2 - BHO: Class - {825929FA-938D-0933-A4AB-393513D1CAF5} - C:\WINDOWS\d3ik32.dll
O4 - HKLM\..\Run: [crrn.exe] C:\WINDOWS\crrn.exe
O4 - HKLM\..\Run: [ipwe32.exe] C:\WINDOWS\system32\ipwe32.exe
O4 - HKLM\..\Run: [ipox.exe] C:\WINDOWS\system32\ipox.exe
O4 - HKLM\..\RunOnce: [ntpz.exe] C:\WINDOWS\system32\ntpz.exe
O4 - HKLM\..\RunOnce: [wince32.exe] C:\WINDOWS\wince32.exe
O4 - HKLM\..\RunOnce: [sdkpx32.exe] C:\WINDOWS\system32\sdkpx32.exe
O4 - HKLM\..\RunOnce: [sysyy32.exe] C:\WINDOWS\system32\sysyy32.exe
O4 - HKLM\..\RunOnce: [sdksp.exe] C:\WINDOWS\system32\sdksp.exe
O4 - HKLM\..\RunOnce: [winnf32.exe] C:\WINDOWS\system32\winnf32.exe
O4 - HKLM\..\RunOnce: [ntgf.exe] C:\WINDOWS\ntgf.exe
O4 - HKLM\..\RunOnce: [msow32.exe] C:\WINDOWS\msow32.exe
O4 - HKLM\..\RunOnce: [mfckr.exe] C:\WINDOWS\mfckr.exe
O4 - HKLM\..\RunOnce: [ienf32.exe] C:\WINDOWS\system32\ienf32.exe
O4 - HKLM\..\RunOnce: [apipn32.exe] C:\WINDOWS\apipn32.exe
O4 - HKLM\..\RunOnce: [winvi.exe] C:\WINDOWS\system32\winvi.exe
O4 - HKLM\..\RunOnce: [sdkgv.exe] C:\WINDOWS\sdkgv.exe
O4 - HKLM\..\RunOnce: [adddw.exe] C:\WINDOWS\adddw.exe
O4 - HKLM\..\RunOnce: [atlcb32.exe] C:\WINDOWS\system32\atlcb32.exe
O4 - HKLM\..\RunOnce: [mshx32.exe] C:\WINDOWS\mshx32.exe
O4 - HKLM\..\RunOnce: [apiea32.exe] C:\WINDOWS\apiea32.exe
O4 - HKLM\..\RunOnce: [sysvi.exe] C:\WINDOWS\sysvi.exe
O4 - HKLM\..\RunOnce: [ipnk32.exe] C:\WINDOWS\ipnk32.exe
O4 - HKLM\..\RunOnce: [mfcvj32.exe] C:\WINDOWS\mfcvj32.exe
O4 - HKLM\..\RunOnce: [syssx.exe] C:\WINDOWS\system32\syssx.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ippf.exe" /s (file missing)
Step 7
Reboot your computer into SAFE MODE
Step 8
Now run CWShredder, making sure to click "Fix".
Step 9
Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\ippf.exe
C:\WINDOWS\mfcpf.dll
C:\WINDOWS\d3ik32.dll
C:\WINDOWS\crrn.exe
C:\WINDOWS\system32\ipwe32.exe
C:\WINDOWS\system32\ipox.exe
C:\WINDOWS\system32\ntpz.exe
C:\WINDOWS\wince32.exe
C:\WINDOWS\system32\sdkpx32.exe
C:\WINDOWS\system32\sysyy32.exe
C:\WINDOWS\system32\sdksp.exe
C:\WINDOWS\system32\winnf32.exe
C:\WINDOWS\ntgf.exe
C:\WINDOWS\msow32.exe
C:\WINDOWS\mfckr.exe
C:\WINDOWS\system32\ienf32.exe
C:\WINDOWS\apipn32.exe
C:\WINDOWS\system32\winvi.exe
C:\WINDOWS\sdkgv.exe
C:\WINDOWS\adddw.exe
C:\WINDOWS\system32\atlcb32.exe
C:\WINDOWS\mshx32.exe
C:\WINDOWS\apiea32.exe
C:\WINDOWS\sysvi.exe
C:\WINDOWS\ipnk32.exe
C:\WINDOWS\mfcvj32.exe
C:\WINDOWS\system32\syssx.exe
Step 10
Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.
Step 11
Run a full scan with Adaware.
Reboot your computer to go back to normal mode and post a new hijackthis log and the log from About Buster.
1. When computer boots it automatically opens my documents folder.
2. Norton e-mail scanning doesnt come on on reboot and gives e-mail scanning error, ie system is broke
Logfile of HijackThis v1.99.1
Scan saved at 2:20:05 PM, on 5/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\antispyware\hijackthis.exe
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ipwe32.exe] C:\WINDOWS\system32\ipwe32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs2b.instantservice.com/jars/customerxsigned41.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FAH@C:+Documents and Settings+Owner+My Documents+downloads+FAH502-Console.exe - Unknown owner - C:\Documents and Settings\Owner\My Documents\downloads\FAH502-Console.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-- Scan 1
About:Buster Version 4.0
Reference List : 26
Removed Data Streams:
C:\WINDOWS\tmupdate.ini:texma
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2
About:Buster Version 4.0
Reference List : 26
Removed Data Streams:
C:\WINDOWS\tmupdate.ini:texma
Attempted Clean Of Temp folder.
Pages Reset... Done!
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windo ws\System32\userinit.exe,
O4 - HKLM\..\Run: [ipwe32.exe] C:\WINDOWS\system32\ipwe32.exe
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
Reboot your computer into SAFE MODE
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\SYSTEM32\Winlognotif.dll
C:\WINDOWS\system32\ipwe32.exe
Delete temp files
Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin.
Reboot and post a new hijackthis log.
thanks again
Logfile of HijackThis v1.99.1
Scan saved at 8:44:37 AM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\antispyware\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldofwarcraft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs2b.instantservice.com/jars/customerxsigned41.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{50694ACC-02FA-4CD8-A315-7F8873A81DFF}: NameServer = 68.94.156.1,151.164.30.104
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FAH@C:+Documents and Settings+Owner+My Documents+downloads+FAH502-Console.exe - Unknown owner - C:\Documents and Settings\Owner\My Documents\downloads\FAH502-Console.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Start Hijackthis and click on "Open the Misc Tools section"
Now put a checkmark next "List also minor sections(full)" and click "Generate StartupList log". Post that log here.
StartupList report, 5/26/2005, 12:22:22 PM
StartupList version: 1.52.2
Started from : C:\antispyware\hijackthis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\antispyware\hijackthis.exe
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SiSUSBRG = C:\WINDOWS\SiSUSBrg.exe
Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
POINTER = point32.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Steam =
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
Enumerating Task Scheduler jobs:
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
Enumerating Download Program Files:
[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1113954678125
[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
[FilePlanet Download Control Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FilePlanetDownloadCtrl.dll
CODEBASE = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab
[CustomerCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\customerclient.dll
CODEBASE = http://cs2b.instantservice.com/jars/customerxsigned41.cab
[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab
[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab
[SOESysInfo Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\soesysinfo.ocx
CODEBASE = http://everquest2.station.sony.com/systemscan/soesysinfo.cab
[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Enumerating Windows NT/2000/XP services
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
FAH@C:+Documents and Settings+Owner+My Documents+downloads+FAH502-Console.exe: C:\Documents and Settings\Owner\My Documents\downloads\FAH502-Console.exe -svcstart (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
Norton Unerase Protection: C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (autostart)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVScan: "C:\Program Files\Norton AntiVirus\SAVScan.exe" (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
symlcbrd: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys (autostart)
SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NTPort Library Driver: \??\C:\WINDOWS\System32\zntport.sys (autostart)
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
ZboardTray = "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
End of report, 13,646 bytes
Report generated in 0.141 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
O23 - Service: FAH@C:+Documents and Settings+Owner+My Documents+downloads+FAH502-Console.exe - Unknown owner - C:\Documents and Settings\Owner\My Documents\downloads\FAH502-Console.exe (file missing)
Reboot and let me know if you still have that problem.