Possible Virus attack (Yahoo22.exe). Please help me remove it?
Hi there,
I think I got hit by a virus that I cannot remove.
As soon as I boot up my computer, I'm hit by a slew of small error windows all stating the same error every 3-5 minutes. Either the error is Yahoo22 or a random 5 digit number. I am able to end task on these with Windows Task Manager and I've been able to delete them too, where they keep showing up in my Windows main folder, but they keep popping up. Also a small window pops up every 5 minutes or so in the background extremely fast and I only caught the title once called "Form1".
What this is doing is also throwing off the way I browse the internet or play games. It is disabling 2 of my ActiveX settings (Run ActiveX controls and plug-ins & Script ActiveX controls marked safe for scripting).
And also making it impossible for me to get:
Windows Update - Page is blank and not loading http://windowsupdate.microsoft.com/
Install Norton Antivirus - (which I went out to buy this morning) I am able to install but cannot activate.
Read any of the pages on Symantec's support pages.
Run a scan from Housecall.Antivirus.Com
I have the 6/8/05 version of SpywareShooter and most current Ad-Aware 1.06r1 & Spybot - Search & Destroy.
Also, Spybot S&D Could not clear 8 CoolwwwSearch problems, even after rebooting.
Below I'll post what logs I can.
Spybot Search & Destroy Log
Startpage-EH: Tracking cookie (Internet Explorer: Alfred) (Cookie, fixed)
Startpage-EH: Tracking cookie (Internet Explorer: Alfred) (Cookie, fixed)
Startpage-EH: Tracking cookie (Internet Explorer: Alfred) (Cookie, fixed)
CoolWWWSearch.Googlems: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com\*!=W=4
CoolWWWSearch.Googlems: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\teensguru.com\*!=W=4
CoolWWWSearch.Leftovers: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greatplugin.com\*!=W=4
CoolWWWSearch.Mupdate: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\masspass.com\*!=W=4
CoolWWWSearch.Toolband: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\isprime.com\*!=W=4
CoolWWWSearch.WinRes: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\offshoreclicks.com\*!=W=4
CoolWWWSearch.WinRes: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\i-lookup.com\*!=W=4
CoolWWWSearch: Domain settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4
MediaMotor: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com
--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-06-09 Includes\Dialer.sbi
2005-06-09 Includes\Hijackers.sbi
2005-06-09 Includes\Keyloggers.sbi
2005-06-09 Includes\Malware.sbi
2005-04-27 Includes\Revision.sbi
2005-06-09 Includes\Security.sbi
2005-06-09 Includes\Spybots.sbi
2005-06-09 Includes\Trojans.sbi
2005-02-17 Includes\Tracks.uti
2004-11-29 Includes\LSP.sbi
2005-06-09 Includes\PUPS.sbi
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 6:09:09 PM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\XPsys.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\4955.exe
C:\Program Files\Hijack Remove Programs\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mmorpg.com/index.cfm?resetbrowser=true&fp=1024,768,1417002484
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - Startup: PowerReg Scheduler V3.exe
O15 - Trusted Zone: http://www.listen.com
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/controls/launcher.ocx
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Thanks again for all your help here.
Alfred
===============
Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:
1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:
XPsys.exe*
4955.exe*
2) Then if any are found in the 'prefetch' folder, delete them.
Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.
===============
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\XPsys.exe
C:\WINDOWS\4955.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
files...
C:\WINDOWS\XPsys.exe
C:\WINDOWS\4955.exe
-
Reboot.
===============
After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.
Those two files you had me delete definitely got rid of those errors and the ActiveX problems. Spybot - Search & Destroy is still finding a bunch of CoolWWWSearch problems that it cannot remove.
Below are my new HijackThis & Spybot logs.
Logfile of HijackThis v1.99.1
Scan saved at 11:45:29 PM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack Remove Programs\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mmorpg.com/index.cfm?resetbrowser=true&fp=1024,768,1417002484
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - Startup: PowerReg Scheduler V3.exe
O15 - Trusted Zone: http://www.listen.com
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/controls/launcher.ocx
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
CoolWWWSearch.WinRes: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\offshoreclicks.com\*!=W=4
CoolWWWSearch.WinRes: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\i-lookup.com\*!=W=4
CoolWWWSearch.Googlems: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com\*!=W=4
CoolWWWSearch.Googlems: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\teensguru.com\*!=W=4
CoolWWWSearch.Leftovers: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greatplugin.com\*!=W=4
CoolWWWSearch.Mupdate: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\masspass.com\*!=W=4
CoolWWWSearch.Toolband: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\isprime.com\*!=W=4
CoolWWWSearch: Domain settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com\*!=W=4
--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-06-09 Includes\Dialer.sbi
2005-06-09 Includes\Hijackers.sbi
2005-06-09 Includes\Keyloggers.sbi
2005-06-09 Includes\Malware.sbi
2005-04-27 Includes\Revision.sbi
2005-06-09 Includes\Security.sbi
2005-06-09 Includes\Spybots.sbi
2005-06-09 Includes\Trojans.sbi
2005-02-17 Includes\Tracks.uti
2004-11-29 Includes\LSP.sbi
2005-06-09 Includes\PUPS.sbi
Thanks for helping out again!
Alfred
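Added example, not part of the original thread: a Python sketch of the check the helper did by eye, pulling the "Running processes" section out of a HijackThis log, flagging executables that run directly from the Windows root folder, and confirming against the follow-up log that they are gone. The sample logs are constructed excerpts of the two logs posted above, and the one-entry allow-list is an assumption made for this illustration, not a complete list of legitimate files.

```python
import ntpath
import re

# Lines such as "R0 - ...", "O4 - ..." or "O23 - ..." end the process list.
SECTION_ENTRY = re.compile(r"^[A-Z]\d+ - ")

# Assumption for this example: only Explorer is expected to run from C:\WINDOWS itself.
ALLOWED_IN_ROOT = {"explorer.exe"}


def running_processes(log):
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    procs, in_list = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_list = True
        elif in_list and SECTION_ENTRY.match(line):
            break
        elif in_list and line:
            procs.append(line)
    return procs


def windows_root_outliers(procs, windir=r"C:\WINDOWS"):
    """Heuristic: executables sitting directly in the Windows folder, minus the allow-list."""
    root = ntpath.normcase(windir)
    return [p for p in procs
            if ntpath.normcase(ntpath.dirname(p)) == root
            and ntpath.basename(p).lower() not in ALLOWED_IN_ROOT]


def no_longer_running(before_log, after_log):
    """Processes present in the first log and absent from the second (case-insensitive)."""
    after = {ntpath.normcase(p) for p in running_processes(after_log)}
    return [p for p in running_processes(before_log) if ntpath.normcase(p) not in after]


# Constructed excerpts of the 6:09:09 PM and 11:45:29 PM logs in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\XPsys.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\4955.exe
C:\Program Files\Hijack Remove Programs\HijackThis\HijackThis.exe
O4 - Startup: PowerReg Scheduler V3.exe
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack Remove Programs\HijackThis\HijackThis.exe
O4 - Startup: PowerReg Scheduler V3.exe
"""

if __name__ == "__main__":
    print("flagged before:", windows_root_outliers(running_processes(BEFORE)))
    print("flagged after: ", windows_root_outliers(running_processes(AFTER)))
    print("gone after fix:", no_longer_running(BEFORE, AFTER))
```

A process that merely disappears between logs (wordpad.exe here) is not a finding by itself; the root-folder check is what narrows the list to the two files named in the removal steps.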
(Please copy these instructions to NotePad for copy/paste use, since you will be off the Internet.)
____
Next, launch Notepad, and copy/paste all the blue REGEDIT below to it
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also have to re-install IE-SpyAd if installed.
Run spybot again and see if you get the same results.
I ran the fixme.reg and ran Spybot again. But I still have 4 CoolWWWSearch problems still found by Spybot S&D.
I noticed that in the reg lines I copied, the words CurrentVersion were all split, and since I am not very skilled at working with the registry files/lines I left it as is instead of connecting the words.
Here is my current Spybot S&D log:
MediaMotor: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com
CoolWWWSearch.Leftovers: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greatplugin.com\*!=W=4
CoolWWWSearch.Mupdate: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\masspass.com\*!=W=4
CoolWWWSearch.Toolband: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\isprime.com\*!=W=4
CoolWWWSearch.WinRes: Trusted Site (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\offshoreclicks.com\*!=W=4
--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-06-09 Includes\Dialer.sbi
2005-06-09 Includes\Hijackers.sbi
2005-06-09 Includes\Keyloggers.sbi
2005-06-09 Includes\Malware.sbi
2005-04-27 Includes\Revision.sbi
2005-06-09 Includes\Security.sbi
2005-06-09 Includes\Spybots.sbi
2005-06-09 Includes\Trojans.sbi
2005-02-17 Includes\Tracks.uti
2004-11-29 Includes\LSP.sbi
2005-06-09 Includes\PUPS.sbi
Thanks again Crunchie for your time and help!
Alfred
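Added example, not part of the original thread: a Python sketch that parses Spybot S&D result logs in the format posted here and compares two runs, so it is clear which ZoneMap\Domains entries a fix actually cleared and which ones are still reported as "fixing failed". The sample logs are constructed from the first and the latest Spybot logs in this thread; the helper `entry()` only rebuilds those log lines and is hypothetical.

```python
import re

# "Product: description (kind, status)", e.g.
# "CoolWWWSearch.WinRes: Trusted Site (Registry change, fixing failed)"
FINDING = re.compile(
    r"^(?P<product>[^:]+): (?P<what>.+) \((?P<kind>[^,()]+), (?P<status>[^()]+)\)$")
# Registry location line printed directly under a ZoneMap finding.
ZONEMAP = re.compile(r"^HKEY_[A-Z_]+\\.*\\ZoneMap\\Domains\\(?P<domain>[^\\]+)", re.I)


def parse_findings(log):
    """Return one dict per finding; 'domain' is set when a ZoneMap path follows it."""
    findings, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        found = FINDING.match(line)
        if found:
            current = dict(found.groupdict(), domain=None)
            findings.append(current)
            continue
        path = ZONEMAP.match(line)
        if path and current is not None:
            current["domain"] = path.group("domain").lower()
        current = None  # a path line belongs only to the finding directly above it
    return findings


def unresolved_domains(log):
    """Domains whose ZoneMap entry Spybot reported as 'fixing failed'."""
    return {f["domain"] for f in parse_findings(log)
            if f["status"] == "fixing failed" and f["domain"]}


def compare_runs(before, after):
    b, a = unresolved_domains(before), unresolved_domains(after)
    return {"cleared": sorted(b - a), "persistent": sorted(b & a), "new": sorted(a - b)}


# Constructed sample input, rebuilt from the logs posted in this thread.
PREFIX = (r"HKEY_USERS\S-1-5-21-1275210071-1580818891-1343024091-1004\Software\Microsoft"
          r"\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains")


def entry(label, domain):
    # Hypothetical helper: renders one failed finding in the log's two-line layout.
    return f"{label} (Registry change, fixing failed)\n{PREFIX}\\{domain}\\*!=W=4"


FOOTER = "--- Spybot - Search && Destroy version: 1.3 ---"
FIRST_RUN = "\n".join([
    "Startpage-EH: Tracking cookie (Internet Explorer: Alfred) (Cookie, fixed)",
    entry("CoolWWWSearch.Googlems: User settings", "xxxtoolbar.com"),
    entry("CoolWWWSearch.Googlems: User settings", "teensguru.com"),
    entry("CoolWWWSearch.Leftovers: Trusted Site", "greatplugin.com"),
    entry("CoolWWWSearch.Mupdate: Trusted Site", "masspass.com"),
    entry("CoolWWWSearch.Toolband: Trusted Site", "isprime.com"),
    entry("CoolWWWSearch.WinRes: Trusted Site", "offshoreclicks.com"),
    entry("CoolWWWSearch.WinRes: Trusted Site", "i-lookup.com"),
    entry("CoolWWWSearch: Domain settings", "coolwwwsearch.com"),
    "MediaMotor: Settings (Registry key, fixed)",
    PREFIX + r"\popuppers.com",
    FOOTER,
])
LATEST_RUN = "\n".join([
    "MediaMotor: Settings (Registry key, fixed)",
    PREFIX + r"\popuppers.com",
    entry("CoolWWWSearch.Leftovers: Trusted Site", "greatplugin.com"),
    entry("CoolWWWSearch.Mupdate: Trusted Site", "masspass.com"),
    entry("CoolWWWSearch.Toolband: Trusted Site", "isprime.com"),
    entry("CoolWWWSearch.WinRes: Trusted Site", "offshoreclicks.com"),
    FOOTER,
])

if __name__ == "__main__":
    for bucket, domains in compare_runs(FIRST_RUN, LATEST_RUN).items():
        print(f"{bucket:10s} {domains}")
```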
Right click on the fixme.reg file and open it in notepad. Remove the spaces that you noted and save the changes.
Now double click on the fixme.reg file and merge it with your registry.
That should do it
I also gave up trying to load Norton because my computer wouldn't activate the program. I loaded instead AntiVir Guard from your signature's link, and that program found all types of trojans and trackers and got rid of them, so thanks for posting that link as well!
Again, thanks for all your help!
Alfred