HELP! Search Extender is killing me!!
I've run my updated Spybot and Ad-Aware SE and fixed what it could.
I tried the step-by-step removal that is posted on this site for Search Extender. Thought I had it last night, but I fired it up today and there it was: about:blank and a ton of pop-ups!!!
Here is my most recent HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:01:57 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\ipue.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B84D9A9B-5648-3F51-42B4-69DAC956800A} - C:\WINDOWS\crkq32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Q5D8DCs5] C:\documents and settings\owner\local settings\temp\Q5D8DCs5.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [ipue.exe] C:\WINDOWS\system32\ipue.exe
O4 - HKLM\..\RunOnce: [netrx32.exe] C:\WINDOWS\system32\netrx32.exe
O4 - HKLM\..\RunOnce: [apidp.exe] C:\WINDOWS\apidp.exe
O4 - HKLM\..\RunOnce: [addwf32.exe] C:\WINDOWS\system32\addwf32.exe
O4 - HKLM\..\RunOnce: [winzx.exe] C:\WINDOWS\system32\winzx.exe
O4 - HKLM\..\RunOnce: [crkq32.exe] C:\WINDOWS\crkq32.exe
O4 - HKLM\..\RunOnce: [sdkdq32.exe] C:\WINDOWS\sdkdq32.exe
O4 - HKLM\..\RunOnce: [mssb32.exe] C:\WINDOWS\system32\mssb32.exe
O4 - HKLM\..\RunOnce: [mfcwh.exe] C:\WINDOWS\mfcwh.exe
O4 - HKLM\..\RunOnce: [ntzh.exe] C:\WINDOWS\ntzh.exe
O4 - HKLM\..\RunOnce: [d3dj32.exe] C:\WINDOWS\d3dj32.exe
O4 - HKLM\..\RunOnce: [ipif32.exe] C:\WINDOWS\system32\ipif32.exe
O4 - HKLM\..\RunOnce: [sdkbz.exe] C:\WINDOWS\system32\sdkbz.exe
O4 - HKLM\..\RunOnce: [msdr.exe] C:\WINDOWS\msdr.exe
O4 - HKLM\..\RunOnce: [javahd.exe] C:\WINDOWS\javahd.exe
O4 - HKLM\..\RunOnce: [apiwh32.exe] C:\WINDOWS\apiwh32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [netac32.exe] C:\WINDOWS\netac32.exe
O4 - HKLM\..\RunOnce: [apioz.exe] C:\WINDOWS\system32\apioz.exe
O4 - HKLM\..\RunOnce: [sysas.exe] C:\WINDOWS\system32\sysas.exe
O4 - HKLM\..\RunOnce: [syspm32.exe] C:\WINDOWS\syspm32.exe
O4 - HKLM\..\RunOnce: [ipwv.exe] C:\WINDOWS\system32\ipwv.exe
O4 - HKLM\..\RunOnce: [mfcsz.exe] C:\WINDOWS\mfcsz.exe
O4 - HKLM\..\RunOnce: [sdkqw32.exe] C:\WINDOWS\system32\sdkqw32.exe
O4 - HKLM\..\RunOnce: [msgd32.exe] C:\WINDOWS\system32\msgd32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.prestage.com
O15 - Trusted Zone: http://www.staginglight.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2E3811E9-5504-11D0-A1C4-444553540000} (Tree.PracticeTree) - http://www.prestage.com/ActiveX/holeshot.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Please Help :bawling: Thank You!
Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.
Please print out these instructions.
Step 1
Download CWShredder but don't run it yet.
Step 2
Download AboutBuster
Unzip it to your desktop but don't run it yet.
Step 3
Download Ad-aware SE 1.06
Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.
Step 5
Make sure that you can VIEW ALL HIDDEN FILES.
Step 6
Reboot your computer into SAFE MODE
Step 7
Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B84D9A9B-5648-3F51-42B4-69DAC956800A} - C:\WINDOWS\crkq32.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ipue.exe] C:\WINDOWS\system32\ipue.exe
O4 - HKLM\..\RunOnce: [netrx32.exe] C:\WINDOWS\system32\netrx32.exe
O4 - HKLM\..\RunOnce: [apidp.exe] C:\WINDOWS\apidp.exe
O4 - HKLM\..\RunOnce: [addwf32.exe] C:\WINDOWS\system32\addwf32.exe
O4 - HKLM\..\RunOnce: [winzx.exe] C:\WINDOWS\system32\winzx.exe
O4 - HKLM\..\RunOnce: [crkq32.exe] C:\WINDOWS\crkq32.exe
O4 - HKLM\..\RunOnce: [sdkdq32.exe] C:\WINDOWS\sdkdq32.exe
O4 - HKLM\..\RunOnce: [mssb32.exe] C:\WINDOWS\system32\mssb32.exe
O4 - HKLM\..\RunOnce: [mfcwh.exe] C:\WINDOWS\mfcwh.exe
O4 - HKLM\..\RunOnce: [ntzh.exe] C:\WINDOWS\ntzh.exe
O4 - HKLM\..\RunOnce: [d3dj32.exe] C:\WINDOWS\d3dj32.exe
O4 - HKLM\..\RunOnce: [ipif32.exe] C:\WINDOWS\system32\ipif32.exe
O4 - HKLM\..\RunOnce: [sdkbz.exe] C:\WINDOWS\system32\sdkbz.exe
O4 - HKLM\..\RunOnce: [msdr.exe] C:\WINDOWS\msdr.exe
O4 - HKLM\..\RunOnce: [javahd.exe] C:\WINDOWS\javahd.exe
O4 - HKLM\..\RunOnce: [apiwh32.exe] C:\WINDOWS\apiwh32.exe
O4 - HKLM\..\RunOnce: [netac32.exe] C:\WINDOWS\netac32.exe
O4 - HKLM\..\RunOnce: [apioz.exe] C:\WINDOWS\system32\apioz.exe
O4 - HKLM\..\RunOnce: [sysas.exe] C:\WINDOWS\system32\sysas.exe
O4 - HKLM\..\RunOnce: [syspm32.exe] C:\WINDOWS\syspm32.exe
O4 - HKLM\..\RunOnce: [ipwv.exe] C:\WINDOWS\system32\ipwv.exe
O4 - HKLM\..\RunOnce: [mfcsz.exe] C:\WINDOWS\mfcsz.exe
O4 - HKLM\..\RunOnce: [sdkqw32.exe] C:\WINDOWS\system32\sdkqw32.exe
O4 - HKLM\..\RunOnce: [msgd32.exe] C:\WINDOWS\system32\msgd32.exe
Step 8
Now run CWShredder, making sure to click "Fix".
Step 9
Delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\rtvzk.dll
C:\WINDOWS\crkq32.dll
C:\WINDOWS\system32\ipue.exe
C:\WINDOWS\system32\netrx32.exe
C:\WINDOWS\apidp.exe
C:\WINDOWS\system32\addwf32.exe
C:\WINDOWS\system32\winzx.exe
C:\WINDOWS\crkq32.exe
C:\WINDOWS\sdkdq32.exe
C:\WINDOWS\system32\mssb32.exe
C:\WINDOWS\mfcwh.exe
C:\WINDOWS\ntzh.exe
C:\WINDOWS\d3dj32.exe
C:\WINDOWS\system32\ipif32.exe
C:\WINDOWS\system32\sdkbz.exe
C:\WINDOWS\msdr.exe
C:\WINDOWS\javahd.exe
C:\WINDOWS\apiwh32.exe
C:\WINDOWS\netac32.exe
C:\WINDOWS\system32\apioz.exe
C:\WINDOWS\system32\sysas.exe
C:\WINDOWS\syspm32.exe
C:\WINDOWS\system32\ipwv.exe
C:\WINDOWS\mfcsz.exe
C:\WINDOWS\system32\sdkqw32.exe
C:\WINDOWS\system32\msgd32.exe
Step 10
Double-click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.
Step 11
Run a full scan with Adaware.
Reboot your computer to go back to normal mode and post a new hijackthis log and the log from About Buster.
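Added example, not part of the original thread and not HijackThis's own logic: a small Python triage of HijackThis log lines that flags three patterns recurring in the entries listed in Step 7. The sample lines are copied from the first log in this thread; the three rules and all function names are assumptions made for illustration, and they do not cover every entry on the Step 7 list (for example `about:blank` and the R3 line).

```python
import ntpath
import re

# Lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ipue.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rtvzk.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {B84D9A9B-5648-3F51-42B4-69DAC956800A} - C:\WINDOWS\crkq32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ipue.exe] C:\WINDOWS\system32\ipue.exe
O4 - HKLM\..\RunOnce: [netrx32.exe] C:\WINDOWS\system32\netrx32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: officejet 6100.lnk = ?
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "O4 - <body>"
O4_RE = re.compile(r"^\S+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)\b', re.IGNORECASE)
RES_RE = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

# Directories where the thread's unwanted files were dropped.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def executable_of(cmd):
    """Return the program path from a Run command, quoted or not, without arguments."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(log_text):
    """Return (section, reason, target) tuples for lines matching the assumed rules."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()

        if code in ("R0", "R1") and " = " in body:
            # Rule 1: an IE start/search setting served from a resource in a local DLL.
            _, value = body.split(" = ", 1)
            res = RES_RE.match(value)
            if res:
                findings.append((code, "IE setting points into a local DLL", res.group(1)))

        elif code == "O2":
            # Rule 2: a BHO with the generic name "Class" sitting in a Windows directory.
            bho = O2_RE.match(body)
            if bho and bho.group("name") == "Class":
                if ntpath.dirname(bho.group("path")).lower() in SYSTEM_DIRS:
                    findings.append((code, "unnamed BHO in a Windows directory", bho.group("path")))

        elif code == "O4":
            # Rule 3: the autostart value is named after its own executable file.
            run = O4_RE.match(body)
            if not run:
                continue  # e.g. "Global Startup" shortcuts have no [name]
            exe = executable_of(run.group("cmd"))
            if exe and run.group("name").lower() == ntpath.basename(exe).lower():
                findings.append((code, "autostart value named after its own file", exe))
    return findings


if __name__ == "__main__":
    for section, reason, target in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {target}")
```
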
Here is my log from HJT and About Buster:
Logfile of HijackThis v1.99.1
Scan saved at 9:21:31 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ipue.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {4507B4AA-2E46-3E95-2F9A-913A1B2A5DF7} - C:\WINDOWS\atlaa32.dll
O2 - BHO: Class - {57DCEAD2-55C5-1822-70C4-E713BB4D310B} - C:\WINDOWS\system32\ietp32.dll
O2 - BHO: Class - {877B5096-0FB9-2632-5448-A94D5150B850} - C:\WINDOWS\system32\ntrn32.dll
O2 - BHO: Class - {9FF525C4-DA3A-A482-0793-0178BE517407} - C:\WINDOWS\atlyr32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D4830DD3-9ABD-EA24-ED6B-4C012094FCAD} - C:\WINDOWS\iepe.dll
O2 - BHO: Class - {EC35B82F-DE5F-4C0D-A8E0-4A646DF69845} - C:\WINDOWS\msdt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ipue.exe] C:\WINDOWS\system32\ipue.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\RunOnce: [javaue32.exe] C:\WINDOWS\javaue32.exe
O4 - HKLM\..\RunOnce: [apitk.exe] C:\WINDOWS\apitk.exe
O4 - HKLM\..\RunOnce: [iplf32.exe] C:\WINDOWS\iplf32.exe
O4 - HKLM\..\RunOnce: [d3ec.exe] C:\WINDOWS\system32\d3ec.exe
O4 - HKLM\..\RunOnce: [netdb32.exe] C:\WINDOWS\system32\netdb32.exe
O4 - HKLM\..\RunOnce: [d3wj.exe] C:\WINDOWS\d3wj.exe
O4 - HKLM\..\RunOnce: [apifp32.exe] C:\WINDOWS\system32\apifp32.exe
O4 - HKLM\..\RunOnce: [ieko.exe] C:\WINDOWS\ieko.exe
O4 - HKLM\..\RunOnce: [ntje32.exe] C:\WINDOWS\ntje32.exe
O4 - HKLM\..\RunOnce: [mfczt32.exe] C:\WINDOWS\system32\mfczt32.exe
O4 - HKLM\..\RunOnce: [winmd32.exe] C:\WINDOWS\system32\winmd32.exe
O4 - HKLM\..\RunOnce: [ntkc.exe] C:\WINDOWS\system32\ntkc.exe
O4 - HKLM\..\RunOnce: [msus32.exe] C:\WINDOWS\msus32.exe
O4 - HKLM\..\RunOnce: [iewm.exe] C:\WINDOWS\iewm.exe
O4 - HKLM\..\RunOnce: [mfcsl.exe] C:\WINDOWS\mfcsl.exe
O4 - HKLM\..\RunOnce: [javaka32.exe] C:\WINDOWS\system32\javaka32.exe
O4 - HKLM\..\RunOnce: [iplu.exe] C:\WINDOWS\iplu.exe
O4 - HKLM\..\RunOnce: [mfcdl.exe] C:\WINDOWS\system32\mfcdl.exe
O4 - HKLM\..\RunOnce: [mfcbb32.exe] C:\WINDOWS\mfcbb32.exe
O4 - HKLM\..\RunOnce: [crka.exe] C:\WINDOWS\system32\crka.exe
O4 - HKLM\..\RunOnce: [addli.exe] C:\WINDOWS\system32\addli.exe
O4 - HKLM\..\RunOnce: [sdkzf32.exe] C:\WINDOWS\system32\sdkzf32.exe
O4 - HKLM\..\RunOnce: [mfczs32.exe] C:\WINDOWS\system32\mfczs32.exe
O4 - HKLM\..\RunOnce: [ieep32.exe] C:\WINDOWS\ieep32.exe
O4 - HKLM\..\RunOnce: [apihi.exe] C:\WINDOWS\system32\apihi.exe
O4 - HKLM\..\RunOnce: [sdkba.exe] C:\WINDOWS\system32\sdkba.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.prestage.com
O15 - Trusted Zone: http://www.staginglight.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2E3811E9-5504-11D0-A1C4-444553540000} (Tree.PracticeTree) - http://www.prestage.com/ActiveX/holeshot.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javaue32.exe" /s (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
AboutBuster 5.0 reference file 30
Scan started on [7/12/2005] at [8:28:42 PM]
Removed Stream! C:\WINDOWS\Eufekwvajip.xoq:czpgpy
Removed Stream! C:\WINDOWS\exyri.txt:uaamsi
No Files Found!
Scan was COMPLETED SUCCESSFULLY at 8:29:18 PM
Please download and install Mozilla Firefox to use as an alternate browser while we are fixing your computer.
http://www.mozilla.org/products/firefox/
Do not use IE until you are clean!
=========
Please download and install Cleanup 4.0, but don't run it yet.
http://cleanup.stevengould.org/
=========
Reboot your computer into SAFE MODE
=========
Fix these lines with Hijackthis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lzhco.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {4507B4AA-2E46-3E95-2F9A-913A1B2A5DF7} - C:\WINDOWS\atlaa32.dll
O2 - BHO: Class - {57DCEAD2-55C5-1822-70C4-E713BB4D310B} - C:\WINDOWS\system32\ietp32.dll
O2 - BHO: Class - {877B5096-0FB9-2632-5448-A94D5150B850} - C:\WINDOWS\system32\ntrn32.dll
O2 - BHO: Class - {9FF525C4-DA3A-A482-0793-0178BE517407} - C:\WINDOWS\atlyr32.dll
O2 - BHO: Class - {D4830DD3-9ABD-EA24-ED6B-4C012094FCAD} - C:\WINDOWS\iepe.dll
O2 - BHO: Class - {EC35B82F-DE5F-4C0D-A8E0-4A646DF69845} - C:\WINDOWS\msdt.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ipue.exe] C:\WINDOWS\system32\ipue.exe
O4 - HKLM\..\RunOnce: [javaue32.exe] C:\WINDOWS\javaue32.exe
O4 - HKLM\..\RunOnce: [apitk.exe] C:\WINDOWS\apitk.exe
O4 - HKLM\..\RunOnce: [iplf32.exe] C:\WINDOWS\iplf32.exe
O4 - HKLM\..\RunOnce: [d3ec.exe] C:\WINDOWS\system32\d3ec.exe
O4 - HKLM\..\RunOnce: [netdb32.exe] C:\WINDOWS\system32\netdb32.exe
O4 - HKLM\..\RunOnce: [d3wj.exe] C:\WINDOWS\d3wj.exe
O4 - HKLM\..\RunOnce: [apifp32.exe] C:\WINDOWS\system32\apifp32.exe
O4 - HKLM\..\RunOnce: [ieko.exe] C:\WINDOWS\ieko.exe
O4 - HKLM\..\RunOnce: [ntje32.exe] C:\WINDOWS\ntje32.exe
O4 - HKLM\..\RunOnce: [mfczt32.exe] C:\WINDOWS\system32\mfczt32.exe
O4 - HKLM\..\RunOnce: [winmd32.exe] C:\WINDOWS\system32\winmd32.exe
O4 - HKLM\..\RunOnce: [ntkc.exe] C:\WINDOWS\system32\ntkc.exe
O4 - HKLM\..\RunOnce: [msus32.exe] C:\WINDOWS\msus32.exe
O4 - HKLM\..\RunOnce: [iewm.exe] C:\WINDOWS\iewm.exe
O4 - HKLM\..\RunOnce: [mfcsl.exe] C:\WINDOWS\mfcsl.exe
O4 - HKLM\..\RunOnce: [javaka32.exe] C:\WINDOWS\system32\javaka32.exe
O4 - HKLM\..\RunOnce: [iplu.exe] C:\WINDOWS\iplu.exe
O4 - HKLM\..\RunOnce: [mfcdl.exe] C:\WINDOWS\system32\mfcdl.exe
O4 - HKLM\..\RunOnce: [mfcbb32.exe] C:\WINDOWS\mfcbb32.exe
O4 - HKLM\..\RunOnce: [crka.exe] C:\WINDOWS\system32\crka.exe
O4 - HKLM\..\RunOnce: [addli.exe] C:\WINDOWS\system32\addli.exe
O4 - HKLM\..\RunOnce: [sdkzf32.exe] C:\WINDOWS\system32\sdkzf32.exe
O4 - HKLM\..\RunOnce: [mfczs32.exe] C:\WINDOWS\system32\mfczs32.exe
O4 - HKLM\..\RunOnce: [ieep32.exe] C:\WINDOWS\ieep32.exe
O4 - HKLM\..\RunOnce: [apihi.exe] C:\WINDOWS\system32\apihi.exe
O4 - HKLM\..\RunOnce: [sdkba.exe] C:\WINDOWS\system32\sdkba.exe
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/...uncherSetup.cab
============
Delete these files.
C:\WINDOWS\lzhco.dll
C:\WINDOWS\atlaa32.dll
C:\WINDOWS\system32\ietp32.dll
C:\WINDOWS\system32\ntrn32.dll
C:\WINDOWS\atlyr32.dll
C:\WINDOWS\iepe.dll
C:\WINDOWS\msdt.dll
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ipue.exe
C:\WINDOWS\javaue32.exe
C:\WINDOWS\apitk.exe
C:\WINDOWS\iplf32.exe
C:\WINDOWS\system32\d3ec.exe
C:\WINDOWS\system32\netdb32.exe
C:\WINDOWS\d3wj.exe
C:\WINDOWS\system32\apifp32.exe
C:\WINDOWS\ieko.exe
C:\WINDOWS\ntje32.exe
C:\WINDOWS\system32\mfczt32.exe
C:\WINDOWS\system32\winmd32.exe
C:\WINDOWS\system32\ntkc.exe
C:\WINDOWS\msus32.exe
C:\WINDOWS\iewm.exe
C:\WINDOWS\mfcsl.exe
C:\WINDOWS\system32\javaka32.exe
C:\WINDOWS\iplu.exe
C:\WINDOWS\system32\mfcdl.exe
C:\WINDOWS\mfcbb32.exe
C:\WINDOWS\system32\crka.exe
C:\WINDOWS\system32\addli.exe
C:\WINDOWS\system32\sdkzf32.exe
C:\WINDOWS\system32\mfczs32.exe
C:\WINDOWS\ieep32.exe
C:\WINDOWS\system32\apihi.exe
C:\WINDOWS\system32\sdkba.exe
===========
Click Start -> Run -> (type) services.msc
Scroll down and find the service called Workstation NetLogon Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.
Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
Copy and paste this into the text box and click OK.
11Fßä#·ºÄÖ`I
Do not reboot yet.
Don't worry if you get an error while doing this. Just proceed to the next step.
===========
Run CleanUp 4.0
This will delete your temp files.
===========
Run CWShredder.
===========
Run AboutBuster
===========
Reboot back to normal mode.
Please run this online virus scan using Firefox. Do not launch IE.
http://uk.trendmicro-europe.com/consumer/housecall/housecall_launch.php
There will be files that this scan will not remove. Please include that information in your next post.
Reboot and post a new hijackthis log and the info from your virus scan.
Let me know what we need to do next. Thanks for your help and patience, you are great!
Logfile of HijackThis v1.99.1
Scan saved at 10:27:53 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\HJT\HijackThis.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.prestage.com
O15 - Trusted Zone: http://www.staginglight.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2E3811E9-5504-11D0-A1C4-444553540000} (Tree.PracticeTree) - http://www.prestage.com/ActiveX/holeshot.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Trend Micro Housecall Virus Scan: 0 virus cleaned, 61 viruses deleted
Results:
We have detected 61 infected file(s) with 61 virus(es) on your
computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 61 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File | Associated Virus Name | Action Taken
C:\WINDOWS\system32\apisq32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\apitv.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\appsx32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\appxo.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\atlya.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\crnb32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\d3kf.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\d3tg.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\ieej.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\iefo32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\ipik32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\ipue.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\javabk32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\javahx.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\javapy32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\mfcro32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\mfcyx32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\msgn.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\msod32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\netgn.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\nettq32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\netye.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\ntdb.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\ntpr.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\ntun.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\sdkmu.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\sysbs32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\winaz.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\winbd.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\winbh.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\windr.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\system32\winyb.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\addgs.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\addju.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\addrj.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\addyo32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\appwc.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\atlev32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\atljq.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\crsc32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\d3sm32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\d3zm.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\iebf.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\iebk.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\ietr.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\ievs32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\ieyh32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\ipbc.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\ipyg.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\javagt32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\javajc32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\mfchg.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\mfcic.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\mfclv.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\mfcsn.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\sdkpn32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\sdktm.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\winis32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\winmi32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\winos32.exe | TROJ_AGENT.UH | Deletion successful
C:\WINDOWS\wintp32.exe | TROJ_AGENT.UH | Deletion successful
Trojan/Worm Check: 0 worm/Trojan horse deleted
What we checked:
Malicious activity by a Trojan horse program. Although a
Trojan seems like a harmless program, it contains malicious
code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your
computer. Only 0 out of 0 Trojan horse programs and worms are
displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name | Trojan/Worm Type | Action Taken
Spyware Check
What we checked:
Whether personal information was tracked and reported by
spyware. Spyware is often installed secretly with legitimate
programs downloaded from the Internet.
Results:
We have detected 0 spyware(s) on your computer. Only 0 out of
0 spywares are displayed:
- 0 spyware(s) passed, 0 spyware(s) no action available
- 0 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name | Spyware Type | Action Taken
Microsoft Vulnerability Check
What we checked:
Microsoft known security vulnerabilities. These are issues
Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your
computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level | Issue | How to Fix
I will post my Panda log in another reply.