Options
Need Search Extender Spyware help – Log Attached
I have recently received the joys of the Search Extender spyware and have attached my HiJackThis log below. Someone please take a look below and let me know which of the entries ought to be removed.
Again, thanks for all the help!
Logfile of HijackThis v1.99.1
Scan saved at 12:59:02 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\ipqd.exe C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HIT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05C13EB5-7881-2B00-7C2C-BE433C3C51A6} - C:\WINDOWS\system32\sdkyh.dll
O2 - BHO: Class - {0DC9678A-0260-8CEB-0563-594D9FB02903} - C:\WINDOWS\system32\atlpp32.dll
O2 - BHO: Class - {1B10D5D8-0D3A-C6AA-7945-199D629061C9} - C:\WINDOWS\sdkof.dll
O2 - BHO: Class - {38C5B834-A322-B57E-5E70-389C168DEC39} - C:\WINDOWS\system32\mfcdj.dll
O2 - BHO: Class - {3EB79716-BC8C-A65F-5E2B-31BD61248EA1} - C:\WINDOWS\nthl32.dll
O2 - BHO: Class - {3FC5F00B-0204-AD29-6D02-6C41C7707FDF} - C:\WINDOWS\system32\atlry32.dll
O2 - BHO: Class - {4B2C0F1B-9B30-2FC4-A487-1C59255C24ED} - C:\WINDOWS\mfcba32.dll
O2 - BHO: Class - {546EB25A-6A5D-99EF-7458-F82F8D257E62} - C:\WINDOWS\system32\ieuj.dll
O2 - BHO: Class - {6E2C8740-710D-660F-1F9A-381C376446C6} - C:\WINDOWS\sdkjv.dll
O2 - BHO: Class - {81D25943-2085-D1C4-2F01-1C9877C3D278} - C:\WINDOWS\system32\sdkmw.dll
O2 - BHO: Class - {87BB8735-D059-E026-8627-CD8DC71E9026} - C:\WINDOWS\iees.dll
O2 - BHO: Class - {9600C465-7C6A-0B9C-2B1E-DA75DD1BD842} - C:\WINDOWS\system32\iegc32.dll
O2 - BHO: Class - {A47B3009-DB35-BE2B-D263-A0DEE154022D} - C:\WINDOWS\system32\sysid32.dll
O2 - BHO: Class - {F1C42DB1-6A20-CE33-C14A-D483F27B1A0D} - C:\WINDOWS\msdb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround
Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer]
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ipqd.exe] C:\WINDOWS\ipqd.exe
O4 - HKLM\..\RunOnce: [crrb.exe] C:\WINDOWS\system32\crrb.exe
O4 - HKLM\..\RunOnce: [mfcoz32.exe] C:\WINDOWS\mfcoz32.exe
O4 - HKLM\..\RunOnce: [atldw.exe] C:\WINDOWS\atldw.exe
O4 - HKLM\..\RunOnce: [ippq.exe] C:\WINDOWS\system32\ippq.exe
O4 - HKLM\..\RunOnce: [ipbg.exe] C:\WINDOWS\system32\ipbg.exe
O4 - HKLM\..\RunOnce: [appnx.exe] C:\WINDOWS\system32\appnx.exe
O4 - HKLM\..\RunOnce: [syswy32.exe] C:\WINDOWS\system32\syswy32.exe
O4 - HKLM\..\RunOnce: [appfs.exe] C:\WINDOWS\system32\appfs.exe
O4 - HKLM\..\RunOnce: [addid32.exe] C:\WINDOWS\system32\addid32.exe
O4 - HKLM\..\RunOnce: [nttq32.exe] C:\WINDOWS\system32\nttq32.exe
O4 - HKLM\..\RunOnce: [ntwh.exe] C:\WINDOWS\ntwh.exe
O4 - HKLM\..\RunOnce: [iekb32.exe] C:\WINDOWS\iekb32.exe
O4 - HKLM\..\RunOnce: [addsm32.exe] C:\WINDOWS\system32\addsm32.exe
O4 - HKLM\..\RunOnce: [crrc.exe] C:\WINDOWS\system32\crrc.exe
O4 - HKLM\..\RunOnce: [crjk.exe] C:\WINDOWS\crjk.exe
O4 - HKLM\..\RunOnce: [apiyi32.exe] C:\WINDOWS\system32\apiyi32.exe
O4 - HKLM\..\RunOnce: [iprm.exe] C:\WINDOWS\system32\iprm.exe
O4 - HKLM\..\RunOnce: [msjs.exe] C:\WINDOWS\msjs.exe
O4 - HKLM\..\RunOnce: [apizt.exe] C:\WINDOWS\apizt.exe
O4 - HKLM\..\RunOnce: [atlxm32.exe] C:\WINDOWS\atlxm32.exe
O4 - HKLM\..\RunOnce: [iehh.exe] C:\WINDOWS\system32\iehh.exe
O4 - HKLM\..\RunOnce: [sdkmb.exe] C:\WINDOWS\system32\sdkmb.exe
O4 - HKLM\..\RunOnce: [appfw.exe] C:\WINDOWS\system32\appfw.exe
O4 - HKLM\..\RunOnce: [sysgt.exe] C:\WINDOWS\system32\sysgt.exe
O4 - HKLM\..\RunOnce: [crrp.exe] C:\WINDOWS\system32\crrp.exe
O4 - HKLM\..\RunOnce: [crcx.exe] C:\WINDOWS\system32\crcx.exe
O4 - HKLM\..\RunOnce: [mszd.exe] C:\WINDOWS\mszd.exe
O4 - HKLM\..\RunOnce: [apprz.exe] C:\WINDOWS\system32\apprz.exe
O4 - HKLM\..\RunOnce: [syskp.exe] C:\WINDOWS\syskp.exe
O4 - HKLM\..\RunOnce: [ntwi32.exe] C:\WINDOWS\system32\ntwi32.exe
O4 - HKLM\..\RunOnce: [winxu32.exe] C:\WINDOWS\winxu32.exe
O4 - HKLM\..\RunOnce: [appbm32.exe] C:\WINDOWS\appbm32.exe
O4 - HKLM\..\RunOnce: [sdkcf32.exe] C:\WINDOWS\sdkcf32.exe
O4 - HKLM\..\RunOnce: [ipkz.exe] C:\WINDOWS\ipkz.exe
O4 - HKLM\..\RunOnce: [crma32.exe] C:\WINDOWS\crma32.exe
O4 - HKLM\..\RunOnce: [sysgw.exe] C:\WINDOWS\sysgw.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\Natural Voice Reader Standard\read.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\Natural Voice Reader Standard\read.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F}
- C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/scriptlets/launcher.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://westnile.eng.auburn.edu/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class)
- http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX
Control) - https://auinsts.duc.auburn.edu/auinst/cabfiles/iftwv2.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona
Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://131.204.99.250/activex/AxisCamControl.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer
Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service
Client) - http://ccon.madonion.com/global/msc.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner
- C:\WINDOWS\system32\crrb.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Again, thanks for all the help!
Logfile of HijackThis v1.99.1
Scan saved at 12:59:02 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\ipqd.exe C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HIT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05C13EB5-7881-2B00-7C2C-BE433C3C51A6} - C:\WINDOWS\system32\sdkyh.dll
O2 - BHO: Class - {0DC9678A-0260-8CEB-0563-594D9FB02903} - C:\WINDOWS\system32\atlpp32.dll
O2 - BHO: Class - {1B10D5D8-0D3A-C6AA-7945-199D629061C9} - C:\WINDOWS\sdkof.dll
O2 - BHO: Class - {38C5B834-A322-B57E-5E70-389C168DEC39} - C:\WINDOWS\system32\mfcdj.dll
O2 - BHO: Class - {3EB79716-BC8C-A65F-5E2B-31BD61248EA1} - C:\WINDOWS\nthl32.dll
O2 - BHO: Class - {3FC5F00B-0204-AD29-6D02-6C41C7707FDF} - C:\WINDOWS\system32\atlry32.dll
O2 - BHO: Class - {4B2C0F1B-9B30-2FC4-A487-1C59255C24ED} - C:\WINDOWS\mfcba32.dll
O2 - BHO: Class - {546EB25A-6A5D-99EF-7458-F82F8D257E62} - C:\WINDOWS\system32\ieuj.dll
O2 - BHO: Class - {6E2C8740-710D-660F-1F9A-381C376446C6} - C:\WINDOWS\sdkjv.dll
O2 - BHO: Class - {81D25943-2085-D1C4-2F01-1C9877C3D278} - C:\WINDOWS\system32\sdkmw.dll
O2 - BHO: Class - {87BB8735-D059-E026-8627-CD8DC71E9026} - C:\WINDOWS\iees.dll
O2 - BHO: Class - {9600C465-7C6A-0B9C-2B1E-DA75DD1BD842} - C:\WINDOWS\system32\iegc32.dll
O2 - BHO: Class - {A47B3009-DB35-BE2B-D263-A0DEE154022D} - C:\WINDOWS\system32\sysid32.dll
O2 - BHO: Class - {F1C42DB1-6A20-CE33-C14A-D483F27B1A0D} - C:\WINDOWS\msdb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround
Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer]
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ipqd.exe] C:\WINDOWS\ipqd.exe
O4 - HKLM\..\RunOnce: [crrb.exe] C:\WINDOWS\system32\crrb.exe
O4 - HKLM\..\RunOnce: [mfcoz32.exe] C:\WINDOWS\mfcoz32.exe
O4 - HKLM\..\RunOnce: [atldw.exe] C:\WINDOWS\atldw.exe
O4 - HKLM\..\RunOnce: [ippq.exe] C:\WINDOWS\system32\ippq.exe
O4 - HKLM\..\RunOnce: [ipbg.exe] C:\WINDOWS\system32\ipbg.exe
O4 - HKLM\..\RunOnce: [appnx.exe] C:\WINDOWS\system32\appnx.exe
O4 - HKLM\..\RunOnce: [syswy32.exe] C:\WINDOWS\system32\syswy32.exe
O4 - HKLM\..\RunOnce: [appfs.exe] C:\WINDOWS\system32\appfs.exe
O4 - HKLM\..\RunOnce: [addid32.exe] C:\WINDOWS\system32\addid32.exe
O4 - HKLM\..\RunOnce: [nttq32.exe] C:\WINDOWS\system32\nttq32.exe
O4 - HKLM\..\RunOnce: [ntwh.exe] C:\WINDOWS\ntwh.exe
O4 - HKLM\..\RunOnce: [iekb32.exe] C:\WINDOWS\iekb32.exe
O4 - HKLM\..\RunOnce: [addsm32.exe] C:\WINDOWS\system32\addsm32.exe
O4 - HKLM\..\RunOnce: [crrc.exe] C:\WINDOWS\system32\crrc.exe
O4 - HKLM\..\RunOnce: [crjk.exe] C:\WINDOWS\crjk.exe
O4 - HKLM\..\RunOnce: [apiyi32.exe] C:\WINDOWS\system32\apiyi32.exe
O4 - HKLM\..\RunOnce: [iprm.exe] C:\WINDOWS\system32\iprm.exe
O4 - HKLM\..\RunOnce: [msjs.exe] C:\WINDOWS\msjs.exe
O4 - HKLM\..\RunOnce: [apizt.exe] C:\WINDOWS\apizt.exe
O4 - HKLM\..\RunOnce: [atlxm32.exe] C:\WINDOWS\atlxm32.exe
O4 - HKLM\..\RunOnce: [iehh.exe] C:\WINDOWS\system32\iehh.exe
O4 - HKLM\..\RunOnce: [sdkmb.exe] C:\WINDOWS\system32\sdkmb.exe
O4 - HKLM\..\RunOnce: [appfw.exe] C:\WINDOWS\system32\appfw.exe
O4 - HKLM\..\RunOnce: [sysgt.exe] C:\WINDOWS\system32\sysgt.exe
O4 - HKLM\..\RunOnce: [crrp.exe] C:\WINDOWS\system32\crrp.exe
O4 - HKLM\..\RunOnce: [crcx.exe] C:\WINDOWS\system32\crcx.exe
O4 - HKLM\..\RunOnce: [mszd.exe] C:\WINDOWS\mszd.exe
O4 - HKLM\..\RunOnce: [apprz.exe] C:\WINDOWS\system32\apprz.exe
O4 - HKLM\..\RunOnce: [syskp.exe] C:\WINDOWS\syskp.exe
O4 - HKLM\..\RunOnce: [ntwi32.exe] C:\WINDOWS\system32\ntwi32.exe
O4 - HKLM\..\RunOnce: [winxu32.exe] C:\WINDOWS\winxu32.exe
O4 - HKLM\..\RunOnce: [appbm32.exe] C:\WINDOWS\appbm32.exe
O4 - HKLM\..\RunOnce: [sdkcf32.exe] C:\WINDOWS\sdkcf32.exe
O4 - HKLM\..\RunOnce: [ipkz.exe] C:\WINDOWS\ipkz.exe
O4 - HKLM\..\RunOnce: [crma32.exe] C:\WINDOWS\crma32.exe
O4 - HKLM\..\RunOnce: [sysgw.exe] C:\WINDOWS\sysgw.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\Natural Voice Reader Standard\read.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\Natural Voice Reader Standard\read.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F}
- C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/scriptlets/launcher.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://westnile.eng.auburn.edu/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class)
- http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX
Control) - https://auinsts.duc.auburn.edu/auinst/cabfiles/iftwv2.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona
Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://131.204.99.250/activex/AxisCamControl.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer
Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service
Client) - http://ccon.madonion.com/global/msc.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner
- C:\WINDOWS\system32\crrb.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
0
Comments
You have an HSA infection. The filenames on this type of infection can change each time you reboot your computer or use Internet Explorer. With that in mind, some of these filenames may be different. But the pattern is the same and you may be able to determine the correct files to remove. The sooner you perform this fix, the higher it's chances for success.
Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.
Please print out these instructions.
Step 1
Download CWShredder but don't run it yet.
Step 2
Download AboutBuster
Unzip it to your desktop but don't run it yet.
Step 3
Download Ad-aware SE 1.06
Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.
Step 5
Make sure that you can VIEW ALL HIDDEN FILES.
Step 6
Reboot your computer into SAFE MODE
Step 7
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\fbxox.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05C13EB5-7881-2B00-7C2C-BE433C3C51A6} - C:\WINDOWS\system32\sdkyh.dll
O2 - BHO: Class - {0DC9678A-0260-8CEB-0563-594D9FB02903} - C:\WINDOWS\system32\atlpp32.dll
O2 - BHO: Class - {1B10D5D8-0D3A-C6AA-7945-199D629061C9} - C:\WINDOWS\sdkof.dll
O2 - BHO: Class - {38C5B834-A322-B57E-5E70-389C168DEC39} - C:\WINDOWS\system32\mfcdj.dll
O2 - BHO: Class - {3EB79716-BC8C-A65F-5E2B-31BD61248EA1} - C:\WINDOWS\nthl32.dll
O2 - BHO: Class - {3FC5F00B-0204-AD29-6D02-6C41C7707FDF} - C:\WINDOWS\system32\atlry32.dll
O2 - BHO: Class - {4B2C0F1B-9B30-2FC4-A487-1C59255C24ED} - C:\WINDOWS\mfcba32.dll
O2 - BHO: Class - {546EB25A-6A5D-99EF-7458-F82F8D257E62} - C:\WINDOWS\system32\ieuj.dll
O2 - BHO: Class - {6E2C8740-710D-660F-1F9A-381C376446C6} - C:\WINDOWS\sdkjv.dll
O2 - BHO: Class - {81D25943-2085-D1C4-2F01-1C9877C3D278} - C:\WINDOWS\system32\sdkmw.dll
O2 - BHO: Class - {87BB8735-D059-E026-8627-CD8DC71E9026} - C:\WINDOWS\iees.dll
O2 - BHO: Class - {9600C465-7C6A-0B9C-2B1E-DA75DD1BD842} - C:\WINDOWS\system32\iegc32.dll
O2 - BHO: Class - {A47B3009-DB35-BE2B-D263-A0DEE154022D} - C:\WINDOWS\system32\sysid32.dll
O2 - BHO: Class - {F1C42DB1-6A20-CE33-C14A-D483F27B1A0D} - C:\WINDOWS\msdb.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ipqd.exe] C:\WINDOWS\ipqd.exe
O4 - HKLM\..\RunOnce: [crrb.exe] C:\WINDOWS\system32\crrb.exe
O4 - HKLM\..\RunOnce: [mfcoz32.exe] C:\WINDOWS\mfcoz32.exe
O4 - HKLM\..\RunOnce: [atldw.exe] C:\WINDOWS\atldw.exe
O4 - HKLM\..\RunOnce: [ippq.exe] C:\WINDOWS\system32\ippq.exe
O4 - HKLM\..\RunOnce: [ipbg.exe] C:\WINDOWS\system32\ipbg.exe
O4 - HKLM\..\RunOnce: [appnx.exe] C:\WINDOWS\system32\appnx.exe
O4 - HKLM\..\RunOnce: [syswy32.exe] C:\WINDOWS\system32\syswy32.exe
O4 - HKLM\..\RunOnce: [appfs.exe] C:\WINDOWS\system32\appfs.exe
O4 - HKLM\..\RunOnce: [addid32.exe] C:\WINDOWS\system32\addid32.exe
O4 - HKLM\..\RunOnce: [nttq32.exe] C:\WINDOWS\system32\nttq32.exe
O4 - HKLM\..\RunOnce: [ntwh.exe] C:\WINDOWS\ntwh.exe
O4 - HKLM\..\RunOnce: [iekb32.exe] C:\WINDOWS\iekb32.exe
O4 - HKLM\..\RunOnce: [addsm32.exe] C:\WINDOWS\system32\addsm32.exe
O4 - HKLM\..\RunOnce: [crrc.exe] C:\WINDOWS\system32\crrc.exe
O4 - HKLM\..\RunOnce: [crjk.exe] C:\WINDOWS\crjk.exe
O4 - HKLM\..\RunOnce: [apiyi32.exe] C:\WINDOWS\system32\apiyi32.exe
O4 - HKLM\..\RunOnce: [iprm.exe] C:\WINDOWS\system32\iprm.exe
O4 - HKLM\..\RunOnce: [msjs.exe] C:\WINDOWS\msjs.exe
O4 - HKLM\..\RunOnce: [apizt.exe] C:\WINDOWS\apizt.exe
O4 - HKLM\..\RunOnce: [atlxm32.exe] C:\WINDOWS\atlxm32.exe
O4 - HKLM\..\RunOnce: [iehh.exe] C:\WINDOWS\system32\iehh.exe
O4 - HKLM\..\RunOnce: [sdkmb.exe] C:\WINDOWS\system32\sdkmb.exe
O4 - HKLM\..\RunOnce: [appfw.exe] C:\WINDOWS\system32\appfw.exe
O4 - HKLM\..\RunOnce: [sysgt.exe] C:\WINDOWS\system32\sysgt.exe
O4 - HKLM\..\RunOnce: [crrp.exe] C:\WINDOWS\system32\crrp.exe
O4 - HKLM\..\RunOnce: [crcx.exe] C:\WINDOWS\system32\crcx.exe
O4 - HKLM\..\RunOnce: [mszd.exe] C:\WINDOWS\mszd.exe
O4 - HKLM\..\RunOnce: [apprz.exe] C:\WINDOWS\system32\apprz.exe
O4 - HKLM\..\RunOnce: [syskp.exe] C:\WINDOWS\syskp.exe
O4 - HKLM\..\RunOnce: [ntwi32.exe] C:\WINDOWS\system32\ntwi32.exe
O4 - HKLM\..\RunOnce: [winxu32.exe] C:\WINDOWS\winxu32.exe
O4 - HKLM\..\RunOnce: [appbm32.exe] C:\WINDOWS\appbm32.exe
O4 - HKLM\..\RunOnce: [sdkcf32.exe] C:\WINDOWS\sdkcf32.exe
O4 - HKLM\..\RunOnce: [ipkz.exe] C:\WINDOWS\ipkz.exe
O4 - HKLM\..\RunOnce: [crma32.exe] C:\WINDOWS\crma32.exe
O4 - HKLM\..\RunOnce: [sysgw.exe] C:\WINDOWS\sysgw.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner
- C:\WINDOWS\system32\crrb.exe" /s (file missing)
Step 8
Now run CWShredder, making sure to click "Fix".
Step 9
Delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\fbxox.dll
C:\WINDOWS\system32\sdkyh.dll
C:\WINDOWS\system32\atlpp32.dll
C:\WINDOWS\sdkof.dll
C:\WINDOWS\system32\mfcdj.dll
C:\WINDOWS\nthl32.dll
C:\WINDOWS\system32\atlry32.dll
C:\WINDOWS\mfcba32.dll
C:\WINDOWS\system32\ieuj.dll
C:\WINDOWS\sdkjv.dll
C:\WINDOWS\system32\sdkmw.dll
C:\WINDOWS\iees.dll
C:\WINDOWS\system32\iegc32.dll
C:\WINDOWS\system32\sysid32.dll
C:\WINDOWS\msdb.dll
C:\WINDOWS\ipqd.exe
C:\WINDOWS\system32\crrb.exe
C:\WINDOWS\mfcoz32.exe
C:\WINDOWS\atldw.exe
C:\WINDOWS\system32\ippq.exe
C:\WINDOWS\system32\ipbg.exe
C:\WINDOWS\system32\appnx.exe
C:\WINDOWS\system32\syswy32.exe
C:\WINDOWS\system32\appfs.exe
C:\WINDOWS\system32\addid32.exe
C:\WINDOWS\system32\nttq32.exe
C:\WINDOWS\ntwh.exe
C:\WINDOWS\iekb32.exe
C:\WINDOWS\system32\addsm32.exe
C:\WINDOWS\system32\crrc.exe
C:\WINDOWS\crjk.exe
C:\WINDOWS\system32\apiyi32.exe
C:\WINDOWS\system32\iprm.exe
C:\WINDOWS\msjs.exe
C:\WINDOWS\apizt.exe
C:\WINDOWS\atlxm32.exe
C:\WINDOWS\system32\iehh.exe
C:\WINDOWS\system32\sdkmb.exe
C:\WINDOWS\system32\appfw.exe
C:\WINDOWS\system32\sysgt.exe
C:\WINDOWS\system32\crrp.exe
C:\WINDOWS\system32\crcx.exe
C:\WINDOWS\mszd.exe
C:\WINDOWS\system32\apprz.exe
C:\WINDOWS\syskp.exe
C:\WINDOWS\system32\ntwi32.exe
C:\WINDOWS\winxu32.exe
C:\WINDOWS\appbm32.exe
C:\WINDOWS\sdkcf32.exe
C:\WINDOWS\ipkz.exe
C:\WINDOWS\crma32.exe
C:\WINDOWS\sysgw.exe
C:\WINDOWS\system32\crrb.exe
Step 10
Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.
Step 11
Run a full scan with Adaware.
Reboot your computer to go back to normal mode and post a new hijackthis log and the log from About Buster.
THANKS for the help:
Logfile of HijackThis v1.99.1
Scan saved at 8:50:24 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\sysae.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\HIT\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D568270B-05A0-5431-80D7-D046559307AC} - C:\WINDOWS\sysae.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sysae.exe] C:\WINDOWS\sysae.exe
O4 - HKLM\..\RunOnce: [javafk32.exe] C:\WINDOWS\system32\javafk32.exe
O4 - HKLM\..\RunOnce: [msxv32.exe] C:\WINDOWS\msxv32.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\Natural Voice Reader Standard\read.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\Natural Voice Reader Standard\read.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/scriptlets/launcher.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://westnile.eng.auburn.edu/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://auinsts.duc.auburn.edu/auinst/cabfiles/iftwv2.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://131.204.99.250/activex/AxisCamControl.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javafk32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
AboutBuster 5.0 reference file 30
Scan started on [7/11/2005] at [9:16:46 PM]
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:pogie
Removed Stream! C:\WINDOWS\dahotfix.log:zwcgyo
Removed Stream! C:\WINDOWS\Dir.log:rxulay
Removed Stream! C:\WINDOWS\KB820291.log:sodrtl
Removed Stream! C:\WINDOWS\KB825119.log:wqpeml
Removed Stream! C:\WINDOWS\KB828028.log:oqzjov
Removed Stream! C:\WINDOWS\KB886185.log:rpydh
Removed Stream! C:\WINDOWS\KB887797.log:cqqic
Removed Stream! C:\WINDOWS\Q311889.log:xgjaq
Removed Stream! C:\WINDOWS\Q314862.log:idebzz
Removed Stream! C:\WINDOWS\Q316134.log:adxgbc
Removed Stream! C:\WINDOWS\Q316253.log:zralq
Removed Stream! C:\WINDOWS\Q328310.log:bfpsp
Removed Stream! C:\WINDOWS\Q815021.log:hjobjo
Removed Stream! C:\WINDOWS\Q828026.log:zjgger
Removed Stream! C:\WINDOWS\RomeTW.ini:oxxstg
Removed Stream! C:\WINDOWS\Santa Fe Stucco.bmp:bjnneu
Removed Stream! C:\WINDOWS\Thumbs.db:encryptable
Removed Stream! C:\WINDOWS\videoimp.ini:khnixo
Removed Stream! C:\WINDOWS\wbocx.ini:chynay
Removed File! : C:\Windows\alxos.dll
Removed File! : C:\Windows\fyyac.dat
Removed File! : C:\Windows\oxxst.dat
Removed File! : C:\Windows\xulay.dll
Removed File! : C:\Windows\System32\ftbyh.dat
Removed File! : C:\Windows\System32\gcivy.dat
Removed File! : C:\Windows\System32\sfdta.dat
Scan was COMPLETED SUCCESSFULLY at 9:17:27 PM
AboutBuster 5.0 reference file 28
Scan started on [7/12/2005] at [8:09:13 PM]
Removed Stream! C:\WINDOWS\1.50.add:wcgihr
Removed Stream! C:\WINDOWS\KB841356.log:ixxuwk
Removed Stream! C:\WINDOWS\KB842773.log:bypzqv
Removed Stream! C:\WINDOWS\KB873333.log:tyafsf
Removed Stream! C:\WINDOWS\Q306676.log:xaswly
Removed Stream! C:\WINDOWS\Q308677.log:qbdjfa
Removed Stream! C:\WINDOWS\Q810577.log:uapik
Removed Stream! C:\WINDOWS\Q811630.log:mbanm
Removed Stream! C:\WINDOWS\Q817287.log:tmxjfx
Removed Stream! C:\WINDOWS\qnbpu.dat:dnpohh
Removed Stream! C:\WINDOWS\WIASERVC.LOG:llroka
Removed Stream! C:\WINDOWS\winampa.ini:dmctfk
Removed Stream! C:\WINDOWS\wininit.ini:nnughv
Removed File! : C:\Windows\bdtxq.dll
Removed File! : C:\Windows\lqhez.dll
Removed File! : C:\Windows\nqmcf.dll
Removed File! : C:\Windows\stcjs.dll
Removed File! : C:\Windows\tgrda.dll
Removed File! : C:\Windows\System32\dypjp.dll
Removed File! : C:\Windows\System32\tqcrc.dll
Removed File! : C:\Windows\System32\xausk.dll
Removed File! : C:\Windows\System32\ztbcr.dll
Scan was COMPLETED SUCCESSFULLY at 8:09:48 PM
Suggestions?
Fix these lines with hijackthis.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D568270B-05A0-5431-80D7-D046559307AC} - C:\WINDOWS\sysae.dll
O4 - HKLM\..\Run: [sysae.exe] C:\WINDOWS\sysae.exe
O4 - HKLM\..\RunOnce: [javafk32.exe] C:\WINDOWS\system32\javafk32.exe
O4 - HKLM\..\RunOnce: [msxv32.exe] C:\WINDOWS\msxv32.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javafk32.exe" /s (file missing)
==========
Delete these files.
C:\WINDOWS\sysae.dll
C:\WINDOWS\sysae.exe
C:\WINDOWS\system32\javafk32.exe
C:\WINDOWS\msxv32.exe
C:\WINDOWS\system32\javafk32.exe
==========
Run CWShredder and then About Buster
==========
Reboot and post a new hijackthis log and the log from AboutBuster.
Again thanks for all of the help. Still seems to be present. Take a look at the logs below:
Logfile of HijackThis v1.99.1
Scan saved at 12:59:52 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\atlpw32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\HIT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E5A20412-513A-066D-B58B-8BE6A802E394} - C:\WINDOWS\system32\windb32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [atlpw32.exe] C:\WINDOWS\atlpw32.exe
O4 - HKLM\..\RunOnce: [winhp32.exe] C:\WINDOWS\winhp32.exe
O4 - HKLM\..\RunOnce: [ietm.exe] C:\WINDOWS\ietm.exe
O4 - HKLM\..\RunOnce: [sdkmd32.exe] C:\WINDOWS\system32\sdkmd32.exe
O4 - HKLM\..\RunOnce: [ntxz32.exe] C:\WINDOWS\system32\ntxz32.exe
O4 - HKLM\..\RunOnce: [wingo32.exe] C:\WINDOWS\system32\wingo32.exe
O4 - HKLM\..\RunOnce: [appbs32.exe] C:\WINDOWS\appbs32.exe
O4 - HKLM\..\RunOnce: [crpv.exe] C:\WINDOWS\system32\crpv.exe
O4 - HKLM\..\RunOnce: [crcw.exe] C:\WINDOWS\system32\crcw.exe
O4 - HKLM\..\RunOnce: [winqc.exe] C:\WINDOWS\system32\winqc.exe
O4 - HKLM\..\RunOnce: [ipfp.exe] C:\WINDOWS\ipfp.exe
O4 - HKLM\..\RunOnce: [sysej.exe] C:\WINDOWS\system32\sysej.exe
O4 - HKLM\..\RunOnce: [d3wa.exe] C:\WINDOWS\system32\d3wa.exe
O4 - HKLM\..\RunOnce: [appaw.exe] C:\WINDOWS\system32\appaw.exe
O4 - HKLM\..\RunOnce: [crub.exe] C:\WINDOWS\crub.exe
O4 - HKLM\..\RunOnce: [mssi.exe] C:\WINDOWS\system32\mssi.exe
O4 - HKLM\..\RunOnce: [addpy.exe] C:\WINDOWS\system32\addpy.exe
O4 - HKLM\..\RunOnce: [javapy32.exe] C:\WINDOWS\javapy32.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\Natural Voice Reader Standard\read.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\Natural Voice Reader Standard\read.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/scriptlets/launcher.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://westnile.eng.auburn.edu/plugin/awarewebplayer/download/smart/cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-dev.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://auinsts.duc.auburn.edu/auinst/cabfiles/iftwv2.cab
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://131.204.99.250/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javafk32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
AND
AboutBuster 5.0 reference file 28
Scan started on [7/13/2005] at [12:50:05 PM]
Removed Stream! C:\WINDOWS\KB873333.log:xdubzx
Removed File! : C:\Windows\zwxfo.dll
Removed File! : C:\Windows\System32\xytfj.dat
Scan was COMPLETED SUCCESSFULLY at 12:50:34 PM
THanks for the help,
Cal
http://www.mozilla.org/products/firefox/
========
Reboot your computer into SAFE MODE
========
Fix these lines with Hijackthis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\orhjj.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E5A20412-513A-066D-B58B-8BE6A802E394} - C:\WINDOWS\system32\windb32.dll
O4 - HKLM\..\Run: [atlpw32.exe] C:\WINDOWS\atlpw32.exe
O4 - HKLM\..\RunOnce: [winhp32.exe] C:\WINDOWS\winhp32.exe
O4 - HKLM\..\RunOnce: [ietm.exe] C:\WINDOWS\ietm.exe
O4 - HKLM\..\RunOnce: [sdkmd32.exe] C:\WINDOWS\system32\sdkmd32.exe
O4 - HKLM\..\RunOnce: [ntxz32.exe] C:\WINDOWS\system32\ntxz32.exe
O4 - HKLM\..\RunOnce: [wingo32.exe] C:\WINDOWS\system32\wingo32.exe
O4 - HKLM\..\RunOnce: [appbs32.exe] C:\WINDOWS\appbs32.exe
O4 - HKLM\..\RunOnce: [crpv.exe] C:\WINDOWS\system32\crpv.exe
O4 - HKLM\..\RunOnce: [crcw.exe] C:\WINDOWS\system32\crcw.exe
O4 - HKLM\..\RunOnce: [winqc.exe] C:\WINDOWS\system32\winqc.exe
O4 - HKLM\..\RunOnce: [ipfp.exe] C:\WINDOWS\ipfp.exe
O4 - HKLM\..\RunOnce: [sysej.exe] C:\WINDOWS\system32\sysej.exe
O4 - HKLM\..\RunOnce: [d3wa.exe] C:\WINDOWS\system32\d3wa.exe
O4 - HKLM\..\RunOnce: [appaw.exe] C:\WINDOWS\system32\appaw.exe
O4 - HKLM\..\RunOnce: [crub.exe] C:\WINDOWS\crub.exe
O4 - HKLM\..\RunOnce: [mssi.exe] C:\WINDOWS\system32\mssi.exe
O4 - HKLM\..\RunOnce: [addpy.exe] C:\WINDOWS\system32\addpy.exe
O4 - HKLM\..\RunOnce: [javapy32.exe] C:\WINDOWS\javapy32.exe
========
Delete these files.
C:\WINDOWS\orhjj.dll
C:\WINDOWS\system32\windb32.dll
C:\WINDOWS\atlpw32.exe
C:\WINDOWS\winhp32.exe
C:\WINDOWS\ietm.exe
C:\WINDOWS\system32\sdkmd32.exe
C:\WINDOWS\system32\ntxz32.exe
C:\WINDOWS\system32\wingo32.exe
C:\WINDOWS\appbs32.exe
C:\WINDOWS\system32\crpv.exe
C:\WINDOWS\system32\crcw.exe
C:\WINDOWS\system32\winqc.exe
C:\WINDOWS\ipfp.exe
C:\WINDOWS\system32\sysej.exe
C:\WINDOWS\system32\d3wa.exe
C:\WINDOWS\system32\appaw.exe
C:\WINDOWS\crub.exe
C:\WINDOWS\system32\mssi.exe
C:\WINDOWS\system32\addpy.exe
C:\WINDOWS\javapy32.exe
========
Click Start -> Run -> (type) services.msc
Scroll down and find the service called Network Security Service When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.
Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
Copy and paste this into the text box and click OK.
11Fßä#·ºÄÖ`I
==========
Delete temp files
Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin.
=========
Run CWShredder.
Run AboutBuster.
=========
Reboot back to normal mode.
Run this online virus scan using Firefox. Do not use IE.
http://www.trendmicro-europe.com/housecall/
=========
Reboot once more and post a new hijackthis log.