Need some help getting rid of spyware or the like
I am getting pop-ups and my machine is slow.....slow..slow. I repeatedly get adware.iefeats, but when I get rid of it, within a few minutes it comes back. I scan with fixifts.exe, then nothing is found. I am also getting a bunch of horrible sites in my favorites. Can anyone help me? I am going crazy over this. Here is a log from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:31:50 PM, on 07/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\ALEXANDR\BIN\ALEXAG~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\BurnQuick\BQTray.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\system32\javaxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\DELLMO~1\MOH.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
F:\NavPress\ZIPscrpt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\system32\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.foxnews.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.foxnews.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.netnanny.com/p/search?pi=nnh5&qt=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {4353AFA9-79E1-ABCE-EDB1-3F4A7CB8394E} - C:\WINDOWS\system32\crgz32.dll
O2 - BHO: Class - {71787679-86CA-4589-F24E-0C0C21005DEE} - C:\WINDOWS\system32\d3ka32.dll
O2 - BHO: Class - {8C71E7E1-BD83-36A9-1144-F1D55AF23F0E} - C:\WINDOWS\javabs.dll
O2 - BHO: Class - {8EB6E905-7DC0-8234-9C91-571038BE3A23} - C:\WINDOWS\system32\addgf.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {DB4FD49B-763F-DD51-6CC9-112121228735} - C:\WINDOWS\mfcqf.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKLM\..\Run: [ntmq.exe] C:\WINDOWS\ntmq.exe
O4 - HKLM\..\Run: [javaxy.exe] C:\WINDOWS\system32\javaxy.exe
O4 - HKLM\..\Run: [sdkah.exe] C:\WINDOWS\system32\sdkah.exe
O4 - HKLM\..\Run: [apier32.exe] C:\WINDOWS\system32\apier32.exe
O4 - HKLM\..\Run: [sysny32.exe] C:\WINDOWS\system32\sysny32.exe
O4 - HKLM\..\Run: [ipbs32.exe] C:\WINDOWS\ipbs32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Norton PasswordManager] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {D1AFB197-5F24-49f4-9571-2F28A9798936}
O4 - HKLM\..\RunOnce: [apiqc32.exe] C:\WINDOWS\apiqc32.exe
O4 - HKLM\..\RunOnce: [ntoa.exe] C:\WINDOWS\ntoa.exe
O4 - HKLM\..\RunOnce: [apppm32.exe] C:\WINDOWS\system32\apppm32.exe
O4 - HKLM\..\RunOnce: [crrr.exe] C:\WINDOWS\system32\crrr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\MOH.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: ZIPscript.lnk = F:\NavPress\ZIPscrpt.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: PRDIE - {46AAA852-5BF1-48ED-9C11-F615F6521D6C} - C:\Program Files\Privacy Defender\prd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE_5_1_0_1.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25b0d60d40a0f9c1f223/netzip/RdxIE601.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F98E05A-8C67-454F-9EE6-B95C5CEAFBFD}: NameServer = 209.94.40.2 209.94.48.2
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apiqc32.exe" /s (file missing)
O23 - Service: Servicio de Agenda de Alejandria (AlexAgenda) - Unknown owner - C:\ALEXANDR\BIN\ALEXAG~1.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Comments
You will need to print these instructions for your reference, as most of this removal process must be done in safe mode, where you will not have access to the internet.
(Skip the steps if you have already performed them)
1. Download CWShredder. Save it to your desktop and extract the files to your desktop.
Exit CWShredder for now.
2. Download aboutbuster. Save it to your desktop and extract the files to your desktop.
Exit aboutbuster for now.
3. Download Ad-Aware SE 1.06. Save the setup file to your desktop. Run the setup file and place a shortcut on your desktop. Open Ad-Aware and click check for updates>click connect. Click download updates if updates are available.
4. Make all hidden files viewable.
5. Boot up into safe mode. To enter safe mode> reboot> tap the F8 button at the start up screen>select safe mode from the menu.
6. Close all open windows. Run HijackThis and place a checkmark next to the following entries. Click "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.foxnews.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.netnanny.com/p/search?pi=nnh5&qt=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {4353AFA9-79E1-ABCE-EDB1-3F4A7CB8394E} - C:\WINDOWS\system32\crgz32.dll
O2 - BHO: Class - {71787679-86CA-4589-F24E-0C0C21005DEE} - C:\WINDOWS\system32\d3ka32.dll
O2 - BHO: Class - {8C71E7E1-BD83-36A9-1144-F1D55AF23F0E} - C:\WINDOWS\javabs.dll
O2 - BHO: Class - {8EB6E905-7DC0-8234-9C91-571038BE3A23} - C:\WINDOWS\system32\addgf.dll
O2 - BHO: Class - {DB4FD49B-763F-DD51-6CC9-112121228735} - C:\WINDOWS\mfcqf.dll
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKLM\..\Run: [ntmq.exe] C:\WINDOWS\ntmq.exe
O4 - HKLM\..\Run: [javaxy.exe] C:\WINDOWS\system32\javaxy.exe
O4 - HKLM\..\Run: [sdkah.exe] C:\WINDOWS\system32\sdkah.exe
O4 - HKLM\..\Run: [apier32.exe] C:\WINDOWS\system32\apier32.exe
O4 - HKLM\..\Run: [sysny32.exe] C:\WINDOWS\system32\sysny32.exe
O4 - HKLM\..\Run: [ipbs32.exe] C:\WINDOWS\ipbs32.exe
O4 - HKLM\..\RunOnce: [apiqc32.exe] C:\WINDOWS\apiqc32.exe
O4 - HKLM\..\RunOnce: [ntoa.exe] C:\WINDOWS\ntoa.exe
O4 - HKLM\..\RunOnce: [apppm32.exe] C:\WINDOWS\system32\apppm32.exe
O4 - HKLM\..\RunOnce: [crrr.exe] C:\WINDOWS\system32\crrr.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25b0d60d40a0f9c1f223/netzip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apiqc32.exe" /s (file missing)
7. Run CWShredder which you downloaded in step 1. Click the "Fix" button.
8. Now delete these files or directories if they exist:
C:\WINDOWS\system32\ygpgl.dll
C:\WINDOWS\system32\crgz32.dll
C:\WINDOWS\system32\d3ka32.dll
C:\WINDOWS\javabs.dll
C:\WINDOWS\system32\addgf.dll
C:\WINDOWS\mfcqf.dll
C:\WINDOWS\winfd.exe
C:\WINDOWS\ntmq.exe
C:\WINDOWS\system32\javaxy.exe
C:\WINDOWS\system32\sdkah.exe
C:\WINDOWS\system32\apier32.exe
C:\WINDOWS\system32\sysny32.exe
C:\WINDOWS\ipbs32.exe
C:\WINDOWS\apiqc32.exe
C:\WINDOWS\ntoa.exe
C:\WINDOWS\system32\apppm32.exe
C:\WINDOWS\system32\crrr.exe
C:\WINDOWS\system32\javaxy.exe
9. Run aboutbuster which you downloaded in step 2. Click ok>start>ok. Copy and paste the results of the aboutbuster scan to notepad. Save this as a .txt file.
10. Run a "full system scan" with Ad-Aware SE. Remove all files found.
11. Reboot and post a new HijackThis log with the results of the aboutbuster scan.
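A triage sketch for the log format used in this thread, added here as an example (it is not part of any poster's reply and not HijackThis's own logic): it parses item lines, flags the entry shapes visible in the scans, and diffs two scans to list flagged entries that appear only in the later one. The heuristics, the `KNOWN_GOOD` allowlist and all function names are assumptions; the sample lines are excerpts from the two logs on this page.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail reasons")

# A HijackThis item line: section code, " - ", then the rest of the line.
ITEM = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no subfolder).
SYSDIR_FILE = re.compile(r'C:\\WINDOWS\\(?:system32\\)?([^\\\s"]+\.(?:exe|dll))', re.I)
# O4 registry autorun: HKLM\..\Run: [value name] command line
AUTORUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]+)\] (.*)$")
# Assumption: tiny allowlist. ctfmon.exe is a Windows component that also
# registers a Run value under its own file name, so it needs an exception.
KNOWN_GOOD = {"ctfmon.exe"}


def classify(section, detail):
    """Return the list of heuristic reasons this entry deserves a closer look."""
    reasons = []
    if section in ("R0", "R1") and "= res://" in detail:
        reasons.append("search/start page served from a local DLL resource")
    if section == "O2" and detail.startswith("BHO: Class - ") and SYSDIR_FILE.search(detail):
        reasons.append("unnamed BHO loaded from the Windows directory")
    if section == "O4":
        run = AUTORUN.match(detail)
        target = SYSDIR_FILE.search(run.group(2)) if run else None
        if target:
            fname = target.group(1).lower()
            if fname == run.group(1).lower() and fname not in KNOWN_GOOD:
                reasons.append("autorun value named after its own file in the Windows directory")
    if detail.endswith("(file missing)"):
        reasons.append("registration points at a missing file")
    return reasons


def parse(log_text):
    """Parse item lines; header and running-process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ITEM.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), classify(*m.groups())))
    return entries


def flagged(entries):
    return [e for e in entries if e.reasons]


def new_since(before, after):
    """Flagged entries in `after` whose exact line was absent from `before`."""
    seen = {(e.section, e.detail) for e in before}
    return [e for e in flagged(after) if (e.section, e.detail) not in seen]


# Excerpt of the 07/19/2005 scan posted in this thread.
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ygpgl.dll/sp.html#55135
O2 - BHO: Class - {4353AFA9-79E1-ABCE-EDB1-3F4A7CB8394E} - C:\WINDOWS\system32\crgz32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Excerpt of the 07/20/2005 scan posted in this thread.
SCAN_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ysbfn.dll/sp.html#37049
O2 - BHO: Class - {20043697-EF16-80E8-D345-5DC1961EAEAD} - C:\WINDOWS\ipbp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKLM\..\RunOnce: [atlrv.exe] C:\WINDOWS\atlrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    first, second = parse(SCAN_1), parse(SCAN_2)
    print("Flagged in first scan:")
    for e in flagged(first):
        print(f"  {e.section} {e.detail}\n      -> {'; '.join(e.reasons)}")
    print("Flagged entries that appear only in the second scan:")
    for e in new_since(first, second):
        print(f"  {e.section} {e.detail}")
```

A flag here is a prompt to inspect the file and its registration, not a verdict; the differing DLL and EXE names between the two scans are why the comparison is by entry shape rather than by file name.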
I am also getting adware.iefeats and messages that my system is bad, and I get a Windows security file that says that you have spy activity going on, would you like to learn how to get rid of it. Then I also get a file that wants to download: chmhelp.chm. I reject it because I have no idea what it is.
Logfile of HijackThis v1.99.1
Scan saved at 12:47:02 PM, on 07/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\ALEXANDR\BIN\ALEXAG~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\BurnQuick\BQTray.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\winfd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\DELLMO~1\MOH.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
F:\NavPress\ZIPscrpt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\system32\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\TIMOTH~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ysbfn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ysbfn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ysbfn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ysbfn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ysbfn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ysbfn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ysbfn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.netnanny.com/p/search?pi=nnh5&qt=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {20043697-EF16-80E8-D345-5DC1961EAEAD} - C:\WINDOWS\ipbp.dll
O2 - BHO: Class - {6EE686C9-3962-1C5E-2CB9-F389B660FD1C} - C:\WINDOWS\ippy32.dll
O2 - BHO: Class - {A47B913E-2FC8-8C92-CFF4-E3D1BB4B3486} - C:\WINDOWS\system32\appgr.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKLM\..\Run: [ntmq.exe] C:\WINDOWS\ntmq.exe
O4 - HKLM\..\Run: [javaxy.exe] C:\WINDOWS\system32\javaxy.exe
O4 - HKLM\..\Run: [sdkah.exe] C:\WINDOWS\system32\sdkah.exe
O4 - HKLM\..\Run: [apier32.exe] C:\WINDOWS\system32\apier32.exe
O4 - HKLM\..\Run: [sysny32.exe] C:\WINDOWS\system32\sysny32.exe
O4 - HKLM\..\Run: [ipbs32.exe] C:\WINDOWS\ipbs32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Norton PasswordManager] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {D1AFB197-5F24-49f4-9571-2F28A9798936}
O4 - HKLM\..\RunOnce: [apiqc32.exe] C:\WINDOWS\apiqc32.exe
O4 - HKLM\..\RunOnce: [ntoa.exe] C:\WINDOWS\ntoa.exe
O4 - HKLM\..\RunOnce: [atlrv.exe] C:\WINDOWS\atlrv.exe
O4 - HKLM\..\RunOnce: [ipfh.exe] C:\WINDOWS\ipfh.exe
O4 - HKLM\..\RunOnce: [sdkdb.exe] C:\WINDOWS\sdkdb.exe
O4 - HKLM\..\RunOnce: [appsj32.exe] C:\WINDOWS\appsj32.exe
O4 - HKLM\..\RunOnce: [iext32.exe] C:\WINDOWS\iext32.exe
O4 - HKLM\..\RunOnce: [sdkgq32.exe] C:\WINDOWS\system32\sdkgq32.exe
O4 - HKLM\..\RunOnce: [mscw32.exe] C:\WINDOWS\system32\mscw32.exe
O4 - HKLM\..\RunOnce: [apiku32.exe] C:\WINDOWS\apiku32.exe
O4 - HKLM\..\RunOnce: [sdkbc.exe] C:\WINDOWS\sdkbc.exe
O4 - HKLM\..\RunOnce: [msfg32.exe] C:\WINDOWS\system32\msfg32.exe
O4 - HKLM\..\RunOnce: [javaoo.exe] C:\WINDOWS\javaoo.exe
O4 - HKLM\..\RunOnce: [crud32.exe] C:\WINDOWS\system32\crud32.exe
O4 - HKLM\..\RunOnce: [d3cr32.exe] C:\WINDOWS\d3cr32.exe
O4 - HKLM\..\RunOnce: [syshv.exe] C:\WINDOWS\syshv.exe
O4 - HKLM\..\RunOnce: [msiv32.exe] C:\WINDOWS\system32\msiv32.exe
O4 - HKLM\..\RunOnce: [msws32.exe] C:\WINDOWS\msws32.exe
O4 - HKLM\..\RunOnce: [winks.exe] C:\WINDOWS\system32\winks.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\MOH.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: ZIPscript.lnk = F:\NavPress\ZIPscrpt.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: PRDIE - {46AAA852-5BF1-48ED-9C11-F615F6521D6C} - C:\Program Files\Privacy Defender\prd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE_5_1_0_1.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25b0d60d40a0f9c1f223/netzip/RdxIE601.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F98E05A-8C67-454F-9EE6-B95C5CEAFBFD}: NameServer = 209.94.40.2 209.94.48.2
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apiqc32.exe" /s (file missing)
O23 - Service: Servicio de Agenda de Alejandria (AlexAgenda) - Unknown owner - C:\ALEXANDR\BIN\ALEXAG~1.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Logfile of HijackThis v1.99.1
Scan saved at 2:45:02 PM, on 07/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\ALEXANDR\BIN\ALEXAG~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\BurnQuick\BQTray.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\winfd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\DELLMO~1\MOH.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
F:\NavPress\ZIPscrpt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\e-Sword\e-Sword.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\TIMOTH~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.netnanny.com/p/search?pi=nnh5&qt=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E6A8DF75-9B34-005D-4060-2AB82D18D1F5} - C:\WINDOWS\ntna32.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKLM\..\Run: [ntmq.exe] C:\WINDOWS\ntmq.exe
O4 - HKLM\..\Run: [javaxy.exe] C:\WINDOWS\system32\javaxy.exe
O4 - HKLM\..\Run: [sdkah.exe] C:\WINDOWS\system32\sdkah.exe
O4 - HKLM\..\Run: [apier32.exe] C:\WINDOWS\system32\apier32.exe
O4 - HKLM\..\Run: [sysny32.exe] C:\WINDOWS\system32\sysny32.exe
O4 - HKLM\..\Run: [ipbs32.exe] C:\WINDOWS\ipbs32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Norton PasswordManager] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {D1AFB197-5F24-49f4-9571-2F28A9798936}
O4 - HKLM\..\RunOnce: [apiqc32.exe] C:\WINDOWS\apiqc32.exe
O4 - HKLM\..\RunOnce: [ntoa.exe] C:\WINDOWS\ntoa.exe
O4 - HKLM\..\RunOnce: [atlrv.exe] C:\WINDOWS\atlrv.exe
O4 - HKLM\..\RunOnce: [ipfh.exe] C:\WINDOWS\ipfh.exe
O4 - HKLM\..\RunOnce: [sdkdb.exe] C:\WINDOWS\sdkdb.exe
O4 - HKLM\..\RunOnce: [appsj32.exe] C:\WINDOWS\appsj32.exe
O4 - HKLM\..\RunOnce: [iext32.exe] C:\WINDOWS\iext32.exe
O4 - HKLM\..\RunOnce: [sdkgq32.exe] C:\WINDOWS\system32\sdkgq32.exe
O4 - HKLM\..\RunOnce: [mscw32.exe] C:\WINDOWS\system32\mscw32.exe
O4 - HKLM\..\RunOnce: [apiku32.exe] C:\WINDOWS\apiku32.exe
O4 - HKLM\..\RunOnce: [sdkbc.exe] C:\WINDOWS\sdkbc.exe
O4 - HKLM\..\RunOnce: [msfg32.exe] C:\WINDOWS\system32\msfg32.exe
O4 - HKLM\..\RunOnce: [javaoo.exe] C:\WINDOWS\javaoo.exe
O4 - HKLM\..\RunOnce: [crud32.exe] C:\WINDOWS\system32\crud32.exe
O4 - HKLM\..\RunOnce: [d3cr32.exe] C:\WINDOWS\d3cr32.exe
O4 - HKLM\..\RunOnce: [syshv.exe] C:\WINDOWS\syshv.exe
O4 - HKLM\..\RunOnce: [msiv32.exe] C:\WINDOWS\system32\msiv32.exe
O4 - HKLM\..\RunOnce: [msws32.exe] C:\WINDOWS\msws32.exe
O4 - HKLM\..\RunOnce: [winks.exe] C:\WINDOWS\system32\winks.exe
O4 - HKLM\..\RunOnce: [netzk.exe] C:\WINDOWS\netzk.exe
O4 - HKLM\..\RunOnce: [ntna32.exe] C:\WINDOWS\ntna32.exe
O4 - HKLM\..\RunOnce: [addbc32.exe] C:\WINDOWS\system32\addbc32.exe
O4 - HKLM\..\RunOnce: [addqr.exe] C:\WINDOWS\addqr.exe
O4 - HKLM\..\RunOnce: [apion32.exe] C:\WINDOWS\apion32.exe
O4 - HKLM\..\RunOnce: [javayn32.exe] C:\WINDOWS\system32\javayn32.exe
O4 - HKLM\..\RunOnce: [atlyn.exe] C:\WINDOWS\atlyn.exe
O4 - HKLM\..\RunOnce: [syscz.exe] C:\WINDOWS\system32\syscz.exe
O4 - HKLM\..\RunOnce: [apiro32.exe] C:\WINDOWS\apiro32.exe
O4 - HKLM\..\RunOnce: [javabn32.exe] C:\WINDOWS\system32\javabn32.exe
O4 - HKLM\..\RunOnce: [winey32.exe] C:\WINDOWS\system32\winey32.exe
O4 - HKLM\..\RunOnce: [atljd.exe] C:\WINDOWS\atljd.exe
O4 - HKLM\..\RunOnce: [appkd32.exe] C:\WINDOWS\system32\appkd32.exe
O4 - HKLM\..\RunOnce: [appmx.exe] C:\WINDOWS\appmx.exe
O4 - HKLM\..\RunOnce: [msaf32.exe] C:\WINDOWS\msaf32.exe
O4 - HKLM\..\RunOnce: [iply.exe] C:\WINDOWS\iply.exe
O4 - HKLM\..\RunOnce: [d3pa.exe] C:\WINDOWS\d3pa.exe
O4 - HKLM\..\RunOnce: [netjr32.exe] C:\WINDOWS\netjr32.exe
O4 - HKLM\..\RunOnce: [sysck32.exe] C:\WINDOWS\sysck32.exe
O4 - HKLM\..\RunOnce: [winca32.exe] C:\WINDOWS\system32\winca32.exe
O4 - HKLM\..\RunOnce: [apims32.exe] C:\WINDOWS\apims32.exe
O4 - HKLM\..\RunOnce: [sysgr.exe] C:\WINDOWS\sysgr.exe
O4 - HKLM\..\RunOnce: [wintg.exe] C:\WINDOWS\wintg.exe
O4 - HKLM\..\RunOnce: [addtw.exe] C:\WINDOWS\addtw.exe
O4 - HKLM\..\RunOnce: [iejd.exe] C:\WINDOWS\iejd.exe
O4 - HKLM\..\RunOnce: [sdktw32.exe] C:\WINDOWS\system32\sdktw32.exe
O4 - HKLM\..\RunOnce: [d3gy.exe] C:\WINDOWS\d3gy.exe
O4 - HKLM\..\RunOnce: [sdkck32.exe] C:\WINDOWS\system32\sdkck32.exe
O4 - HKLM\..\RunOnce: [syszp32.exe] C:\WINDOWS\syszp32.exe
O4 - HKLM\..\RunOnce: [cryx32.exe] C:\WINDOWS\system32\cryx32.exe
O4 - HKLM\..\RunOnce: [d3yn.exe] C:\WINDOWS\system32\d3yn.exe
O4 - HKLM\..\RunOnce: [appbw.exe] C:\WINDOWS\appbw.exe
O4 - HKLM\..\RunOnce: [msam32.exe] C:\WINDOWS\msam32.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\MOH.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: ZIPscript.lnk = F:\NavPress\ZIPscrpt.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: PRDIE - {46AAA852-5BF1-48ED-9C11-F615F6521D6C} - C:\Program Files\Privacy Defender\prd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE_5_1_0_1.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25b0d60d40a0f9c1f223/netzip/RdxIE601.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F98E05A-8C67-454F-9EE6-B95C5CEAFBFD}: NameServer = 209.94.40.2 209.94.48.2
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apiqc32.exe" /s (file missing)
O23 - Service: Servicio de Agenda de Alejandria (AlexAgenda) - Unknown owner - C:\ALEXANDR\BIN\ALEXAG~1.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Delete these files when you reach step 6:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\clnkr.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E6A8DF75-9B34-005D-4060-2AB82D18D1F5} - C:\WINDOWS\ntna32.dll
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKLM\..\Run: [ntmq.exe] C:\WINDOWS\ntmq.exe
O4 - HKLM\..\Run: [javaxy.exe] C:\WINDOWS\system32\javaxy.exe
O4 - HKLM\..\Run: [sdkah.exe] C:\WINDOWS\system32\sdkah.exe
O4 - HKLM\..\Run: [apier32.exe] C:\WINDOWS\system32\apier32.exe
O4 - HKLM\..\Run: [sysny32.exe] C:\WINDOWS\system32\sysny32.exe
O4 - HKLM\..\Run: [ipbs32.exe] C:\WINDOWS\ipbs32.exe
O4 - HKLM\..\RunOnce: [apiqc32.exe] C:\WINDOWS\apiqc32.exe
O4 - HKLM\..\RunOnce: [ntoa.exe] C:\WINDOWS\ntoa.exe
O4 - HKLM\..\RunOnce: [atlrv.exe] C:\WINDOWS\atlrv.exe
O4 - HKLM\..\RunOnce: [ipfh.exe] C:\WINDOWS\ipfh.exe
O4 - HKLM\..\RunOnce: [sdkdb.exe] C:\WINDOWS\sdkdb.exe
O4 - HKLM\..\RunOnce: [appsj32.exe] C:\WINDOWS\appsj32.exe
O4 - HKLM\..\RunOnce: [iext32.exe] C:\WINDOWS\iext32.exe
O4 - HKLM\..\RunOnce: [sdkgq32.exe] C:\WINDOWS\system32\sdkgq32.exe
O4 - HKLM\..\RunOnce: [mscw32.exe] C:\WINDOWS\system32\mscw32.exe
O4 - HKLM\..\RunOnce: [apiku32.exe] C:\WINDOWS\apiku32.exe
O4 - HKLM\..\RunOnce: [sdkbc.exe] C:\WINDOWS\sdkbc.exe
O4 - HKLM\..\RunOnce: [msfg32.exe] C:\WINDOWS\system32\msfg32.exe
O4 - HKLM\..\RunOnce: [javaoo.exe] C:\WINDOWS\javaoo.exe
O4 - HKLM\..\RunOnce: [crud32.exe] C:\WINDOWS\system32\crud32.exe
O4 - HKLM\..\RunOnce: [d3cr32.exe] C:\WINDOWS\d3cr32.exe
O4 - HKLM\..\RunOnce: [syshv.exe] C:\WINDOWS\syshv.exe
O4 - HKLM\..\RunOnce: [msiv32.exe] C:\WINDOWS\system32\msiv32.exe
O4 - HKLM\..\RunOnce: [msws32.exe] C:\WINDOWS\msws32.exe
O4 - HKLM\..\RunOnce: [winks.exe] C:\WINDOWS\system32\winks.exe
O4 - HKLM\..\RunOnce: [netzk.exe] C:\WINDOWS\netzk.exe
O4 - HKLM\..\RunOnce: [ntna32.exe] C:\WINDOWS\ntna32.exe
O4 - HKLM\..\RunOnce: [addbc32.exe] C:\WINDOWS\system32\addbc32.exe
O4 - HKLM\..\RunOnce: [addqr.exe] C:\WINDOWS\addqr.exe
O4 - HKLM\..\RunOnce: [apion32.exe] C:\WINDOWS\apion32.exe
O4 - HKLM\..\RunOnce: [javayn32.exe] C:\WINDOWS\system32\javayn32.exe
O4 - HKLM\..\RunOnce: [atlyn.exe] C:\WINDOWS\atlyn.exe
O4 - HKLM\..\RunOnce: [syscz.exe] C:\WINDOWS\system32\syscz.exe
O4 - HKLM\..\RunOnce: [apiro32.exe] C:\WINDOWS\apiro32.exe
O4 - HKLM\..\RunOnce: [javabn32.exe] C:\WINDOWS\system32\javabn32.exe
O4 - HKLM\..\RunOnce: [winey32.exe] C:\WINDOWS\system32\winey32.exe
O4 - HKLM\..\RunOnce: [atljd.exe] C:\WINDOWS\atljd.exe
O4 - HKLM\..\RunOnce: [appkd32.exe] C:\WINDOWS\system32\appkd32.exe
O4 - HKLM\..\RunOnce: [appmx.exe] C:\WINDOWS\appmx.exe
O4 - HKLM\..\RunOnce: [msaf32.exe] C:\WINDOWS\msaf32.exe
O4 - HKLM\..\RunOnce: [iply.exe] C:\WINDOWS\iply.exe
O4 - HKLM\..\RunOnce: [d3pa.exe] C:\WINDOWS\d3pa.exe
O4 - HKLM\..\RunOnce: [netjr32.exe] C:\WINDOWS\netjr32.exe
O4 - HKLM\..\RunOnce: [sysck32.exe] C:\WINDOWS\sysck32.exe
O4 - HKLM\..\RunOnce: [winca32.exe] C:\WINDOWS\system32\winca32.exe
O4 - HKLM\..\RunOnce: [apims32.exe] C:\WINDOWS\apims32.exe
O4 - HKLM\..\RunOnce: [sysgr.exe] C:\WINDOWS\sysgr.exe
O4 - HKLM\..\RunOnce: [wintg.exe] C:\WINDOWS\wintg.exe
O4 - HKLM\..\RunOnce: [addtw.exe] C:\WINDOWS\addtw.exe
O4 - HKLM\..\RunOnce: [iejd.exe] C:\WINDOWS\iejd.exe
O4 - HKLM\..\RunOnce: [sdktw32.exe] C:\WINDOWS\system32\sdktw32.exe
O4 - HKLM\..\RunOnce: [d3gy.exe] C:\WINDOWS\d3gy.exe
O4 - HKLM\..\RunOnce: [sdkck32.exe] C:\WINDOWS\system32\sdkck32.exe
O4 - HKLM\..\RunOnce: [syszp32.exe] C:\WINDOWS\syszp32.exe
O4 - HKLM\..\RunOnce: [cryx32.exe] C:\WINDOWS\system32\cryx32.exe
O4 - HKLM\..\RunOnce: [d3yn.exe] C:\WINDOWS\system32\d3yn.exe
O4 - HKLM\..\RunOnce: [appbw.exe] C:\WINDOWS\appbw.exe
O4 - HKLM\..\RunOnce: [msam32.exe] C:\WINDOWS\msam32.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apiqc32.exe" /s (file missing)
Then delete these files at step 8:
C:\WINDOWS\clnkr.dll
C:\WINDOWS\ntna32.dll
C:\WINDOWS\winfd.exe
C:\WINDOWS\ntmq.exe
C:\WINDOWS\system32\javaxy.exe
C:\WINDOWS\system32\sdkah.exe
C:\WINDOWS\system32\apier32.exe
C:\WINDOWS\system32\sysny32.exe
C:\WINDOWS\ipbs32.exe
C:\WINDOWS\apiqc32.exe
C:\WINDOWS\ntoa.exe
C:\WINDOWS\atlrv.exe
C:\WINDOWS\ipfh.exe
C:\WINDOWS\sdkdb.exe
C:\WINDOWS\appsj32.exe
C:\WINDOWS\iext32.exe
C:\WINDOWS\system32\sdkgq32.exe
C:\WINDOWS\system32\mscw32.exe
C:\WINDOWS\apiku32.exe
C:\WINDOWS\sdkbc.exe
C:\WINDOWS\system32\msfg32.exe
C:\WINDOWS\javaoo.exe
C:\WINDOWS\system32\crud32.exe
C:\WINDOWS\d3cr32.exe
C:\WINDOWS\syshv.exe
C:\WINDOWS\system32\msiv32.exe
C:\WINDOWS\msws32.exe
C:\WINDOWS\system32\winks.exe
C:\WINDOWS\netzk.exe
C:\WINDOWS\ntna32.exe
C:\WINDOWS\system32\addbc32.exe
C:\WINDOWS\addqr.exe
C:\WINDOWS\apion32.exe
C:\WINDOWS\system32\javayn32.exe
C:\WINDOWS\atlyn.exe
C:\WINDOWS\system32\syscz.exe
C:\WINDOWS\apiro32.exe
C:\WINDOWS\system32\javabn32.exe
C:\WINDOWS\system32\winey32.exe
C:\WINDOWS\atljd.exe
C:\WINDOWS\system32\appkd32.exe
C:\WINDOWS\appmx.exe
C:\WINDOWS\msaf32.exe
C:\WINDOWS\iply.exe
C:\WINDOWS\d3pa.exe
C:\WINDOWS\netjr32.exe
C:\WINDOWS\sysck32.exe
C:\WINDOWS\system32\winca32.exe
C:\WINDOWS\apims32.exe
C:\WINDOWS\sysgr.exe
C:\WINDOWS\wintg.exe
C:\WINDOWS\addtw.exe
C:\WINDOWS\iejd.exe
C:\WINDOWS\system32\sdktw32.exe
C:\WINDOWS\d3gy.exe
C:\WINDOWS\system32\sdkck32.exe
C:\WINDOWS\syszp32.exe
C:\WINDOWS\system32\cryx32.exe
C:\WINDOWS\system32\d3yn.exe
C:\WINDOWS\appbw.exe
C:\WINDOWS\msam32.exe
C:\WINDOWS\apiqc32.exe
Then follow the remainder of those steps.
Logfile of HijackThis v1.99.1
Scan saved at 9:19:11 AM, on 07/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\ALEXANDR\BIN\ALEXAG~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\BurnQuick\BQTray.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\ntmq.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\DELLMO~1\MOH.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
F:\NavPress\ZIPscrpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kkqzf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kkqzf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kkqzf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kkqzf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.netnanny.com/p/search?pi=nnh5&qt=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1CA0AD4B-4567-AA75-CB81-8F68F4CB4B17} - C:\WINDOWS\system32\nttc.dll
O2 - BHO: Class - {8D56CC2F-1758-99B5-D05C-F52E0CDE124D} - C:\WINDOWS\system32\d3wu.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {CC45A0FE-CF49-E741-F7AE-B1F4A6487586} - C:\WINDOWS\addoa.dll
O2 - BHO: Class - {E6A8DF75-9B34-005D-4060-2AB82D18D1F5} - C:\WINDOWS\ntna32.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKLM\..\Run: [ntmq.exe] C:\WINDOWS\ntmq.exe
O4 - HKLM\..\Run: [javaxy.exe] C:\WINDOWS\system32\javaxy.exe
O4 - HKLM\..\Run: [sdkah.exe] C:\WINDOWS\system32\sdkah.exe
O4 - HKLM\..\Run: [apier32.exe] C:\WINDOWS\system32\apier32.exe
O4 - HKLM\..\Run: [sysny32.exe] C:\WINDOWS\system32\sysny32.exe
O4 - HKLM\..\Run: [ipbs32.exe] C:\WINDOWS\ipbs32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Norton PasswordManager] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {D1AFB197-5F24-49f4-9571-2F28A9798936}
O4 - HKLM\..\RunOnce: [crig32.exe] C:\WINDOWS\crig32.exe
O4 - HKLM\..\RunOnce: [ntuq.exe] C:\WINDOWS\ntuq.exe
O4 - HKLM\..\RunOnce: [sdkdb.exe] C:\WINDOWS\sdkdb.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\MOH.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: ZIPscript.lnk = F:\NavPress\ZIPscrpt.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: PRDIE - {46AAA852-5BF1-48ED-9C11-F615F6521D6C} - C:\Program Files\Privacy Defender\prd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE_5_1_0_1.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25b0d60d40a0f9c1f223/netzip/RdxIE601.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crig32.exe" /s (file missing)
O23 - Service: Servicio de Agenda de Alejandria (AlexAgenda) - Unknown owner - C:\ALEXANDR\BIN\ALEXAG~1.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
You will need to print these instructions for your reference, as most of this removal process must be done in safe mode, where you will not have access to the internet.
(Skip the steps if you have already performed them)
1. Download CWShredder. Save it to your desktop and extract the files to your desktop.
Exit CWShredder for now.
2. Download aboutbuster. Save it to your desktop and extract the files to your desktop.
Exit aboutbuster for now.
3. Download Ad-Aware SE 1.06. Save the setup file to your desktop. Run the setup file and place a shortcut on your desktop. Open Ad-Aware and click check for updates > click connect. Click download updates if updates are available.
4. Make all hidden files viewable.
5. Boot up into safe mode. To enter safe mode > reboot > tap the F8 button at the start up screen > select safe mode from the menu.
6. Run HijackThis and place a checkmark next to the following entries. Click “Fix Checked”:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kkqzf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kkqzf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kkqzf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kkqzf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.netnanny.com/p/search?pi=nnh5&qt=%s
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1CA0AD4B-4567-AA75-CB81-8F68F4CB4B17} - C:\WINDOWS\system32\nttc.dll
O2 - BHO: Class - {8D56CC2F-1758-99B5-D05C-F52E0CDE124D} - C:\WINDOWS\system32\d3wu.dll
O2 - BHO: Class - {CC45A0FE-CF49-E741-F7AE-B1F4A6487586} - C:\WINDOWS\addoa.dll
O2 - BHO: Class - {E6A8DF75-9B34-005D-4060-2AB82D18D1F5} - C:\WINDOWS\ntna32.dll
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKLM\..\Run: [ntmq.exe] C:\WINDOWS\ntmq.exe
O4 - HKLM\..\Run: [javaxy.exe] C:\WINDOWS\system32\javaxy.exe
O4 - HKLM\..\Run: [sdkah.exe] C:\WINDOWS\system32\sdkah.exe
O4 - HKLM\..\Run: [apier32.exe] C:\WINDOWS\system32\apier32.exe
O4 - HKLM\..\Run: [sysny32.exe] C:\WINDOWS\system32\sysny32.exe
O4 - HKLM\..\Run: [ipbs32.exe] C:\WINDOWS\ipbs32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25b0d60d40a0f9c1f223/netzip/RdxIE601.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crig32.exe" /s (file missing)
7. Run CWShredder which you downloaded in step 1. Click the “Fix” button.
8. Now delete these files or directories if they exist:
C:\WINDOWS\kkqzf.dll
C:\WINDOWS\system32\nttc.dll
C:\WINDOWS\system32\d3wu.dll
C:\WINDOWS\addoa.dll
C:\WINDOWS\ntna32.dll
C:\WINDOWS\winfd.exe
C:\WINDOWS\ntmq.exe
C:\WINDOWS\system32\javaxy.exe
C:\WINDOWS\system32\sdkah.exe
C:\WINDOWS\system32\apier32.exe
C:\WINDOWS\system32\sysny32.exe
C:\WINDOWS\ipbs32.exe
RdxIE601.cab (search for this file)
C:\WINDOWS\crig32.exe
9. Run aboutbuster which you downloaded in step 2. Click ok>start>ok. Copy and paste the results of the aboutbuster scan to notepad. Save this as a .txt file.
10. Run a “full system scan” with Ad-Aware SE. Remove all files found.
11. Reboot and post a new HijackThis log with the results of the aboutbuster scan.
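Steps 6 and 8 of the reply above go together: each file referenced by an entry fixed in step 6 should also appear in the step 8 delete list. The following is an added example, not part of the original reply, that derives that file list from HijackThis entry lines and reports anything a delete list leaves out; the function names are hypothetical and the sample lines are copied from the step 6 list.

```python
import re

# Sample input: a few entries copied from the step 6 "Fix Checked" list above.
FIX_CHECKED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kkqzf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Class - {1CA0AD4B-4567-AA75-CB81-8F68F4CB4B17} - C:\WINDOWS\system32\nttc.dll
O4 - HKLM\..\Run: [winfd.exe] C:\WINDOWS\winfd.exe
O4 - HKLM\..\Run: [javaxy.exe] C:\WINDOWS\system32\javaxy.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25b0d60d40a0f9c1f223/netzip/RdxIE601.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crig32.exe" /s (file missing)
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Local .exe/.dll path; stops before '/', so res://C:\...\x.dll/sp.html works,
# and before '"', so a stray trailing quote (the O23 line) is not included.
LOCAL_FILE = re.compile(r'[A-Za-z]:\\[^"*?<>|/]+?\.(?:exe|dll)', re.I)

def parse(log):
    """Yield (section, body) for every HijackThis entry line in the log text."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def files_to_verify(log):
    """Files referenced by the entries, in log order, de-duplicated."""
    seen, out = set(), []
    for section, body in parse(log):
        if section == "O16":  # DPF entries carry a download URL, not a local path
            name = body.rsplit("/", 1)[-1]
            hits = [name] if name.lower().endswith(".cab") else []
        else:
            hits = LOCAL_FILE.findall(body)
        for hit in hits:
            if hit.lower() not in seen:  # Windows paths are case-insensitive
                seen.add(hit.lower())
                out.append(hit)
    return out

def missing_from(delete_list, log):
    """Files referenced by fixed entries that the delete list does not cover."""
    wanted = {p.lower() for p in delete_list}
    return [f for f in files_to_verify(log) if f.lower() not in wanted]

if __name__ == "__main__":
    for path in files_to_verify(FIX_CHECKED):
        print(path)
```

Running the same extraction over the log posted after the reboot in step 11 shows at a glance whether any of these paths are still referenced.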