dezilou - stuck in middle of HSA removal guide
I have been trying to follow the guide so as not to take up valuable time here, but I am stuck. If someone can offer some advice, I would be most grateful.
I got to step 4, did see one of the services listed (Remote Procedure Call (RPC) Helper), however, it was not active and when I right clicked on it I got a message that the file could not be found.
So, I went in to safe mode, still could not find a service to disable.
Finally, I went back to normal mode, downloaded the "Get Active Services.vbs" file, but when I tried to run that, I got another error message:
line: 12
char: 1
error: 0x8004100A
code: 8004100A
source: (null)
So where do I go from here?
Below is the last hijackthis log file that I saved as part of step 1. FYI, prior to that, I did run hsremove (which said it was successful, but was not), AdAware, SpyBot S&D, and did a full scan with Norton Anti-Virus. Several files were identified and removed by each program.
Again, any advice you can offer will be greatly appreciated! Dezilou
Logfile of HijackThis v1.99.1
Scan saved at 10:36:13 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\system32\sysqi.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\addzu.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dez\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {029073B0-66F6-D9B0-C24F-8F8330D53834} - C:\WINDOWS\netzd32.dll (file missing)
O2 - BHO: Class - {05A88A23-B9D1-7899-EB64-F4AEB6601F25} - C:\WINDOWS\system32\netni32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1F49B46E-A0DA-CDF6-D913-1FAB1FF1A5FC} - C:\WINDOWS\system32\appnx32.dll (file missing)
O2 - BHO: Class - {2ADD1D56-2534-91AF-C52E-680B595C6999} - C:\WINDOWS\system32\iese32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {53735061-B7DB-D058-D5A0-801D03679F8E} - C:\WINDOWS\system32\addzo.dll (file missing)
O2 - BHO: Class - {57FD4D84-8261-8F19-F386-D7902792B1C6} - C:\WINDOWS\system32\apioj.dll (file missing)
O2 - BHO: Class - {5A0FBFB4-9E43-D3EA-1A21-B85429F80041} - C:\WINDOWS\system32\ipyr32.dll (file missing)
O2 - BHO: Class - {64B4C959-F47C-E57E-A0E5-F99C903141A2} - C:\WINDOWS\system32\javabi.dll (file missing)
O2 - BHO: Class - {70C0DFF9-6D20-CC69-6516-900255F1F512} - C:\WINDOWS\iewk.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Class - {9600C465-7C6A-0B9C-2B1E-DA75DD1BD842} - C:\WINDOWS\system32\iegc32.dll (file missing)
O2 - BHO: Class - {986EB30A-4B14-6249-1774-A75D9AEAC359} - C:\WINDOWS\system32\iehc.dll (file missing)
O2 - BHO: Class - {A927D1F4-E735-581F-E8AF-CE5C50848FE7} - C:\WINDOWS\system32\winwb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C517872A-6D77-8E92-F227-B5714851DA13} - C:\WINDOWS\system32\apiht32.dll
O2 - BHO: Class - {C8F47880-52EF-4AA6-8D33-E43E9369AC13} - C:\WINDOWS\system32\iewy.dll (file missing)
O2 - BHO: Class - {E13962C2-96C6-E39D-08A3-1714DB5A46BC} - C:\WINDOWS\system32\iptb.dll (file missing)
O2 - BHO: Class - {ED7306F6-0886-680B-600C-69DD6DF87ADC} - C:\WINDOWS\system32\syscm32.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntua32.exe] C:\WINDOWS\system32\ntua32.exe
O4 - HKLM\..\Run: [86.tmp] C:\DOCUME~1\Zach\LOCALS~1\Temp\86.tmp.exe
O4 - HKLM\..\Run: [86.tmp.exe] C:\DOCUME~1\Zach\LOCALS~1\Temp\86.tmp.exe
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [Notification Utility] "C:\Program Files\ItBill\itbill.exe"
O4 - HKLM\..\Run: [sdkyi32.exe] C:\WINDOWS\system32\sdkyi32.exe
O4 - HKLM\..\Run: [netat32.exe] C:\WINDOWS\system32\netat32.exe
O4 - HKLM\..\Run: [apiei32.exe] C:\WINDOWS\apiei32.exe
O4 - HKLM\..\Run: [sdktb32.exe] C:\WINDOWS\system32\sdktb32.exe
O4 - HKLM\..\Run: [addzu.exe] C:\WINDOWS\system32\addzu.exe
O4 - HKLM\..\RunOnce: [sysqi.exe] C:\WINDOWS\system32\sysqi.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENWDELUX\billmind.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENWDELUX\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENWDELUX\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://portal.senate.michigan.gov/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase2213.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
I got to step 4, did see one of the services listed (Remote Procedure Call (RPC) Helper), however, it was not active and when I right clicked on it I got a message that the file could not be found.
So, I went in to safe mode, still could not find a service to disable.
Finally, I went back to normal mode, downloaded the "Get Active Services.vbs" file, but when I tried to run that, I got another error message:
line: 12
char: 1
error: 0x8004100A
code: 8004100A
source: (null)
So where do I go from here?
Below is the last hijackthis log file that I saved as part of step 1. FYI, prior to that, I did run hsremove (which said it was successful, but was not), AdAware, SpyBot S&D, and did a full scan with Norton Anti-Virus. Several files were identified and removed by each program.
Again, any advice you can offer will be greatly appreciated! Dezilou
Logfile of HijackThis v1.99.1
Scan saved at 10:36:13 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\system32\sysqi.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\addzu.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dez\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {029073B0-66F6-D9B0-C24F-8F8330D53834} - C:\WINDOWS\netzd32.dll (file missing)
O2 - BHO: Class - {05A88A23-B9D1-7899-EB64-F4AEB6601F25} - C:\WINDOWS\system32\netni32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1F49B46E-A0DA-CDF6-D913-1FAB1FF1A5FC} - C:\WINDOWS\system32\appnx32.dll (file missing)
O2 - BHO: Class - {2ADD1D56-2534-91AF-C52E-680B595C6999} - C:\WINDOWS\system32\iese32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {53735061-B7DB-D058-D5A0-801D03679F8E} - C:\WINDOWS\system32\addzo.dll (file missing)
O2 - BHO: Class - {57FD4D84-8261-8F19-F386-D7902792B1C6} - C:\WINDOWS\system32\apioj.dll (file missing)
O2 - BHO: Class - {5A0FBFB4-9E43-D3EA-1A21-B85429F80041} - C:\WINDOWS\system32\ipyr32.dll (file missing)
O2 - BHO: Class - {64B4C959-F47C-E57E-A0E5-F99C903141A2} - C:\WINDOWS\system32\javabi.dll (file missing)
O2 - BHO: Class - {70C0DFF9-6D20-CC69-6516-900255F1F512} - C:\WINDOWS\iewk.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Class - {9600C465-7C6A-0B9C-2B1E-DA75DD1BD842} - C:\WINDOWS\system32\iegc32.dll (file missing)
O2 - BHO: Class - {986EB30A-4B14-6249-1774-A75D9AEAC359} - C:\WINDOWS\system32\iehc.dll (file missing)
O2 - BHO: Class - {A927D1F4-E735-581F-E8AF-CE5C50848FE7} - C:\WINDOWS\system32\winwb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C517872A-6D77-8E92-F227-B5714851DA13} - C:\WINDOWS\system32\apiht32.dll
O2 - BHO: Class - {C8F47880-52EF-4AA6-8D33-E43E9369AC13} - C:\WINDOWS\system32\iewy.dll (file missing)
O2 - BHO: Class - {E13962C2-96C6-E39D-08A3-1714DB5A46BC} - C:\WINDOWS\system32\iptb.dll (file missing)
O2 - BHO: Class - {ED7306F6-0886-680B-600C-69DD6DF87ADC} - C:\WINDOWS\system32\syscm32.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntua32.exe] C:\WINDOWS\system32\ntua32.exe
O4 - HKLM\..\Run: [86.tmp] C:\DOCUME~1\Zach\LOCALS~1\Temp\86.tmp.exe
O4 - HKLM\..\Run: [86.tmp.exe] C:\DOCUME~1\Zach\LOCALS~1\Temp\86.tmp.exe
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [Notification Utility] "C:\Program Files\ItBill\itbill.exe"
O4 - HKLM\..\Run: [sdkyi32.exe] C:\WINDOWS\system32\sdkyi32.exe
O4 - HKLM\..\Run: [netat32.exe] C:\WINDOWS\system32\netat32.exe
O4 - HKLM\..\Run: [apiei32.exe] C:\WINDOWS\apiei32.exe
O4 - HKLM\..\Run: [sdktb32.exe] C:\WINDOWS\system32\sdktb32.exe
O4 - HKLM\..\Run: [addzu.exe] C:\WINDOWS\system32\addzu.exe
O4 - HKLM\..\RunOnce: [sysqi.exe] C:\WINDOWS\system32\sysqi.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENWDELUX\billmind.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENWDELUX\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENWDELUX\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://portal.senate.michigan.gov/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase2213.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
0
This discussion has been closed.
Comments
Can you do the following:
Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet
Download CWShredder from here, install it, check for updates but again, don't use it yet.
Download and install Ewido Security Suite Trial from here. Run and update the program but do not scan with it yet.
Ensure hidden files and folders are set to show;
Please disconnect from the Internet and unplug your modem for the duration of this fix You may want to print the rest of these instructions.
Go into Safe Mode - explained here
==========
ONCE IN SAFE MODE
==========
Open CWShredder that you downloaded previously. Close all browser windows and click on the FIX button.
---
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\system32\sysqi.exe
C:\WINDOWS\system32\ntua32.exe
C:\WINDOWS\system32\sdkyi32.exe
C:\WINDOWS\system32\netat32.exe
C:\WINDOWS\system32\sdktb32.exe
C:\WINDOWS\system32\addzu.exe
C:\WINDOWS\apiei32.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain
---
- Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
- Close ALL open windows
- Click Fix Checked
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {029073B0-66F6-D9B0-C24F-8F8330D53834} - C:\WINDOWS\netzd32.dll (file missing)
O2 - BHO: Class - {05A88A23-B9D1-7899-EB64-F4AEB6601F25} - C:\WINDOWS\system32\netni32.dll (file missing)
O2 - BHO: Class - {1F49B46E-A0DA-CDF6-D913-1FAB1FF1A5FC} - C:\WINDOWS\system32\appnx32.dll (file missing)
O2 - BHO: Class - {2ADD1D56-2534-91AF-C52E-680B595C6999} - C:\WINDOWS\system32\iese32.dll
O2 - BHO: Class - {53735061-B7DB-D058-D5A0-801D03679F8E} - C:\WINDOWS\system32\addzo.dll (file missing)
O2 - BHO: Class - {57FD4D84-8261-8F19-F386-D7902792B1C6} - C:\WINDOWS\system32\apioj.dll (file missing)
O2 - BHO: Class - {5A0FBFB4-9E43-D3EA-1A21-B85429F80041} - C:\WINDOWS\system32\ipyr32.dll (file missing)
O2 - BHO: Class - {64B4C959-F47C-E57E-A0E5-F99C903141A2} - C:\WINDOWS\system32\javabi.dll (file missing)
O2 - BHO: Class - {70C0DFF9-6D20-CC69-6516-900255F1F512} - C:\WINDOWS\iewk.dll (file missing)
O2 - BHO: Class - {C8F47880-52EF-4AA6-8D33-E43E9369AC13} - C:\WINDOWS\system32\iewy.dll (file missing)
O2 - BHO: Class - {E13962C2-96C6-E39D-08A3-1714DB5A46BC} - C:\WINDOWS\system32\iptb.dll (file missing)
O2 - BHO: Class - {ED7306F6-0886-680B-600C-69DD6DF87ADC} - C:\WINDOWS\system32\syscm32.dll (file missing)
O2 - BHO: Class - {9600C465-7C6A-0B9C-2B1E-DA75DD1BD842} - C:\WINDOWS\system32\iegc32.dll (file missing)
O2 - BHO: Class - {986EB30A-4B14-6249-1774-A75D9AEAC359} - C:\WINDOWS\system32\iehc.dll (file missing)
O2 - BHO: Class - {A927D1F4-E735-581F-E8AF-CE5C50848FE7} - C:\WINDOWS\system32\winwb.dll (file missing)
O2 - BHO: Class - {C517872A-6D77-8E92-F227-B5714851DA13} - C:\WINDOWS\system32\apiht32.dll
O4 - HKLM\..\Run: [ntua32.exe] C:\WINDOWS\system32\ntua32.exe
O4 - HKLM\..\Run: [86.tmp] C:\DOCUME~1\Zach\LOCALS~1\Temp\86.tmp.exe
O4 - HKLM\..\Run: [86.tmp.exe] C:\DOCUME~1\Zach\LOCALS~1\Temp\86.tmp.exe
O4 - HKLM\..\Run: [sdkyi32.exe] C:\WINDOWS\system32\sdkyi32.exe
O4 - HKLM\..\Run: [netat32.exe] C:\WINDOWS\system32\netat32.exe
O4 - HKLM\..\Run: [apiei32.exe] C:\WINDOWS\apiei32.exe
O4 - HKLM\..\Run: [sdktb32.exe] C:\WINDOWS\system32\sdktb32.exe
O4 - HKLM\..\Run: [addzu.exe] C:\WINDOWS\system32\addzu.exe
O4 - HKLM\..\RunOnce: [sysqi.exe] C:\WINDOWS\system32\sysqi.exe
---
Find and Delete the following files:
C:\WINDOWS\system32\iese32.dll
C:\WINDOWS\system32\apiht32.dll
C:\WINDOWS\system32\sdkyi32.exe
C:\WINDOWS\system32\ntua32.exe
C:\WINDOWS\system32\sysqi.exe
C:\WINDOWS\system32\sdktb32.exe
C:\WINDOWS\system32\addzu.exe
C:\WINDOWS\apiei32.exe
---
The following step is important as you may have several malware files in your temp directories.
Browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Window\Temp folder and delete all files and folders in it.
Then in internet explore click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.
---
Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.
---
Run Ewido and do a full System Scan with it. Let it clean anything it finds. Save the report it creates.
Now reboot, and run hijackthis again and post a fresh log along with the about buster log and the Ewido log.
Thank you so much for your advice. I did as requested.
One note - I was not able to access the Temp folder for one of the users on this computer. I got a message saying "not accessable - access denied".
Again, I really appreciate your help!
Here are the new logs.
Logfile of HijackThis v1.99.1
Scan saved at 6:49:04 PM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\ewido anti-malware\ewidoctrl.exe
C:\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dez\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Class - {8C37CE85-E67C-F18B-CE91-D1A3DD83F51E} - C:\WINDOWS\javaha.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Class - {B550E44A-A371-83DE-2CDF-619537449A87} - C:\WINDOWS\crtc32.dll (file missing)
O2 - BHO: Class - {BA679214-0293-36CC-8A69-B7567B9E2FAA} - C:\WINDOWS\mfcvf32.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {BE37410F-1690-DCC0-B063-5E4D232123E5} - C:\WINDOWS\d3pe.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [Notification Utility] "C:\Program Files\ItBill\itbill.exe"
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENWDELUX\billmind.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENWDELUX\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENWDELUX\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://portal.senate.michigan.gov/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase2213.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: ewido security suite control - ewido networks - C:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
AboutBuster 6.0
Scan started on [1/21/2006] at [5:16:44 PM]
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
Removed Stream! C:\WINDOWS\Q811493.log:ekzoz
Removed Stream! C:\WINDOWS\stub16.ini:kdiyd
Removed Stream! C:\WINDOWS\stub66.ini:mlqexv
Removed Stream! C:\WINDOWS\stub69.ini:fmjsrg
Removed File! : C:\WINDOWS\qnfix.txt
Removed File! : C:\WINDOWS\sivnb.log
Removed File! : C:\WINDOWS\thpha.txt
Removed File! : C:\WINDOWS\winnb.exe
Removed File! : C:\WINDOWS\wxrcz.dll
Removed File! : C:\WINDOWS\system32\afbqr.txt
Removed File! : C:\WINDOWS\system32\apigu.exe
Removed File! : C:\WINDOWS\system32\appfs.exe
Removed File! : C:\WINDOWS\system32\bdqdw.txt
Removed File! : C:\WINDOWS\system32\bsgjv.dll
Removed File! : C:\WINDOWS\system32\ehxsu.dll
Removed File! : C:\WINDOWS\system32\farjp.log
Removed File! : C:\WINDOWS\system32\jageq.dll
Removed File! : C:\WINDOWS\system32\javayr.exe
Removed File! : C:\WINDOWS\system32\msbh32.exe
Removed File! : C:\WINDOWS\system32\pmidd.dll
Removed File! : C:\WINDOWS\system32\sdhch.dat
Removed File! : C:\WINDOWS\system32\sysku32.exe
Removed File! : C:\WINDOWS\system32\vqtvy.dat
Removed File! : C:\WINDOWS\system32\winhu.exe
Removed File! : C:\WINDOWS\system32\wmzbd.log
Removed File! : C:\WINDOWS\system32\xlgsa.log
Removed File! : C:\WINDOWS\system32\yaryg.log
Removed Temp Files
Internet Explorer Settings Reset!
Scan was COMPLETED SUCCESSFULLY at 5:24:41 PM
ewido anti-malware - Scan report
+ Created on: 6:32:53 PM, 1/21/2006
+ Report-Checksum: ABA9CEAA
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{21F8F0E0-D881-0FBC-CD1D-D1F30C3905B4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7E2B347A-52AA-597F-9371-80822A8D1263} -> Spyware.CoolWebSearch : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.207:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.242:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.268:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.277:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
:mozilla.300:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
:mozilla.301:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.302:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.336:C:\Documents and Settings\Dez\Application Data\Mozilla\Firefox\Profiles\yo6iq6x1.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Dez\Application Data\Netscape\NSB\Profiles\a7jiv7qh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Dez\Application Data\Netscape\NSB\Profiles\a7jiv7qh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Dez\Application Data\Netscape\NSB\Profiles\a7jiv7qh.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Dez\Cookies\dez@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dez\Desktop\hijackthis\backups\backup-20060121-170417-180.dll -> Downloader.Agent.bc : Cleaned with backup
C:\Documents and Settings\Dez\Desktop\hijackthis\backups\backup-20060121-170417-504.dll -> Downloader.Agent.bc : Cleaned with backup
C:\Documents and Settings\Dez\Desktop\hijackthis\backups\backup-20060121-170417-898.dll -> Downloader.Agent.bc : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Rachael\Cookies\rachael@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rachael\Cookies\rachael@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Rachael\Cookies\rachael@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Rachael\Cookies\rachael@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Rachael\Cookies\rachael@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Rachael\Cookies\rachael@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Rachael\Cookies\rachael@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Rachael\Cookies\rachael@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Rachael\Cookies\rachael@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Rachael\Cookies\rachael@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Program Files\MediaPipe\insdl.dll -> Spyware.MetaDirect : Cleaned with backup
C:\Program Files\MediaPipe\ItBill.exe -> Backdoor.Agent.so : Cleaned with backup
C:\Program Files\MediaPipe\register.dll -> Spyware.MetaDirect : Cleaned with backup
C:\RECYCLER\S-1-5-21-1111733560-2346794250-4145222142-1006\Dc1.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-1111733560-2346794250-4145222142-1006\Dc1304.exe -> Adware.SaveNow : Cleaned with backup
C:\RECYCLER\S-1-5-21-1111733560-2346794250-4145222142-1006\Dc2.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\SYSTEM32\richtx.dll -> Logger.IamBigBrother.91 : Cleaned with backup
::Report End
Can you do the following:
Go to Add/Remove programs in Control Panel and look for the following
MediaPipe P2P Loader
Spyware Cleaner
If found, please uninstall.
=====
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
- Close ALL open windows
Click Fix Checked
O2 - BHO: Class - {8C37CE85-E67C-F18B-CE91-D1A3DD83F51E} - C:\WINDOWS\javaha.dll (file missing)
O2 - BHO: Class - {B550E44A-A371-83DE-2CDF-619537449A87} - C:\WINDOWS\crtc32.dll (file missing)
O2 - BHO: Class - {BA679214-0293-36CC-8A69-B7567B9E2FAA} - C:\WINDOWS\mfcvf32.dll (file missing)
O2 - BHO: Class - {BE37410F-1690-DCC0-B063-5E4D232123E5} - C:\WINDOWS\d3pe.dll (file missing)
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
=====
Find and Delete the following:
C:\Program Files\p2pnetworks << this file
C:\Program Files\Spyware Cleaner << this file
=====
Reboot and post a new HJT log
How are things?
I followed you latest suggestions without any problem, till I got to deleting c:\Program Files\p2pnetworks . I tried deleting the whole folder, and got a message saying "can not delete alp2plib.log. It is being used by another person or program. Close any programs that might be using the file and try again".
I opened the folder and tried to delete the .exe file from there. Got a message that access was denied.
So I rebooted. Here is the new HJT log...
Logfile of HijackThis v1.99.1
Scan saved at 9:12:35 PM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\ewido anti-malware\ewidoctrl.exe
C:\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\OPLIMIT\ocrawr32.exe
C:\Documents and Settings\Dez\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Notification Utility] "C:\Program Files\ItBill\itbill.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENWDELUX\billmind.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENWDELUX\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENWDELUX\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://portal.senate.michigan.gov/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase2213.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: ewido security suite control - ewido networks - C:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Thank you once again!
Instruction for getting into Safe Mode can be found HERE.
==
Can you remove this entry with HJT
O4 - Startup: PowerReg Scheduler.exe
These entries are broken links, so they are optional.
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Personal Coach.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
==
Let me know how things go and then we can finish this off
I did however find a MediaPipe folder, so I deleted it.
A new HJT scan in safe mode did not show any of the older 02 or 04 files. I did check and fix the PowerReg Scheduler and the broken links. When I did so, I got an error message:
Unexpected Error occurred. Error 52 (bad file name or number) in sub GetLongPath (?.exe).
Please send an Email to merijn@spywareinfo.com and mention what you were doing and what version of windows you are running.
This message has been copied to your clipboard.
I clicked on OK, closed the program, opened it again, scanned again, and all the files seemed to be gone, so I closed it again.
Is this error message legit and should I send an email?
I also want to ask you about one item still on the list. It is an 02 - BHO (noname) and the file name is SDHelper.dll. Is this file OK? I thought I read somewhere that some malware co-opts the names of legit programs but that the (noname) is a giveaway?
That is it. Here is my latest HJT log - and once again my sincere thanks!
I could never have done this without your help!
After I get this cleaned up, I need to understand better how to keep my machine secure with two teen-agers also using it. This forum has been a big help in that regard too!
Logfile of HijackThis v1.99.1
Scan saved at 10:08:02 PM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\ewido anti-malware\ewidoctrl.exe
C:\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Dez\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Notification Utility] "C:\Program Files\ItBill\itbill.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENWDELUX\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENWDELUX\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENWDELUX\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://portal.senate.michigan.gov/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase2213.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: ewido security suite control - ewido networks - C:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
That message is fine. It occasionaly comes when fixing broken links with HJT.
This entry is perfectly safe. It belongs to SpyBot Search & Destroy
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
Your HJT is clean
Now that your PC is clean, follow these easy steps to keeping it this way:
Secure your Internet Explorer by going here and following the instructions there.
Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.
Use a firewall to help prevent your PC's control being usurped by undesireables.
Install and keep updated, Ad-Aware SE, and Spybot Search & Destroy.
Run them both on a regular basis, following the manufacturer's recommendations.
Install and keep updated, SpywareBlaster 3.5.1
Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.
Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
Read the article So How Did I get Infected In The First Place
Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.
Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.
Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)
C:\Documents and Settings\username\Local Settings\Temp\
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
Empty the Recycle Bin.
For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.
Go to Start>Run and type msconfig. Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.
Check the box labelled 'Turn off System restore'.
Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
Note that all previous restore points will be lost.
===============
If you have any more problems, post back.
Please consider joining the Folding@Home Project
Join our Folding@Home team! Alzheimer's, Parkinson's, cancer... we're trying to cure them with our computers! You've at least read a little about it in the greeting I sent you when you signed up for the site. We're always really pleased to greet new members to the team, and it's a quick way to become an appreciated member of the community.
MORE INFO: READ THIS
This has been a big headache for me and lots of hours to try and beat. And you do this for many many others. You are to be commended.
I will be checking out "folding" with an eye to beginning yet this weekend.
And I would recommend you highly to anyone.
Thanks Thanks Thanks
Stick around in the forums, it's a great place with plenty of friendly people.
I'm closing this thread. If you need help again, then start a new one