#1
Registered User
Join Date: Sep 2004
Posts: 2
OS: XP
MY HJS log, please help?
-HJS log below-
I am almost certain that my computer is deeply infected by adware and malware. Please help me remove it. I already have ADWare and cwsShredder and neither is working. I am not completely sure whether I have CWS or not, but I am pretty sure I have some other hijacking software or adware that I cannot remove. Task Manager shows the following programs that I have found to be, or be associated with, adware/malware:

pib.exe
tbps.exe
wsup.exe

Please help; no rush, take your time:

Logfile of HijackThis v1.98.2
Scan saved at 6:57:47 PM, on 9/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\apivg32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\system32\appal.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\HJS\HijackThis.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50028
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sfkgl.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dhhqp.dll/index.html#1647718949
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\sfkgl.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sfkgl.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50028
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sfkgl.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sfkgl.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\sfkgl.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sfkgl.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50028
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D3086B2A-B4F9-BDB1-7B86-AF5F1A488219} - C:\WINDOWS\ieem.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [appal.exe] C:\WINDOWS\system32\appal.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [sdknn32.exe] C:\WINDOWS\sdknn32.exe
O4 - HKLM\..\RunOnce: [addin.exe] C:\WINDOWS\system32\addin.exe
O4 - HKLM\..\RunOnce: [apiwe.exe] C:\WINDOWS\apiwe.exe
O4 - HKLM\..\RunOnce: [addbz.exe] C:\WINDOWS\system32\addbz.exe
O4 - HKLM\..\RunOnce: [winch32.exe] C:\WINDOWS\system32\winch32.exe
O4 - HKLM\..\RunOnce: [javakm32.exe] C:\WINDOWS\javakm32.exe
O4 - HKLM\..\RunOnce: [mspr.exe] C:\WINDOWS\mspr.exe
O4 - HKLM\..\RunOnce: [d3kb32.exe] C:\WINDOWS\d3kb32.exe
O4 - HKLM\..\RunOnce: [sysds32.exe] C:\WINDOWS\sysds32.exe
O4 - HKLM\..\RunOnce: [sdkrs.exe] C:\WINDOWS\system32\sdkrs.exe
O4 - HKLM\..\RunOnce: [ipxd32.exe] C:\WINDOWS\system32\ipxd32.exe
O4 - HKLM\..\RunOnce: [javare32.exe] C:\WINDOWS\javare32.exe
O4 - HKLM\..\RunOnce: [atlct.exe] C:\WINDOWS\system32\atlct.exe
O4 - HKLM\..\RunOnce: [sdkch.exe] C:\WINDOWS\sdkch.exe
O4 - HKLM\..\RunOnce: [ntmi.exe] C:\WINDOWS\ntmi.exe
O4 - HKLM\..\RunOnce: [d3fi32.exe] C:\WINDOWS\d3fi32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0b\aoltray.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/game.../y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/game...ts/y/st2_x.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://c:/x.mht!file:///c:/pl.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69431988-77FE-4514-99E3-477407A9849A}: NameServer = 207.69.188.187 207.69.188.186
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
#2
Analyst, Security Team
Welcome to TSF.

Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.

Turn off System Restore by right-clicking on My Computer, going to Properties->System Restore and checking the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and have verified that it's clean, you may turn it back on and create a new restore point.

Download AboutBuster and unzip it to a folder on your Desktop. Do not run it yet.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be, but double check it):

C:\WINDOWS\apivg32.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\system32\appal.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Toolbar\TBPS.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Wintools - any entry that has this word in it
P2P Networking
AceGain
GMT
WeatherBug - it's adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes/deletions listed below.
WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. Being installed without you asking for it isn't cool at all. They collect information about you and your usage. If you installed this yourself and want to keep it, you may ignore all the fixes regarding it. Otherwise, uninstall it and follow all the fixes below for it.

Check and fix the following in HijackThis if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50028
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sfkgl.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dhhqp.dll/index.html#1647718949
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\sfkgl.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sfkgl.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50028
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sfkgl.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sfkgl.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\sfkgl.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sfkgl.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50028
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {D3086B2A-B4F9-BDB1-7B86-AF5F1A488219} - C:\WINDOWS\ieem.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [appal.exe] C:\WINDOWS\system32\appal.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [sdknn32.exe] C:\WINDOWS\sdknn32.exe
O4 - HKLM\..\RunOnce: [addin.exe] C:\WINDOWS\system32\addin.exe
O4 - HKLM\..\RunOnce: [apiwe.exe] C:\WINDOWS\apiwe.exe
O4 - HKLM\..\RunOnce: [addbz.exe] C:\WINDOWS\system32\addbz.exe
O4 - HKLM\..\RunOnce: [winch32.exe] C:\WINDOWS\system32\winch32.exe
O4 - HKLM\..\RunOnce: [javakm32.exe] C:\WINDOWS\javakm32.exe
O4 - HKLM\..\RunOnce: [mspr.exe] C:\WINDOWS\mspr.exe
O4 - HKLM\..\RunOnce: [d3kb32.exe] C:\WINDOWS\d3kb32.exe
O4 - HKLM\..\RunOnce: [sysds32.exe] C:\WINDOWS\sysds32.exe
O4 - HKLM\..\RunOnce: [sdkrs.exe] C:\WINDOWS\system32\sdkrs.exe
O4 - HKLM\..\RunOnce: [ipxd32.exe] C:\WINDOWS\system32\ipxd32.exe
O4 - HKLM\..\RunOnce: [javare32.exe] C:\WINDOWS\javare32.exe
O4 - HKLM\..\RunOnce: [atlct.exe] C:\WINDOWS\system32\atlct.exe
O4 - HKLM\..\RunOnce: [sdkch.exe] C:\WINDOWS\sdkch.exe
O4 - HKLM\..\RunOnce: [ntmi.exe] C:\WINDOWS\ntmi.exe
O4 - HKLM\..\RunOnce: [d3fi32.exe] C:\WINDOWS\d3fi32.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://c:/x.mht!file:///c:/pl.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan; choose Yes. Save the log file and post it here.

Delete the following files/folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\apivg32.exe
C:\Program Files\Common Files\WinTools\
C:\WINDOWS\system32\appal.exe
C:\PROGRA~1\Toolbar\
C:\WINDOWS\sfkgl.dll
C:\WINDOWS\System32\P2P Networking\
C:\Program Files\WildTangent\
C:\Program Files\AWS\ - only delete if you uninstalled WeatherBug
C:\Program Files\AceGain\
C:\Program Files\Common Files\GMT\

Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED - most should be deleted by now already.

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

To help prevent future spyware installations/infections, please read the anti-spyware section and use the tools provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
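The checks the analyst applied by hand to the log above (IE start and search pages pointing at res:// DLL resources, an unnamed BHO loaded from C:\WINDOWS, RunOnce loaders for random-named executables in the Windows directory, and an ActiveX download from an mhtml:file:// source) can be written down as a small log reviewer. The script below is an added example for this page; it is not a forum tool and not code from HijackThis or AboutBuster. The rule set, the function names and the decision to treat "directly in the Windows directory or System32" as the suspicious location are my own assumptions; the sample entries are copied from the first log in this thread, with a few benign entries from the same log kept so the rules have something to leave alone.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the first HijackThis log in this thread,
# plus benign lines from the same log for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sfkgl.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dhhqp.dll/index.html#1647718949
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
O2 - BHO: (no name) - {D3086B2A-B4F9-BDB1-7B86-AF5F1A488219} - C:\WINDOWS\ieem.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\RunOnce: [sdknn32.exe] C:\WINDOWS\sdknn32.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://c:/x.mht!file:///c:/pl.exe
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
"""

# One HijackThis entry per line: "<section> - <body>"; the header and process list do not match.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A file sitting directly in the Windows directory or in System32 (no deeper subfolder).
# Assumption of this example: that is where every loader the analyst removed lived.
WINDIR_FILE = re.compile(r"^[A-Za-z]:\\windows\\(system32\\)?[^\\]+$", re.IGNORECASE)
# O4 body layout: "<hive>\..\<Run|RunOnce>: [<name>] <command>"
O4_BODY = re.compile(r"^HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    raw: str


def parse_entries(log_text):
    """Return (section, body, raw_line) for every R*/O* entry in a flat HijackThis log."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = HJT_LINE.match(raw)
        if m:
            entries.append((m.group("section"), m.group("body"), raw))
    return entries


def check_entry(section, body, raw):
    """Apply the review rule for this entry's section; return a Finding or None."""
    if section in ("R0", "R1") and " = " in body:
        _key, value = body.split(" = ", 1)
        if value.lower().startswith("res://"):
            return Finding(section, "IE start/search setting points at a res:// DLL resource", raw)
    elif section == "O2":
        parts = body.split(" - ")
        if len(parts) >= 3:
            name = parts[0][len("BHO: "):] if parts[0].startswith("BHO: ") else parts[0]
            path = parts[-1].strip()
            if name.strip() == "(no name)" and WINDIR_FILE.match(path):
                return Finding(section, "unnamed BHO loaded from a DLL directly in the Windows directory", raw)
    elif section == "O4":
        m = O4_BODY.match(body)
        if m and m.group("key") == "RunOnce" and WINDIR_FILE.match(m.group("cmd").strip('"')):
            return Finding(section, "RunOnce loader for an executable directly in the Windows directory", raw)
    elif section == "O16":
        _name, _sep, location = body.rpartition(" - ")
        if location and not location.lower().startswith(("http://", "https://")):
            return Finding(section, "ActiveX download (DPF) from a non-HTTP source such as mhtml:file://", raw)
    return None


def review_log(log_text):
    """Run every rule over a log and return the findings in log order."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        finding = check_entry(section, body, raw)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.raw}")
```

Run against the sample it reports five entries, exactly the five the analyst told the poster to fix, and leaves the EarthLink home page, the Norton BHO, the Symantec Run entry and the Yahoo! game download alone. The rules are deliberately narrow; a `res://` page or a file in C:\WINDOWS is a strong hint in a log like this one, but a reviewer still reads each flagged line before fixing it.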
#3
Registered User
Join Date: Sep 2004
Posts: 2
OS: XP
Newest HijackThis log below:
(Right below is the AboutBuster log.) Both were run right when told to. Thanks for your help. I will check back asap to see if you have posted ^^.

Logfile of HijackThis v1.98.2
Scan saved at 5:40:46 PM, on 9/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\apivg32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\RUNDLL32.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\America Online 7.0b\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJS\HijackThis.exe
C:\WINDOWS\System32\HPZipm12.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {69C0535E-8F6B-1482-8F80-DF6B338BFBF8} - C:\WINDOWS\system32\crng32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0b\aoltray.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/game.../y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/game...ts/y/st2_x.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

----------About Buster-------
Scanned at: 5:12:59 PM on: 9/29/2004
-- Scan 1 ---------------------------
about:Buster Version 3.0
Reference List : 15
No ADS found on system
Removed 4 Random Key Entries
Deleted 2 Service Keys Successfully!
Removed! : C:\WINDOWS\addic.exe
Removed! : C:\WINDOWS\apikz.exe
Removed! : C:\WINDOWS\aqktg.dat
Removed! : C:\WINDOWS\atlyo.exe
Removed! : C:\WINDOWS\azouey.dat
Removed! : C:\WINDOWS\bcyqzf.dat
Removed! : C:\WINDOWS\bitjd.dat
Removed! : C:\WINDOWS\d3gt.exe
Removed! : C:\WINDOWS\d3kb32.exe
Removed! : C:\WINDOWS\faiej.dat
Removed! : C:\WINDOWS\fepkc.dat
Removed! : C:\WINDOWS\ghcns.dat
Removed! : C:\WINDOWS\gxgyk.dat
Removed! : C:\WINDOWS\javaet32.exe
Removed! : C:\WINDOWS\javare32.exe
Removed! : C:\WINDOWS\kehmp.dat
Removed! : C:\WINDOWS\kpxwu.dat
Removed! : C:\WINDOWS\llava.dll
Removed! : C:\WINDOWS\mfcpp32.exe
Removed! : C:\WINDOWS\mspr.exe
Removed! : C:\WINDOWS\naauv.dat
Removed! : C:\WINDOWS\netcj.exe
Removed! : C:\WINDOWS\ntno32.exe
Removed! : C:\WINDOWS\n_bublje.dat
Removed! : C:\WINDOWS\n_euvaax.dat
Error Removing! : C:\WINDOWS\n_fkzdwq.dat
Error Removing! : C:\WINDOWS\n_nvqksw.dat
Removed! : C:\WINDOWS\n_ybtdaq.dat
Error Removing! : C:\WINDOWS\n_ygzzbt.dat
Removed! : C:\WINDOWS\n_yuadsn.dat
Removed! : C:\WINDOWS\ornti.dat
Removed! : C:\WINDOWS\puidz.dat
Removed! : C:\WINDOWS\qlwvs.dat
Removed! : C:\WINDOWS\rrfyh.dll
Removed! : C:\WINDOWS\sdkau.exe
Removed! : C:\WINDOWS\senge.dat
Removed! : C:\WINDOWS\sezfa.dat
Removed! : C:\WINDOWS\sqytpx.dat
Removed! : C:\WINDOWS\sysds32.exe
Removed! : C:\WINDOWS\sysdw32.exe
Removed! : C:\WINDOWS\sysqs32.exe
Removed! : C:\WINDOWS\teduo.dat
Removed! : C:\WINDOWS\tiqbr.dll
Removed! : C:\WINDOWS\tuyrj.dat
Removed! : C:\WINDOWS\twyma.dat
Removed! : C:\WINDOWS\tycafw.dat
Removed! : C:\WINDOWS\ugwnz.dat
Removed! : C:\WINDOWS\ujnosc.dat
Removed! : C:\WINDOWS\uvrdv.dat
Removed! : C:\WINDOWS\xnabq.dat
Removed! : C:\WINDOWS\yjgaa.dll
Removed! : C:\WINDOWS\ynnxuq.dat
Removed! : C:\WINDOWS\yzfiw.dat
Removed! : C:\WINDOWS\zmdal.dat
Removed! : C:\WINDOWS\zsbyf.dat
Removed! : C:\WINDOWS\System32\addqd.exe
Removed! : C:\WINDOWS\System32\apptg.exe
Removed! : C:\WINDOWS\System32\appyu.exe
Removed! : C:\WINDOWS\System32\atlct.exe
Removed! : C:\WINDOWS\System32\bsczt.dat
Removed! : C:\WINDOWS\System32\bwwyh.dat
Removed! : C:\WINDOWS\System32\ctrlr.dat
Removed! : C:\WINDOWS\System32\ecdzg.dll
Removed! : C:\WINDOWS\System32\emqzs.dat
Removed! : C:\WINDOWS\System32\emxbl.dat
Removed! : C:\WINDOWS\System32\evabl.dat
Removed! : C:\WINDOWS\System32\fhehc.dat
Removed! : C:\WINDOWS\System32\gviox.dat
Removed! : C:\WINDOWS\System32\hijxf.dat
Removed! : C:\WINDOWS\System32\iphz32.exe
Removed! : C:\WINDOWS\System32\ipxd32.exe
Removed! : C:\WINDOWS\System32\javack.dll
Removed! : C:\WINDOWS\System32\javapg32.exe
Removed! : C:\WINDOWS\System32\javapr32.exe
Removed! : C:\WINDOWS\System32\jlprk.dat
Removed! : C:\WINDOWS\System32\jnvin.dat
Removed! : C:\WINDOWS\System32\kbdnb.dat
Removed! : C:\WINDOWS\System32\koebr.dat
Removed! : C:\WINDOWS\System32\mfcah.exe
Removed! : C:\WINDOWS\System32\netzf32.exe
Removed! : C:\WINDOWS\System32\ntzy32.exe
Removed! : C:\WINDOWS\System32\owqxf.dat
Removed! : C:\WINDOWS\System32\pguyz.dat
Removed! : C:\WINDOWS\System32\pooja.dat
Removed! : C:\WINDOWS\System32\qdrnc.dat
Removed! : C:\WINDOWS\System32\rcsne.dat
Removed! : C:\WINDOWS\System32\sdkrs.exe
Removed! : C:\WINDOWS\System32\tbssl.dat
Removed! : C:\WINDOWS\System32\tidnf.dat
Removed! : C:\WINDOWS\System32\winzc.exe
Removed! : C:\WINDOWS\System32\wyhml.dat
Removed! : C:\WINDOWS\System32\xuzyz.dat
Removed! : C:\WINDOWS\System32\yawbe.dat
Removed! : C:\WINDOWS\System32\yftzp.dat
Removed! : C:\WINDOWS\System32\yivus.dat
Removed! : C:\WINDOWS\System32\zwhje.dat
Removed! : C:\WINDOWS\System32\zztur.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
about:Buster Version 3.0
Reference List : 15
No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\n_fkzdwq.dat
Removed! : C:\WINDOWS\n_nvqksw.dat
Removed! : C:\WINDOWS\n_ygzzbt.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

Thanks again
#4
Analyst, Security Team
Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be, but double check it):

C:\WINDOWS\apivg32.exe

Check and fix the following in HijackThis if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {69C0535E-8F6B-1482-8F80-DF6B338BFBF8} - C:\WINDOWS\system32\crng32.dll

Delete the following files/folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\apivg32.exe
C:\WINDOWS\system32\crng32.dll

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

To help prevent future spyware installations/infections, please read my anti-spyware section and use the tools provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.