Old 03-30-2005, 08:35 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 4
OS: Win XP Pro


DANGER: SPYWARE...Smart Security 59.95$

Hi Folks,

I got my right mouse button locked, my desktop locked, and my PC is screwy... with this message on my desktop:

DANGER: SPYWARE...Smart Security 59.95$

Every time I start my PC after getting these errors, I get this DOS window with "nmb.exe" running.

Anyways, here's my log. I'd appreciate any help.
TXS guys


Logfile of HijackThis v1.99.1
Scan saved at 00:30:39, on 31/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS2\System32\smss.exe
F:\WINDOWS2\system32\csrss.exe
F:\WINDOWS2\system32\winlogon.exe
F:\WINDOWS2\system32\services.exe
F:\WINDOWS2\system32\lsass.exe
F:\WINDOWS2\system32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS2\system32\spoolsv.exe
F:\WINDOWS2\Explorer.exe
F:\WINDOWS2\AGRSMMSG.exe
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\WINDOWS2\System32\spool\drivers\w32x86\3\hpztsb09.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS2\Bvv.exe
F:\WINDOWS2\System32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\CD\PGP\Dave3@terra\PGPtray.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
F:\WINDOWS2\System32\alg.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
F:\WINDOWS2\System32\PGPserv.exe
F:\WINDOWS2\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\_Dave\Progs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\Lirio\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\Lirio\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebRe...2&gwCountry=BR
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS2\System32\kernels32.exe
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - F:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {94087010-979B-4559-A796-BA70D89C82E4} - F:\WINDOWS2\System32\nocdhea.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS2\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - F:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS2\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS2\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [winpos] F:\WINDOWS2\winpos.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKLM\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKLM\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKLM\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKLM\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKLM\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKLM\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKLM\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKLM\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKLM\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKLM\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKLM\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKLM\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKLM\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKLM\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKLM\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] F:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Registry Repair Pro] F:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKCU\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKCU\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKCU\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKCU\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKCU\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKCU\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKCU\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKCU\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKCU\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKCU\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKCU\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKCU\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKCU\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKCU\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKCU\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKCU\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKCU\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - F:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS2\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS2\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - F:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE3BB699-E52E-4F06-A378-30135350AB52}: NameServer = 200.149.55.142 200.165.132.155
O18 - Filter: text/html - {68D65528-80BE-4350-8711-6C026BCAF7A6} - F:\WINDOWS2\System32\nocdhea.dll
O18 - Filter: text/plain - {68D65528-80BE-4350-8711-6C026BCAF7A6} - F:\WINDOWS2\System32\nocdhea.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - F:\WINDOWS2\System32\vbsys2.dll
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PGPserv - PGP Corporation - F:\WINDOWS2\System32\PGPserv.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Old 03-31-2005, 03:25 AM   #2 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 91
OS: Win XP Pro


Hi Mixtli and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when a reply has been made.

Please be patient with me during this time.
__________________
_____________________________________________________
Cheers


NealM
AMD Athlon XP2000 - Processor
512 RAM - Memory
HD1 - 15G
HD2 - 80G
NVIDIA GeForce FX 5200 - Graphics Card
Old 03-31-2005, 09:00 AM   #3 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 91
OS: Win XP Pro


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

To turn off System Restore Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time).

F:\WINDOWS2\Bvv.exe


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\Lirio\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\Lirio\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...12&gwCountry=BR
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS2\System32\kernels32.exe
O2 - BHO: (no name) - {94087010-979B-4559-A796-BA70D89C82E4} - F:\WINDOWS2\System32\nocdhea.dll
O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKLM\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKLM\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKLM\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKLM\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKLM\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKLM\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKLM\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKLM\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKLM\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKLM\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKLM\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKLM\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKLM\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKLM\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKLM\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKLM\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - HKCU\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKCU\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKCU\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKCU\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKCU\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKCU\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKCU\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKCU\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKCU\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKCU\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKCU\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKCU\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKCU\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKCU\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKCU\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKCU\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKCU\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKCU\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS2\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS2\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE3BB699-E52E-4F06-A378-30135350AB52}: NameServer = 200.149.55.142 200.165.132.155
O18 - Filter: text/html - {68D65528-80BE-4350-8711-6C026BCAF7A6} - F:\WINDOWS2\System32\nocdhea.dll
O18 - Filter: text/plain - {68D65528-80BE-4350-8711-6C026BCAF7A6} - F:\WINDOWS2\System32\nocdhea.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - F:\WINDOWS2\System32\vbsys2.dll


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following files indicated in RED:

F:\DOCUME~1\Lirio\LOCALS~1\Temp\sp.dll
F:\WINDOWS2\System32\kernels32.exe
F:\WINDOWS2\System32\nocdhea.dll
F:\WINDOWS2\System32\Ehr.exe
F:\WINDOWS2\System32\Hoi.exe
F:\WINDOWS2\System32\Loe.exe
F:\WINDOWS2\Ssq.exe
F:\WINDOWS2\Ihi.exe
F:\WINDOWS2\System32\Ibt.exe
F:\WINDOWS2\Dtk.exe
F:\WINDOWS2\Gne.exe
F:\WINDOWS2\System32\Dsf.exe
F:\WINDOWS2\Odv.exe
F:\WINDOWS2\Bvv.exe
F:\WINDOWS2\System32\Fjd.exe
F:\WINDOWS2\Ggq.exe
F:\WINDOWS2\Rrg.exe
F:\WINDOWS2\Hef.exe
F:\WINDOWS2\System32\Oke.exe
F:\WINDOWS2\System32\Ncr.exe
F:\WINDOWS2\System32\Tpk.exe
F:\WINDOWS2\System32\Ehr.exe
F:\WINDOWS2\System32\Hoi.exe
F:\WINDOWS2\System32\Loe.exe
F:\WINDOWS2\Ssq.exe
F:\WINDOWS2\Ihi.exe
F:\WINDOWS2\System32\Ibt.exe
F:\WINDOWS2\Dtk.exe
F:\WINDOWS2\Gne.exe
F:\WINDOWS2\System32\Dsf.exe
F:\WINDOWS2\Odv.exe
F:\WINDOWS2\Bvv.exe
F:\WINDOWS2\System32\Fjd.exe
F:\WINDOWS2\Ggq.exe
F:\WINDOWS2\Rrg.exe
F:\WINDOWS2\Hef.exe
F:\WINDOWS2\System32\Oke.exe
F:\WINDOWS2\System32\Ncr.exe
F:\WINDOWS2\System32\Tpk.exe
F:\WINDOWS2\web\related.htm
F:\WINDOWS2\System32\nocdhea.dll
F:\WINDOWS2\System32\vbsys2.dll



Reboot your System in normal mode.


Download CW-Shredder HERE


Download 'SpSeHjfix' to the desktop, then right-click a blank part of the desktop and select New Folder; call it spfix.
Unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say "system clean" and not go on to the next stage.

Now run the Shredder - Hit The FIX button!


If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus.
Please select the “autoclean” option when using Trend Micro.

Please post a fresh Hijack This log and the log that was created by 'SpSeHjfix' so that we can check if your system is clean.
__________________
_____________________________________________________
Cheers


NealM
AMD Athlon XP2000 - Processor
512 RAM - Memory
HD1 - 15G
HD2 - 80G
NVIDIA GeForce FX 5200 - Graphics Card
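As an added example (not code from this thread or from HijackThis), here is a Python triage script that applies the checks NealM made by hand to log lines in the format above: Run entries whose value name and executable are both random three-letter names, an extra executable appended to the system.ini Shell line, IE search pages pointing at res:// or about:blank, O18 MIME filters, and unnamed O2/O21 DLLs. The three-letter heuristic and the sample lines are constructed from this thread's log; a "(no name)" BHO is only a review item, since Spybot's SDHelper.dll shows that way too.

```python
"""Triage a HijackThis 1.99-style log for the hijack pattern in this thread.
Added example, not HijackThis code: the heuristics below are derived from the
log posted above and the entries the helper selected for "Fix checked"."""
import re

# Constructed sample in the shape of the thread's log (a subset of its lines).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\Lirio\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS2\System32\kernels32.exe
O2 - BHO: (no name) - {94087010-979B-4559-A796-BA70D89C82E4} - F:\WINDOWS2\System32\nocdhea.dll
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS2\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKLM\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKCU\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O18 - Filter: text/html - {68D65528-80BE-4350-8711-6C026BCAF7A6} - F:\WINDOWS2\System32\nocdhea.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - F:\WINDOWS2\System32\vbsys2.dll (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^R[01] - (?P<key>.+?)\s*=\s*(?P<value>.*)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(?P<shell>.*)$')
# Heuristic taken from this thread: value name and file stem are both a
# capitalised three-letter string (Psu -> Ehr.exe). Legitimate software rarely does this.
TRIPLET = re.compile(r'^[A-Z][a-z]{2}$')


def exe_path(cmd):
    """Full path of the program in a Run command line, without quotes or
    trailing arguments (e.g. '/background'). Falls back to the raw command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd


def last_field(line):
    """Path in the last ' - ' separated field, minus HijackThis's status suffix."""
    return line.split(" - ")[-1].replace(" (file missing)", "").strip()


def triage(log_text):
    """Scan log lines and return the entries a helper would mark for review."""
    f = {"random_run_entries": [], "shell_hijack": None, "ie_redirects": [],
         "mime_filters": [], "unnamed_bho_or_ssodl": []}
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            stem = path.rsplit("\\", 1)[-1]
            stem = stem[:-4] if stem.lower().endswith(".exe") else stem
            if TRIPLET.match(m.group("name")) and TRIPLET.match(stem):
                f["random_run_entries"].append((m.group("hive"), m.group("name"), path))
            continue
        m = F2_RE.match(line)
        if m:
            # Shell= should be exactly Explorer.exe; anything appended runs at every logon.
            if [t.lower() for t in m.group("shell").split()] != ["explorer.exe"]:
                f["shell_hijack"] = m.group("shell")
            continue
        m = R_RE.match(line)
        if m:
            v = m.group("value")
            if v.lower().startswith("res://") or v.lower() == "about:blank":
                f["ie_redirects"].append((m.group("key"), v))
            continue
        if line.startswith("O18 - Filter:"):
            f["mime_filters"].append(last_field(line))
        elif line.startswith("O21 - SSODL:") or line.startswith("O2 - BHO: (no name)"):
            f["unnamed_bho_or_ssodl"].append(last_field(line))  # review, not a verdict
    return f


def files_to_review(findings):
    """Deduplicated on-disk paths behind the flagged entries (the 'delete' list
    in the helper's reply, here produced for review). Assumes the Shell hijack
    path has no spaces, as in this thread."""
    paths = {p for _, _, p in findings["random_run_entries"]}
    if findings["shell_hijack"]:
        paths.update(findings["shell_hijack"].split()[1:])
    for _, value in findings["ie_redirects"]:
        if value.lower().startswith("res://"):
            paths.add(value[len("res://"):].split("/")[0])  # res://<dll>/<page>
    paths.update(findings["mime_filters"])
    paths.update(findings["unnamed_bho_or_ssodl"])
    return sorted(paths)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, entries in result.items():
        print(category, entries)
    print("files to review:", *files_to_review(result), sep="\n  ")
```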
Old 03-31-2005, 01:24 PM   #4 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 4
OS: Win XP Pro


Thanks a mil dude,

I followed your instructions, but the infections are all still there... here's my log after doing the cleanup:

Logfile of HijackThis v1.99.1
Scan saved at 17:18:34, on 31/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS2\System32\smss.exe
F:\WINDOWS2\system32\csrss.exe
F:\WINDOWS2\system32\winlogon.exe
F:\WINDOWS2\system32\services.exe
F:\WINDOWS2\system32\lsass.exe
F:\WINDOWS2\system32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS2\Explorer.EXE
F:\WINDOWS2\system32\spoolsv.exe
F:\WINDOWS2\System32\alg.exe
F:\Program Files\Common Files\PFWShared\cfgintpr.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
F:\WINDOWS2\System32\PGPserv.exe
F:\WINDOWS2\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\TPF4\umxagent.exe
F:\WINDOWS2\AGRSMMSG.exe
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\WINDOWS2\System32\spool\drivers\w32x86\3\hpztsb09.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\WINDOWS2\System32\Dbk.exe
F:\Program Files\Motherboard Monitor 5\MBM5.EXE
F:\WINDOWS2\System32\Jun.exe
F:\WINDOWS2\System32\Pic.exe
F:\WINDOWS2\System32\Klg.exe
F:\WINDOWS2\System32\Cre.exe
F:\WINDOWS2\System32\Jvh.exe
F:\WINDOWS2\System32\Uoq.exe
F:\WINDOWS2\System32\Lvv.exe
F:\WINDOWS2\Dhf.exe
F:\WINDOWS2\Lts.exe
F:\WINDOWS2\System32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS2\System32\Jun.exe
F:\WINDOWS2\System32\Pic.exe
F:\WINDOWS2\System32\Klg.exe
F:\WINDOWS2\System32\Cre.exe
F:\WINDOWS2\System32\Jvh.exe
F:\WINDOWS2\System32\Uoq.exe
F:\WINDOWS2\System32\Lvv.exe
F:\WINDOWS2\Dhf.exe
F:\WINDOWS2\Lts.exe
F:\WINDOWS2\Idt.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\CD\PGP\Dave3@terra\PGPtray.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
F:\Program Files\Internet Explorer\iexplore.exe
C:\_Dave\Progs\HJThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebRe...2&gwCountry=BR
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - F:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: DSE WE Addon Class - {BF55256A-3B3B-11D2-B05B-000001145917} - F:\Program Files\Common Files\PFWShared\weaddon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS2\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - F:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS2\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS2\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [winpos] F:\WINDOWS2\winpos.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKLM\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKLM\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKLM\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKLM\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKLM\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKLM\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKLM\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKLM\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKLM\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKLM\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKLM\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKLM\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKLM\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKLM\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKLM\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKLM\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - HKLM\..\Run: [Pjm] F:\WINDOWS2\Blv.exe
O4 - HKLM\..\Run: [Ern] F:\WINDOWS2\Ftl.exe
O4 - HKLM\..\Run: [Icj] F:\WINDOWS2\System32\Dbk.exe
O4 - HKLM\..\Run: [Sge] F:\WINDOWS2\System32\Dnp.exe
O4 - HKLM\..\Run: [Llm] F:\WINDOWS2\Asf.exe
O4 - HKLM\..\Run: [Goi] F:\WINDOWS2\System32\Cap.exe
O4 - HKLM\..\Run: [Mcp] F:\WINDOWS2\Ros.exe
O4 - HKLM\..\Run: [MBM 5] "F:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [AMonitor] F:\Program Files\TPF4\amon.exe
O4 - HKLM\..\Run: [Ucu] F:\WINDOWS2\System32\Jun.exe
O4 - HKLM\..\Run: [Oao] F:\WINDOWS2\Feq.exe
O4 - HKLM\..\Run: [Oeh] F:\WINDOWS2\System32\Pic.exe
O4 - HKLM\..\Run: [Kol] F:\WINDOWS2\System32\Klg.exe
O4 - HKLM\..\Run: [Ktc] F:\WINDOWS2\System32\Cre.exe
O4 - HKLM\..\Run: [Tbj] F:\WINDOWS2\Duo.exe
O4 - HKLM\..\Run: [Gqu] F:\WINDOWS2\System32\Jvh.exe
O4 - HKLM\..\Run: [Uvc] F:\WINDOWS2\System32\Uoq.exe
O4 - HKLM\..\Run: [Qot] F:\WINDOWS2\System32\Lvv.exe
O4 - HKLM\..\Run: [Hml] F:\WINDOWS2\Dhf.exe
O4 - HKLM\..\Run: [Egh] F:\WINDOWS2\Lts.exe
O4 - HKLM\..\Run: [Hve] F:\WINDOWS2\Idt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] F:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Registry Repair Pro] F:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKCU\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKCU\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKCU\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKCU\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKCU\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKCU\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKCU\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKCU\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKCU\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKCU\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKCU\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKCU\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKCU\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKCU\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKCU\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKCU\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKCU\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - HKCU\..\Run: [Pjm] F:\WINDOWS2\Blv.exe
O4 - HKCU\..\Run: [Ern] F:\WINDOWS2\Ftl.exe
O4 - HKCU\..\Run: [Icj] F:\WINDOWS2\System32\Dbk.exe
O4 - HKCU\..\Run: [Sge] F:\WINDOWS2\System32\Dnp.exe
O4 - HKCU\..\Run: [Llm] F:\WINDOWS2\Asf.exe
O4 - HKCU\..\Run: [Goi] F:\WINDOWS2\System32\Cap.exe
O4 - HKCU\..\Run: [Mcp] F:\WINDOWS2\Ros.exe
O4 - HKCU\..\Run: [Ucu] F:\WINDOWS2\System32\Jun.exe
O4 - HKCU\..\Run: [Oao] F:\WINDOWS2\Feq.exe
O4 - HKCU\..\Run: [Oeh] F:\WINDOWS2\System32\Pic.exe
O4 - HKCU\..\Run: [Kol] F:\WINDOWS2\System32\Klg.exe
O4 - HKCU\..\Run: [Ktc] F:\WINDOWS2\System32\Cre.exe
O4 - HKCU\..\Run: [Tbj] F:\WINDOWS2\Duo.exe
O4 - HKCU\..\Run: [Gqu] F:\WINDOWS2\System32\Jvh.exe
O4 - HKCU\..\Run: [Uvc] F:\WINDOWS2\System32\Uoq.exe
O4 - HKCU\..\Run: [Qot] F:\WINDOWS2\System32\Lvv.exe
O4 - HKCU\..\Run: [Hml] F:\WINDOWS2\Dhf.exe
O4 - HKCU\..\Run: [Egh] F:\WINDOWS2\Lts.exe
O4 - HKCU\..\Run: [Hve] F:\WINDOWS2\Idt.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - F:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - F:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE3BB699-E52E-4F06-A378-30135350AB52}: NameServer = 200.149.55.142 200.165.132.155
O20 - AppInit_DLLs: umxexw.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - F:\WINDOWS2\System32\vbsys2.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSE Config Interpreter (ConfigInterpreter) - Securitae Corp. - F:\Program Files\Common Files\PFWShared\cfgintpr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PGPserv - PGP Corporation - F:\WINDOWS2\System32\PGPserv.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: DSE Agent (UmxAgent) - Securitae Corp. - F:\Program Files\TPF4\umxagent.exe






And here's the "SpSeHjfix" log:




(3/31/05 16:36:11) SPSeHjFix started v1.1.1
(3/31/05 16:36:11) OS: WinXP Service Pack 1 (5.1.2600)
(3/31/05 16:36:11) Language: português
(3/31/05 16:36:14) Disinfection started
(3/31/05 16:36:14) Bad-Dll(IEP): f:\docume~1\lirio\locals~1\temp\sp.dll
(3/31/05 16:36:14) Searchassistant Uninstaller found: regsvr32 /s /u F:\WINDOWS2\System32\nocdhea.dll
(3/31/05 16:36:14) Searchassistant Uninstaller - Keys Deleted
(3/31/05 16:36:14) FilterKey: HKCR\text/html (deleted)
(3/31/05 16:36:14) FilterKey: HKCR\CLSID\{68D65528-80BE-4350-8711-6C026BCAF7A6} (deleted)
(3/31/05 16:36:14) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(3/31/05 16:36:14) FilterKey: HKCR\text/plain (deleted)
(3/31/05 16:36:14) FilterKey: HKCR\CLSID\{68D65528-80BE-4350-8711-6C026BCAF7A6} (error while deleting)
(3/31/05 16:36:14) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(3/31/05 16:36:14) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94087010-979B-4559-A796-BA70D89C82E4} (file missing: deleted)
(3/31/05 16:36:14) BHO-Key: HKCR\CLSID\{94087010-979B-4559-A796-BA70D89C82E4} (file missing: deleted)
(3/31/05 16:36:14) UBF: 9
(3/31/05 16:36:14) UBB: 5
(3/31/05 16:36:14) UBR: 80
(3/31/05 16:36:14) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://f:\docume~1\lirio\locals~1\temp\sp.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://f:\docume~1\lirio\locals~1\temp\sp.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(3/31/05 16:36:14) Stealth-String not found
(3/31/05 16:36:15) Temp-Files delete on Reboot
(3/31/05 16:36:15) File added to delete: f:\windows2\system32\nocdhea.dll
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\~df7f12.tmp
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\~df90cb.tmp
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\adobe
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\history
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\msohtml1
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\temporary internet files
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\temporary internet files\content.ie5
(3/31/05 16:36:15) Reboot


(3/31/05 16:37:40) SPSeHjFix started v1.1.1
(3/31/05 16:37:40) OS: WinXP Service Pack 1 (5.1.2600)
(3/31/05 16:37:40) Language: português


Once again, thanks for your help.
Old 03-31-2005, 09:37 PM   #5 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Hi and Welcome to TSF

You have more than one infection taking place. You got one on the first fix and we will attack the others. Understand this will take several steps. Please print these instructions out so you can follow along. Do not MISS or SKIP a step.

Make sure system restore is enabled and make a restore point. This is so that if you make a mistake you can restore the OS. Once you're fixed..we will address the restore folder.

Download Hoster http://members.aol.com/toadbee/hoster.zip
Download and install CleanUp http://cleanup.stevengould.org/

Download the attachment I posted here called fixsec.txt. Save it to your desktop. Now rename it to fixsec.reg. DO NOT run it yet.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be, but make sure):

F:\WINDOWS2\System32\Dbk.exe
F:\WINDOWS2\System32\Jun.exe
F:\WINDOWS2\System32\Pic.exe
F:\WINDOWS2\System32\Klg.exe
F:\WINDOWS2\System32\Cre.exe
F:\WINDOWS2\System32\Jvh.exe
F:\WINDOWS2\System32\Uoq.exe
F:\WINDOWS2\System32\Lvv.exe
F:\WINDOWS2\Dhf.exe
F:\WINDOWS2\Lts.exe
F:\WINDOWS2\Idt.exe


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...12&gwCountry=BR
O4 - HKLM\..\Run: [winpos] F:\WINDOWS2\winpos.exe
O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKLM\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKLM\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKLM\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKLM\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKLM\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKLM\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKLM\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKLM\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKLM\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKLM\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKLM\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKLM\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKLM\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKLM\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKLM\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKLM\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKLM\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - HKLM\..\Run: [Pjm] F:\WINDOWS2\Blv.exe
O4 - HKLM\..\Run: [Ern] F:\WINDOWS2\Ftl.exe
O4 - HKLM\..\Run: [Icj] F:\WINDOWS2\System32\Dbk.exe
O4 - HKLM\..\Run: [Sge] F:\WINDOWS2\System32\Dnp.exe
O4 - HKLM\..\Run: [Llm] F:\WINDOWS2\Asf.exe
O4 - HKLM\..\Run: [Goi] F:\WINDOWS2\System32\Cap.exe
O4 - HKLM\..\Run: [Mcp] F:\WINDOWS2\Ros.exe
O4 - HKLM\..\Run: [AMonitor] F:\Program Files\TPF4\amon.exe
O4 - HKLM\..\Run: [Ucu] F:\WINDOWS2\System32\Jun.exe
O4 - HKLM\..\Run: [Oao] F:\WINDOWS2\Feq.exe
O4 - HKLM\..\Run: [Oeh] F:\WINDOWS2\System32\Pic.exe
O4 - HKLM\..\Run: [Kol] F:\WINDOWS2\System32\Klg.exe
O4 - HKLM\..\Run: [Ktc] F:\WINDOWS2\System32\Cre.exe
O4 - HKLM\..\Run: [Tbj] F:\WINDOWS2\Duo.exe
O4 - HKLM\..\Run: [Gqu] F:\WINDOWS2\System32\Jvh.exe
O4 - HKLM\..\Run: [Uvc] F:\WINDOWS2\System32\Uoq.exe
O4 - HKLM\..\Run: [Qot] F:\WINDOWS2\System32\Lvv.exe
O4 - HKLM\..\Run: [Hml] F:\WINDOWS2\Dhf.exe
O4 - HKLM\..\Run: [Egh] F:\WINDOWS2\Lts.exe
O4 - HKLM\..\Run: [Hve] F:\WINDOWS2\Idt.exe
O4 - HKCU\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKCU\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKCU\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKCU\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKCU\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKCU\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKCU\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKCU\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKCU\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKCU\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKCU\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKCU\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKCU\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKCU\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKCU\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKCU\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKCU\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKCU\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - HKCU\..\Run: [Pjm] F:\WINDOWS2\Blv.exe
O4 - HKCU\..\Run: [Ern] F:\WINDOWS2\Ftl.exe
O4 - HKCU\..\Run: [Icj] F:\WINDOWS2\System32\Dbk.exe
O4 - HKCU\..\Run: [Sge] F:\WINDOWS2\System32\Dnp.exe
O4 - HKCU\..\Run: [Llm] F:\WINDOWS2\Asf.exe
O4 - HKCU\..\Run: [Goi] F:\WINDOWS2\System32\Cap.exe
O4 - HKCU\..\Run: [Mcp] F:\WINDOWS2\Ros.exe
O4 - HKCU\..\Run: [Ucu] F:\WINDOWS2\System32\Jun.exe
O4 - HKCU\..\Run: [Oao] F:\WINDOWS2\Feq.exe
O4 - HKCU\..\Run: [Oeh] F:\WINDOWS2\System32\Pic.exe
O4 - HKCU\..\Run: [Kol] F:\WINDOWS2\System32\Klg.exe
O4 - HKCU\..\Run: [Ktc] F:\WINDOWS2\System32\Cre.exe
O4 - HKCU\..\Run: [Tbj] F:\WINDOWS2\Duo.exe
O4 - HKCU\..\Run: [Gqu] F:\WINDOWS2\System32\Jvh.exe
O4 - HKCU\..\Run: [Uvc] F:\WINDOWS2\System32\Uoq.exe
O4 - HKCU\..\Run: [Qot] F:\WINDOWS2\System32\Lvv.exe
O4 - HKCU\..\Run: [Hml] F:\WINDOWS2\Dhf.exe
O4 - HKCU\..\Run: [Egh] F:\WINDOWS2\Lts.exe
O4 - HKCU\..\Run: [Hve] F:\WINDOWS2\Idt.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - F:\WINDOWS2\System32\vbsys2.dll (file missing)


Delete ALL those three-letter files above and these files that I listed below..

F:\WINDOWS2\winpos.exe
F:\WINDOWS2\System32\vbsys2.dll
c:\WINDOWS\Aja.html
c:\WINDOWS\Cjr.exe
c:\WINDOWS\desktop.html
c:\WINDOWS\popup.html
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_46.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_48.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_50.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_52.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_54.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_56.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_57.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_58.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_60.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_62.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_64.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_66.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_68.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_70.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_72.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_73.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_74.xml
c:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_75.xml
c:\WINDOWS\system32\Hcc.exe
c:\WINDOWS\PCHEALT <--folder

FDI.EXE <--locate and delete that one!!

Open the hoster file and run the program to restore your hosts file.

Navigate to the C:\Windows\Prefetch folder and delete all files in that folder

Run the cleanup utility and reboot/logoff when prompted.

Reboot back to normal mode. Now double click that fixsec.reg file we made and merge it into the registry. If it asks you..say YES to merge.

Once that's merged...reboot the PC.

Now..once you're back to normal windows..right click on the desktop..select properties...desktop..customize desktop...web..and uncheck anything listed. Now highlight and delete any entry that says security..or anything other than the default "My Current Homepage". Leave that entry be.

Run the cleanup utility again...reboot. Once back to normal windows post another hijackthis log. If those O4 entries are back...repeat the process, as you missed a file for deletion. You MUST get them all..otherwise this thing reinstalls itself.
Attached Files
File Type: txt fixsec.txt (1.9 KB, 123 views)
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
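The fix above hinges on catching every one of the random three-letter O4 Run entries, under both HKLM and HKCU, in a single pass. As an added example that is not part of the thread, of HijackThis, or of any tool named here, this Python script parses O4 lines in the HijackThis log format, lists the loaders that match that naming pattern, and lists the value names registered under both hives; the sample lines are constructed from the entries posted above, and the three-letter-name rule is an assumption drawn from that log.

```python
"""Triage HijackThis O4 (Run key) entries for the hijacker pattern in this thread.

Added example, not code from the thread, from HijackThis or from any tool named
in it. The sample log lines are constructed from entries the helper listed.
"""
import re

# O4 line shape: O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# First "something.exe" in the command, with a leading quote stripped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)', re.IGNORECASE)
# Assumption drawn from the thread's log: the hijacker's loaders are random
# three-letter executables sitting directly in the Windows dir or System32.
SUSPECT_EXE_RE = re.compile(
    r'^[A-Za-z]:\\WINDOWS\d*\\(System32\\)?[A-Za-z]{3}\.exe$', re.IGNORECASE)

# Constructed sample: a handful of the O4 lines from the thread, good and bad.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winpos] F:\WINDOWS2\winpos.exe
O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKLM\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKLM\..\Run: [AMonitor] F:\Program Files\TPF4\amon.exe
O4 - HKCU\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKCU\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS2\System32\ctfmon.exe
"""


def exe_path(cmd):
    """Return the executable path from a Run-key command (quotes and args dropped)."""
    m = EXE_RE.match(cmd.strip())
    return m.group('path') if m else cmd.strip()


def parse_o4(log_text):
    """Parse every O4 Run entry into {'hive', 'name', 'path'}; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append({'hive': m.group('hive'),
                            'name': m.group('name'),
                            'path': exe_path(m.group('cmd'))})
    return entries


def triage(log_text):
    """Flag suspect loaders and the value names registered under both hives.

    The helper's point was that every one of these must go in the same pass,
    so the result also lists each value name present in both HKLM and HKCU.
    """
    entries = parse_o4(log_text)
    suspect = {e['path'] for e in entries if SUSPECT_EXE_RE.match(e['path'])}
    hives_by_name = {}
    for e in entries:
        hives_by_name.setdefault(e['name'], set()).add(e['hive'])
    both = [n for n, h in hives_by_name.items() if h >= {'HKLM', 'HKCU'}]
    return {'suspect_paths': sorted(suspect), 'both_hives': sorted(both)}


if __name__ == '__main__':
    for key, values in triage(SAMPLE_LOG).items():
        print(key)
        for v in values:
            print('   ', v)
```

Entries that the regex does not flag (legitimate vendor paths under Program Files, ctfmon.exe) are left alone, so the output is a shortlist to check against the log, not a delete list.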
Old 03-31-2005, 11:08 PM   #6 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. <--please disregard that part of my speech up top. I meant to remove it. I want system restore enabled!
Old 04-01-2005, 03:39 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 4
OS: Win XP Pro


You're the man MicroBell, I think that did it. A big thanks in advance!
Here's my log up to date:




Logfile of HijackThis v1.99.1
Scan saved at 19:31:35, on 1/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS2\System32\smss.exe
F:\WINDOWS2\system32\csrss.exe
F:\WINDOWS2\system32\winlogon.exe
F:\WINDOWS2\system32\services.exe
F:\WINDOWS2\system32\lsass.exe
F:\WINDOWS2\system32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS2\system32\spoolsv.exe
F:\WINDOWS2\System32\alg.exe
F:\Program Files\Common Files\PFWShared\cfgintpr.exe
F:\WINDOWS2\System32\PGPserv.exe
F:\WINDOWS2\System32\svchost.exe
F:\Program Files\TPF4\umxagent.exe
F:\WINDOWS2\Explorer.EXE
F:\Program Files\Motherboard Monitor 5\MBM5.EXE
F:\WINDOWS2\System32\spool\drivers\w32x86\3\hpztsb09.exe
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS2\System32\ctfmon.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\CD\PGP\Dave3@terra\PGPtray.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\_Dave\Progs\HJThis\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - F:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DSE WE Addon Class - {BF55256A-3B3B-11D2-B05B-000001145917} - F:\Program Files\Common Files\PFWShared\weaddon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS2\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - F:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS2\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MBM 5] "F:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS2\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKCU\..\Run: [Yahoo! Pager] F:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Registry Repair Pro] F:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS2\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - F:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - F:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O20 - AppInit_DLLs: umxexw.dll
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: DSE Config Interpreter (ConfigInterpreter) - Securitae Corp. - F:\Program Files\Common Files\PFWShared\cfgintpr.exe
O23 - Service: PGPserv - PGP Corporation - F:\WINDOWS2\System32\PGPserv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: DSE Agent (UmxAgent) - Securitae Corp. - F:\Program Files\TPF4\umxagent.exe



I'd be interested to know how you made that "fixsys" file, and anything else about it.
Old 04-02-2005, 01:42 AM   #8 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Excellent...Much better. The REG file...is a registry fix for this hijacker. It disables certain registry keys to prevent the user from removing it. That reg file resets the keys.

Your log is clean. Any more issues? If not....disable system restore now...reboot the PC and then go back and re-enable it. Then create a new restore point. This way we clean the infection out of the restore folder and give you a fresh clean restore point to fall back on.

Please read through the spyware prevention section on how to protect yourself from spyware/adware Here and use the recommended programs and methods to protect yourself!
Old 04-06-2005, 08:56 PM   #9 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Mixtli:

As your logs are clean..and you didn't respond back I'm moving this to resolved.
 

