#1
Registered User
Join Date: Jul 2005
Posts: 6
OS: XP Pro
Help with Browser Hijacker
I have used Spyware Nuker, Ad-Aware SE and Norton AntiVirus and the hijacker keeps coming back. Here is my HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 4:48:25 AM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\atljl.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Spyware Nuker 2004\SWN2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FE3D33D0-958B-2C94-A4A8-DB4A4566ED06} - C:\WINDOWS\system32\ieto32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_x63b8e1\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [netsw32.exe] C:\WINDOWS\netsw32.exe
O4 - HKLM\..\Run: [atljl.exe] C:\WINDOWS\atljl.exe
O4 - HKLM\..\RunOnce: [d3rx32.exe] C:\WINDOWS\system32\d3rx32.exe
O4 - HKLM\..\RunOnce: [sysny.exe] C:\WINDOWS\sysny.exe
O4 - HKLM\..\RunOnce: [systp.exe] C:\WINDOWS\systp.exe
O4 - HKLM\..\RunOnce: [netqn32.exe] C:\WINDOWS\netqn32.exe
O4 - HKLM\..\RunOnce: [apiwk32.exe] C:\WINDOWS\system32\apiwk32.exe
O4 - HKLM\..\RunOnce: [apiwm.exe] C:\WINDOWS\system32\apiwm.exe
O4 - HKLM\..\RunOnce: [crfy.exe] C:\WINDOWS\system32\crfy.exe
O4 - HKLM\..\RunOnce: [ntuu.exe] C:\WINDOWS\ntuu.exe
O4 - HKLM\..\RunOnce: [d3dc32.exe] C:\WINDOWS\system32\d3dc32.exe
O4 - HKLM\..\RunOnce: [appvl32.exe] C:\WINDOWS\system32\appvl32.exe
O4 - HKLM\..\RunOnce: [ntnt.exe] C:\WINDOWS\system32\ntnt.exe
O4 - HKLM\..\RunOnce: [cruq.exe] C:\WINDOWS\system32\cruq.exe
O4 - HKLM\..\RunOnce: [mssa32.exe] C:\WINDOWS\mssa32.exe
O4 - HKLM\..\RunOnce: [atlmf32.exe] C:\WINDOWS\system32\atlmf32.exe
O4 - HKLM\..\RunOnce: [msge.exe] C:\WINDOWS\system32\msge.exe
O4 - HKLM\..\RunOnce: [ieur32.exe] C:\WINDOWS\system32\ieur32.exe
O4 - HKLM\..\RunOnce: [crbc.exe] C:\WINDOWS\system32\crbc.exe
O4 - HKLM\..\RunOnce: [mfcjs32.exe] C:\WINDOWS\system32\mfcjs32.exe
O4 - HKLM\..\RunOnce: [msri32.exe] C:\WINDOWS\msri32.exe
O4 - HKLM\..\RunOnce: [apilu32.exe] C:\WINDOWS\system32\apilu32.exe
O4 - HKLM\..\RunOnce: [javajx.exe] C:\WINDOWS\javajx.exe
O4 - HKLM\..\RunOnce: [crya32.exe] C:\WINDOWS\system32\crya32.exe
O4 - HKLM\..\RunOnce: [ieip.exe] C:\WINDOWS\system32\ieip.exe
O4 - HKLM\..\RunOnce: [addqq.exe] C:\WINDOWS\system32\addqq.exe
O4 - HKLM\..\RunOnce: [javahz32.exe] C:\WINDOWS\javahz32.exe
O4 - HKLM\..\RunOnce: [mfcoz32.exe] C:\WINDOWS\system32\mfcoz32.exe
O4 - HKLM\..\RunOnce: [crww32.exe] C:\WINDOWS\system32\crww32.exe
O4 - HKLM\..\RunOnce: [wingw32.exe] C:\WINDOWS\system32\wingw32.exe
O4 - HKLM\..\RunOnce: [crhl32.exe] C:\WINDOWS\crhl32.exe
O4 - HKLM\..\RunOnce: [atlok32.exe] C:\WINDOWS\atlok32.exe
O4 - HKLM\..\RunOnce: [atlbf32.exe] C:\WINDOWS\system32\atlbf32.exe
O4 - HKLM\..\RunOnce: [ielk.exe] C:\WINDOWS\ielk.exe
O4 - HKLM\..\RunOnce: [ieez32.exe] C:\WINDOWS\system32\ieez32.exe
O4 - HKLM\..\RunOnce: [addun32.exe] C:\WINDOWS\addun32.exe
O4 - HKLM\..\RunOnce: [sysde.exe] C:\WINDOWS\system32\sysde.exe
O4 - HKLM\..\RunOnce: [d3qw.exe] C:\WINDOWS\system32\d3qw.exe
O4 - HKLM\..\RunOnce: [mssx.exe] C:\WINDOWS\system32\mssx.exe
O4 - HKLM\..\RunOnce: [addtd32.exe] C:\WINDOWS\system32\addtd32.exe
O4 - HKLM\..\RunOnce: [javaeu.exe] C:\WINDOWS\system32\javaeu.exe
O4 - HKLM\..\RunOnce: [mshq32.exe] C:\WINDOWS\mshq32.exe
O4 - HKLM\..\RunOnce: [netxw.exe] C:\WINDOWS\system32\netxw.exe
O4 - HKLM\..\RunOnce: [appms.exe] C:\WINDOWS\appms.exe
O4 - HKLM\..\RunOnce: [javapa32.exe] C:\WINDOWS\system32\javapa32.exe
O4 - HKLM\..\RunOnce: [addpo32.exe] C:\WINDOWS\system32\addpo32.exe
O4 - HKLM\..\RunOnce: [ipqt32.exe] C:\WINDOWS\ipqt32.exe
O4 - HKLM\..\RunOnce: [sysbl32.exe] C:\WINDOWS\sysbl32.exe
O4 - HKLM\..\RunOnce: [mshh32.exe] C:\WINDOWS\mshh32.exe
O4 - HKLM\..\RunOnce: [winub32.exe] C:\WINDOWS\winub32.exe
O4 - HKLM\..\RunOnce: [apptw32.exe] C:\WINDOWS\apptw32.exe
O4 - HKLM\..\RunOnce: [crvw32.exe] C:\WINDOWS\crvw32.exe
O4 - HKLM\..\RunOnce: [ntsw.exe] C:\WINDOWS\system32\ntsw.exe
O4 - HKLM\..\RunOnce: [javaix32.exe] C:\WINDOWS\javaix32.exe
O4 - HKLM\..\RunOnce: [ipgc.exe] C:\WINDOWS\ipgc.exe
O4 - HKLM\..\RunOnce: [mfcpa32.exe] C:\WINDOWS\mfcpa32.exe
O4 - HKLM\..\RunOnce: [ntdi32.exe] C:\WINDOWS\ntdi32.exe
O4 - HKLM\..\RunOnce: [ntqg32.exe] C:\WINDOWS\ntqg32.exe
O4 - HKLM\..\RunOnce: [syszt.exe] C:\WINDOWS\system32\syszt.exe
O4 - HKLM\..\RunOnce: [atlqo.exe] C:\WINDOWS\system32\atlqo.exe
O4 - HKLM\..\RunOnce: [ipjs32.exe] C:\WINDOWS\ipjs32.exe
O4 - HKLM\..\RunOnce: [crdo32.exe] C:\WINDOWS\system32\crdo32.exe
O4 - HKLM\..\RunOnce: [netqd.exe] C:\WINDOWS\system32\netqd.exe
O4 - HKLM\..\RunOnce: [ntdc32.exe] C:\WINDOWS\system32\ntdc32.exe
O4 - HKLM\..\RunOnce: [d3vk.exe] C:\WINDOWS\system32\d3vk.exe
O4 - HKLM\..\RunOnce: [appbj32.exe] C:\WINDOWS\appbj32.exe
O4 - HKLM\..\RunOnce: [addhe.exe] C:\WINDOWS\addhe.exe
O4 - HKLM\..\RunOnce: [netxu32.exe] C:\WINDOWS\netxu32.exe
O4 - HKLM\..\RunOnce: [appko.exe] C:\WINDOWS\appko.exe
O4 - HKLM\..\RunOnce: [iewi32.exe] C:\WINDOWS\system32\iewi32.exe
O4 - HKLM\..\RunOnce: [javasr.exe] C:\WINDOWS\javasr.exe
O4 - HKLM\..\RunOnce: [appgo32.exe] C:\WINDOWS\appgo32.exe
O4 - HKLM\..\RunOnce: [crxk.exe] C:\WINDOWS\system32\crxk.exe
O4 - HKLM\..\RunOnce: [ntod32.exe] C:\WINDOWS\ntod32.exe
O4 - HKLM\..\RunOnce: [apppu.exe] C:\WINDOWS\apppu.exe
O4 - HKLM\..\RunOnce: [sdkeb.exe] C:\WINDOWS\sdkeb.exe
O4 - HKLM\..\RunOnce: [apirw32.exe] C:\WINDOWS\apirw32.exe
O4 - HKLM\..\RunOnce: [mszm32.exe] C:\WINDOWS\mszm32.exe
O4 - HKLM\..\RunOnce: [ntpy.exe] C:\WINDOWS\ntpy.exe
O4 - HKLM\..\RunOnce: [winbo.exe] C:\WINDOWS\winbo.exe
O4 - HKLM\..\RunOnce: [ipyb.exe] C:\WINDOWS\system32\ipyb.exe
O4 - HKLM\..\RunOnce: [ntad32.exe] C:\WINDOWS\ntad32.exe
O4 - HKLM\..\RunOnce: [apihw32.exe] C:\WINDOWS\apihw32.exe
O4 - HKLM\..\RunOnce: [appns32.exe] C:\WINDOWS\appns32.exe
O4 - HKLM\..\RunOnce: [mfcvu32.exe] C:\WINDOWS\system32\mfcvu32.exe
O4 - HKLM\..\RunOnce: [netca.exe] C:\WINDOWS\netca.exe
O4 - HKLM\..\RunOnce: [apppl32.exe] C:\WINDOWS\system32\apppl32.exe
O4 - HKLM\..\RunOnce: [javapq.exe] C:\WINDOWS\system32\javapq.exe
O4 - HKLM\..\RunOnce: [crls32.exe] C:\WINDOWS\system32\crls32.exe
O4 - HKLM\..\RunOnce: [crxg.exe] C:\WINDOWS\system32\crxg.exe
O4 - HKLM\..\RunOnce: [netee.exe] C:\WINDOWS\system32\netee.exe
O4 - HKLM\..\RunOnce: [javazp32.exe] C:\WINDOWS\system32\javazp32.exe
O4 - HKLM\..\RunOnce: [atlwp.exe] C:\WINDOWS\system32\atlwp.exe
O4 - HKLM\..\RunOnce: [mfcsc32.exe] C:\WINDOWS\system32\mfcsc32.exe
O4 - HKLM\..\RunOnce: [d3bb32.exe] C:\WINDOWS\system32\d3bb32.exe
O4 - HKLM\..\RunOnce: [ipxb.exe] C:\WINDOWS\system32\ipxb.exe
O4 - HKLM\..\RunOnce: [iell32.exe] C:\WINDOWS\system32\iell32.exe
O4 - HKLM\..\RunOnce: [netou.exe] C:\WINDOWS\netou.exe
O4 - HKLM\..\RunOnce: [sdkvb32.exe] C:\WINDOWS\sdkvb32.exe
O4 - HKLM\..\RunOnce: [winha32.exe] C:\WINDOWS\system32\winha32.exe
O4 - HKLM\..\RunOnce: [apifg32.exe] C:\WINDOWS\system32\apifg32.exe
O4 - HKLM\..\RunOnce: [appmj.exe] C:\WINDOWS\appmj.exe
O4 - HKLM\..\RunOnce: [atlae32.exe] C:\WINDOWS\system32\atlae32.exe
O4 - HKLM\..\RunOnce: [sdkdl32.exe] C:\WINDOWS\sdkdl32.exe
O4 - HKLM\..\RunOnce: [appoa.exe] C:\WINDOWS\system32\appoa.exe
O4 - HKLM\..\RunOnce: [ntpi.exe] C:\WINDOWS\ntpi.exe
O4 - HKLM\..\RunOnce: [msjt32.exe] C:\WINDOWS\msjt32.exe
O4 - HKLM\..\RunOnce: [appmf.exe] C:\WINDOWS\appmf.exe
O4 - HKLM\..\RunOnce: [mfcyo32.exe] C:\WINDOWS\system32\mfcyo32.exe
O4 - HKLM\..\RunOnce: [sdkhg32.exe] C:\WINDOWS\sdkhg32.exe
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealAudio.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B61ECA-6052-4A3F-88F9-D39ADAA280EE}: NameServer = 192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#2
Manager, The Conversation Pit/Analyst, Security Team
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.sfx.exe and uncompress the files to a folder on your Desktop. Run AboutBuster and click OK. Click the Update button to see if there are any updates. Close the program now.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoftware.com/products/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\atljl.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WeatherBug - it's adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes/deletions listed below.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FE3D33D0-958B-2C94-A4A8-DB4A4566ED06} - C:\WINDOWS\system32\ieto32.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [netsw32.exe] C:\WINDOWS\netsw32.exe
O4 - HKLM\..\Run: [atljl.exe] C:\WINDOWS\atljl.exe
O4 - HKLM\..\RunOnce: [d3rx32.exe] C:\WINDOWS\system32\d3rx32.exe
O4 - HKLM\..\RunOnce: [sysny.exe] C:\WINDOWS\sysny.exe
O4 - HKLM\..\RunOnce: [systp.exe] C:\WINDOWS\systp.exe
O4 - HKLM\..\RunOnce: [netqn32.exe] C:\WINDOWS\netqn32.exe
O4 - HKLM\..\RunOnce: [apiwk32.exe] C:\WINDOWS\system32\apiwk32.exe
O4 - HKLM\..\RunOnce: [apiwm.exe] C:\WINDOWS\system32\apiwm.exe
O4 - HKLM\..\RunOnce: [crfy.exe] C:\WINDOWS\system32\crfy.exe
O4 - HKLM\..\RunOnce: [ntuu.exe] C:\WINDOWS\ntuu.exe
O4 - HKLM\..\RunOnce: [d3dc32.exe] C:\WINDOWS\system32\d3dc32.exe
O4 - HKLM\..\RunOnce: [appvl32.exe] C:\WINDOWS\system32\appvl32.exe
O4 - HKLM\..\RunOnce: [ntnt.exe] C:\WINDOWS\system32\ntnt.exe
O4 - HKLM\..\RunOnce: [cruq.exe] C:\WINDOWS\system32\cruq.exe
O4 - HKLM\..\RunOnce: [mssa32.exe] C:\WINDOWS\mssa32.exe
O4 - HKLM\..\RunOnce: [atlmf32.exe] C:\WINDOWS\system32\atlmf32.exe
O4 - HKLM\..\RunOnce: [msge.exe] C:\WINDOWS\system32\msge.exe
O4 - HKLM\..\RunOnce: [ieur32.exe] C:\WINDOWS\system32\ieur32.exe
O4 - HKLM\..\RunOnce: [crbc.exe] C:\WINDOWS\system32\crbc.exe
O4 - HKLM\..\RunOnce: [mfcjs32.exe] C:\WINDOWS\system32\mfcjs32.exe
O4 - HKLM\..\RunOnce: [msri32.exe] C:\WINDOWS\msri32.exe
O4 - HKLM\..\RunOnce: [apilu32.exe] C:\WINDOWS\system32\apilu32.exe
O4 - HKLM\..\RunOnce: [javajx.exe] C:\WINDOWS\javajx.exe
O4 - HKLM\..\RunOnce: [crya32.exe] C:\WINDOWS\system32\crya32.exe
O4 - HKLM\..\RunOnce: [ieip.exe] C:\WINDOWS\system32\ieip.exe
O4 - HKLM\..\RunOnce: [addqq.exe] C:\WINDOWS\system32\addqq.exe
O4 - HKLM\..\RunOnce: [javahz32.exe] C:\WINDOWS\javahz32.exe
O4 - HKLM\..\RunOnce: [mfcoz32.exe] C:\WINDOWS\system32\mfcoz32.exe
O4 - HKLM\..\RunOnce: [crww32.exe] C:\WINDOWS\system32\crww32.exe
O4 - HKLM\..\RunOnce: [wingw32.exe] C:\WINDOWS\system32\wingw32.exe
O4 - HKLM\..\RunOnce: [crhl32.exe] C:\WINDOWS\crhl32.exe
O4 - HKLM\..\RunOnce: [atlok32.exe] C:\WINDOWS\atlok32.exe
O4 - HKLM\..\RunOnce: [atlbf32.exe] C:\WINDOWS\system32\atlbf32.exe
O4 - HKLM\..\RunOnce: [ielk.exe] C:\WINDOWS\ielk.exe
O4 - HKLM\..\RunOnce: [ieez32.exe] C:\WINDOWS\system32\ieez32.exe
O4 - HKLM\..\RunOnce: [addun32.exe] C:\WINDOWS\addun32.exe
O4 - HKLM\..\RunOnce: [sysde.exe] C:\WINDOWS\system32\sysde.exe
O4 - HKLM\..\RunOnce: [d3qw.exe] C:\WINDOWS\system32\d3qw.exe
O4 - HKLM\..\RunOnce: [mssx.exe] C:\WINDOWS\system32\mssx.exe
O4 - HKLM\..\RunOnce: [addtd32.exe] C:\WINDOWS\system32\addtd32.exe
O4 - HKLM\..\RunOnce: [javaeu.exe] C:\WINDOWS\system32\javaeu.exe
O4 - HKLM\..\RunOnce: [mshq32.exe] C:\WINDOWS\mshq32.exe
O4 - HKLM\..\RunOnce: [netxw.exe] C:\WINDOWS\system32\netxw.exe
O4 - HKLM\..\RunOnce: [appms.exe] C:\WINDOWS\appms.exe
O4 - HKLM\..\RunOnce: [javapa32.exe] C:\WINDOWS\system32\javapa32.exe
O4 - HKLM\..\RunOnce: [addpo32.exe] C:\WINDOWS\system32\addpo32.exe
O4 - HKLM\..\RunOnce: [ipqt32.exe] C:\WINDOWS\ipqt32.exe
O4 - HKLM\..\RunOnce: [sysbl32.exe] C:\WINDOWS\sysbl32.exe
O4 - HKLM\..\RunOnce: [mshh32.exe] C:\WINDOWS\mshh32.exe
O4 - HKLM\..\RunOnce: [winub32.exe] C:\WINDOWS\winub32.exe
O4 - HKLM\..\RunOnce: [apptw32.exe] C:\WINDOWS\apptw32.exe
O4 - HKLM\..\RunOnce: [crvw32.exe] C:\WINDOWS\crvw32.exe
O4 - HKLM\..\RunOnce: [ntsw.exe] C:\WINDOWS\system32\ntsw.exe
O4 - HKLM\..\RunOnce: [javaix32.exe] C:\WINDOWS\javaix32.exe
O4 - HKLM\..\RunOnce: [ipgc.exe] C:\WINDOWS\ipgc.exe
O4 - HKLM\..\RunOnce: [mfcpa32.exe] C:\WINDOWS\mfcpa32.exe
O4 - HKLM\..\RunOnce: [ntdi32.exe] C:\WINDOWS\ntdi32.exe
O4 - HKLM\..\RunOnce: [ntqg32.exe] C:\WINDOWS\ntqg32.exe
O4 - HKLM\..\RunOnce: [syszt.exe] C:\WINDOWS\system32\syszt.exe
O4 - HKLM\..\RunOnce: [atlqo.exe] C:\WINDOWS\system32\atlqo.exe
O4 - HKLM\..\RunOnce: [ipjs32.exe] C:\WINDOWS\ipjs32.exe
O4 - HKLM\..\RunOnce: [crdo32.exe] C:\WINDOWS\system32\crdo32.exe
O4 - HKLM\..\RunOnce: [netqd.exe] C:\WINDOWS\system32\netqd.exe
O4 - HKLM\..\RunOnce: [ntdc32.exe] C:\WINDOWS\system32\ntdc32.exe
O4 - HKLM\..\RunOnce: [d3vk.exe] C:\WINDOWS\system32\d3vk.exe
O4 - HKLM\..\RunOnce: [appbj32.exe] C:\WINDOWS\appbj32.exe
O4 - HKLM\..\RunOnce: [addhe.exe] C:\WINDOWS\addhe.exe
O4 - HKLM\..\RunOnce: [netxu32.exe] C:\WINDOWS\netxu32.exe
O4 - HKLM\..\RunOnce: [appko.exe] C:\WINDOWS\appko.exe
O4 - HKLM\..\RunOnce: [iewi32.exe] C:\WINDOWS\system32\iewi32.exe
O4 - HKLM\..\RunOnce: [javasr.exe] C:\WINDOWS\javasr.exe
O4 - HKLM\..\RunOnce: [appgo32.exe] C:\WINDOWS\appgo32.exe
O4 - HKLM\..\RunOnce: [crxk.exe] C:\WINDOWS\system32\crxk.exe
O4 - HKLM\..\RunOnce: [ntod32.exe] C:\WINDOWS\ntod32.exe
O4 - HKLM\..\RunOnce: [apppu.exe] C:\WINDOWS\apppu.exe
O4 - HKLM\..\RunOnce: [sdkeb.exe] C:\WINDOWS\sdkeb.exe
O4 - HKLM\..\RunOnce: [apirw32.exe] C:\WINDOWS\apirw32.exe
O4 - HKLM\..\RunOnce: [mszm32.exe] C:\WINDOWS\mszm32.exe
O4 - HKLM\..\RunOnce: [ntpy.exe] C:\WINDOWS\ntpy.exe
O4 - HKLM\..\RunOnce: [winbo.exe] C:\WINDOWS\winbo.exe
O4 - HKLM\..\RunOnce: [ipyb.exe] C:\WINDOWS\system32\ipyb.exe
O4 - HKLM\..\RunOnce: [ntad32.exe] C:\WINDOWS\ntad32.exe
O4 - HKLM\..\RunOnce: [apihw32.exe] C:\WINDOWS\apihw32.exe
O4 - HKLM\..\RunOnce: [appns32.exe] C:\WINDOWS\appns32.exe
O4 - HKLM\..\RunOnce: [mfcvu32.exe] C:\WINDOWS\system32\mfcvu32.exe
O4 - HKLM\..\RunOnce: [netca.exe] C:\WINDOWS\netca.exe
O4 - HKLM\..\RunOnce: [apppl32.exe] C:\WINDOWS\system32\apppl32.exe
O4 - HKLM\..\RunOnce: [javapq.exe] C:\WINDOWS\system32\javapq.exe
O4 - HKLM\..\RunOnce: [crls32.exe] C:\WINDOWS\system32\crls32.exe
O4 - HKLM\..\RunOnce: [crxg.exe] C:\WINDOWS\system32\crxg.exe
O4 - HKLM\..\RunOnce: [netee.exe] C:\WINDOWS\system32\netee.exe
O4 - HKLM\..\RunOnce: [javazp32.exe] C:\WINDOWS\system32\javazp32.exe
O4 - HKLM\..\RunOnce: [atlwp.exe] C:\WINDOWS\system32\atlwp.exe
O4 - HKLM\..\RunOnce: [mfcsc32.exe] C:\WINDOWS\system32\mfcsc32.exe
O4 - HKLM\..\RunOnce: [d3bb32.exe] C:\WINDOWS\system32\d3bb32.exe
O4 - HKLM\..\RunOnce: [ipxb.exe] C:\WINDOWS\system32\ipxb.exe
O4 - HKLM\..\RunOnce: [iell32.exe] C:\WINDOWS\system32\iell32.exe
O4 - HKLM\..\RunOnce: [netou.exe] C:\WINDOWS\netou.exe
O4 - HKLM\..\RunOnce: [sdkvb32.exe] C:\WINDOWS\sdkvb32.exe
O4 - HKLM\..\RunOnce: [winha32.exe] C:\WINDOWS\system32\winha32.exe
O4 - HKLM\..\RunOnce: [apifg32.exe] C:\WINDOWS\system32\apifg32.exe
O4 - HKLM\..\RunOnce: [appmj.exe] C:\WINDOWS\appmj.exe
O4 - HKLM\..\RunOnce: [atlae32.exe] C:\WINDOWS\system32\atlae32.exe
O4 - HKLM\..\RunOnce: [sdkdl32.exe] C:\WINDOWS\sdkdl32.exe
O4 - HKLM\..\RunOnce: [appoa.exe] C:\WINDOWS\system32\appoa.exe
O4 - HKLM\..\RunOnce: [ntpi.exe] C:\WINDOWS\ntpi.exe
O4 - HKLM\..\RunOnce: [msjt32.exe] C:\WINDOWS\msjt32.exe
O4 - HKLM\..\RunOnce: [appmf.exe] C:\WINDOWS\appmf.exe
O4 - HKLM\..\RunOnce: [mfcyo32.exe] C:\WINDOWS\system32\mfcyo32.exe
O4 - HKLM\..\RunOnce: [sdkhg32.exe] C:\WINDOWS\sdkhg32.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\AWS
C:\WINDOWS\system32\hripo.dll
C:\WINDOWS\system32\ieto32.dll
C:\WINDOWS\UpdReg.EXE
C:\WINDOWS\netsw32.exe
C:\WINDOWS\atljl.exe
C:\WINDOWS\system32\d3rx32.exe
C:\WINDOWS\sysny.exe
C:\WINDOWS\systp.exe
C:\WINDOWS\netqn32.exe
C:\WINDOWS\system32\apiwk32.exe
C:\WINDOWS\system32\apiwm.exe
C:\WINDOWS\system32\crfy.exe
C:\WINDOWS\ntuu.exe
C:\WINDOWS\system32\d3dc32.exe
C:\WINDOWS\system32\appvl32.exe
C:\WINDOWS\system32\ntnt.exe
C:\WINDOWS\system32\cruq.exe
C:\WINDOWS\mssa32.exe
C:\WINDOWS\system32\atlmf32.exe
C:\WINDOWS\system32\msge.exe
C:\WINDOWS\system32\ieur32.exe
C:\WINDOWS\system32\crbc.exe
C:\WINDOWS\system32\mfcjs32.exe
C:\WINDOWS\msri32.exe
C:\WINDOWS\system32\apilu32.exe
C:\WINDOWS\javajx.exe
C:\WINDOWS\system32\crya32.exe
C:\WINDOWS\system32\ieip.exe
C:\WINDOWS\system32\addqq.exe
C:\WINDOWS\javahz32.exe
C:\WINDOWS\system32\mfcoz32.exe
C:\WINDOWS\system32\crww32.exe
C:\WINDOWS\system32\wingw32.exe
C:\WINDOWS\crhl32.exe
C:\WINDOWS\atlok32.exe
C:\WINDOWS\system32\atlbf32.exe
C:\WINDOWS\ielk.exe
C:\WINDOWS\system32\ieez32.exe
C:\WINDOWS\addun32.exe
C:\WINDOWS\system32\sysde.exe
C:\WINDOWS\system32\d3qw.exe
C:\WINDOWS\system32\mssx.exe
C:\WINDOWS\system32\addtd32.exe
C:\WINDOWS\system32\javaeu.exe
C:\WINDOWS\mshq32.exe
C:\WINDOWS\system32\netxw.exe
C:\WINDOWS\appms.exe
C:\WINDOWS\system32\javapa32.exe
C:\WINDOWS\system32\addpo32.exe
C:\WINDOWS\ipqt32.exe
C:\WINDOWS\sysbl32.exe
C:\WINDOWS\mshh32.exe
C:\WINDOWS\winub32.exe
C:\WINDOWS\apptw32.exe
C:\WINDOWS\crvw32.exe
C:\WINDOWS\system32\ntsw.exe
C:\WINDOWS\javaix32.exe
C:\WINDOWS\ipgc.exe
C:\WINDOWS\mfcpa32.exe
C:\WINDOWS\ntdi32.exe
C:\WINDOWS\ntqg32.exe
C:\WINDOWS\system32\syszt.exe
C:\WINDOWS\system32\atlqo.exe
C:\WINDOWS\ipjs32.exe
C:\WINDOWS\system32\crdo32.exe
C:\WINDOWS\system32\netqd.exe
C:\WINDOWS\system32\d3vk.exe
C:\WINDOWS\appbj32.exe
C:\WINDOWS\addhe.exe
C:\WINDOWS\netxu32.exe
C:\WINDOWS\appko.exe
C:\WINDOWS\system32\iewi32.exe
C:\WINDOWS\javasr.exe
C:\WINDOWS\appgo32.exe
C:\WINDOWS\system32\crxk.exe
C:\WINDOWS\ntod32.exe
C:\WINDOWS\apppu.exe
C:\WINDOWS\sdkeb.exe
C:\WINDOWS\apirw32.exe
C:\WINDOWS\mszm32.exe
C:\WINDOWS\ntpy.exe
C:\WINDOWS\winbo.exe
C:\WINDOWS\system32\ipyb.exe
C:\WINDOWS\ntad32.exe
C:\WINDOWS\apihw32.exe
C:\WINDOWS\appns32.exe
C:\WINDOWS\system32\mfcvu32.exe
C:\WINDOWS\netca.exe
C:\WINDOWS\system32\apppl32.exe
C:\WINDOWS\system32\javapq.exe
C:\WINDOWS\system32\crls32.exe
C:\WINDOWS\system32\crxg.exe
C:\WINDOWS\system32\netee.exe
C:\WINDOWS\system32\javazp32.exe
C:\WINDOWS\system32\atlwp.exe
C:\WINDOWS\system32\mfcsc32.exe
C:\WINDOWS\system32\d3bb32.exe
C:\WINDOWS\system32\ipxb.exe
C:\WINDOWS\system32\iell32.exe
C:\WINDOWS\netou.exe
C:\WINDOWS\sdkvb32.exe
C:\WINDOWS\system32\winha32.exe
C:\WINDOWS\system32\apifg32.exe
C:\WINDOWS\appmj.exe
C:\WINDOWS\system32\atlae32.exe
C:\WINDOWS\sdkdl32.exe
C:\WINDOWS\system32\appoa.exe
C:\WINDOWS\ntpi.exe
C:\WINDOWS\msjt32.exe
C:\WINDOWS\appmf.exe
C:\WINDOWS\system32\mfcyo32.exe
C:\WINDOWS\sdkhg32.exe
C:\WINDOWS\atljl.exe

Run AboutBuster and click the Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit.

Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here. Restart and run a new HijackThis scan. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it back here.
__________________
I won a nobel prize too!!
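As an added example (not code from this thread, and not part of HijackThis), the Python below parses HijackThis entry lines and flags the pattern the helper worked through by hand above: IE search settings pointing at a res:// page inside a local DLL, a BHO with a generic name loading from system32, and Run/RunOnce items whose value name is the file name of a lookalike-named .exe dropped straight into the Windows folder. The sample lines are taken from the log posted in this thread; the heuristics, name prefixes and length limits are my own assumptions and only mark entries for a human to review.

```python
"""Triage a HijackThis v1.99 log for the about:blank / res:// search-hijack
pattern discussed in this thread.  Added example, not HijackThis code; the
heuristics are the author's own assumptions and only mark entries for review."""
import re
from dataclasses import dataclass

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\RunOnce: [x.exe] C:\WINDOWS\x.exe".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# O4 body: "<hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices|RunServicesOnce): \[([^\]]*)\] (.*)$")
# O2 body: "BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# Short alphanumeric .exe sitting directly in %WINDIR% or system32 (assumption: legitimate
# software almost never registers startup items that look like this).
DROPPED_EXE_RE = re.compile(r"^C:\\WINDOWS\\(system32\\)?[a-z0-9]{4,9}\.exe$", re.IGNORECASE)
# Prefixes the dropper in this thread borrowed from real Windows component names (assumption).
LOOKALIKE_PREFIXES = ("api", "app", "atl", "add", "cr", "d3", "ie", "ip", "java",
                      "mfc", "ms", "net", "nt", "sdk", "sys", "win")
GENERIC_BHO_NAMES = {"class", "(no name)"}


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entry(line):
    """Return (section, body) for a HijackThis entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def looks_dropped(name, command):
    """True when an O4 value name equals its target file name and the target is a
    lookalike-named .exe directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    if not DROPPED_EXE_RE.match(command):
        return False
    file_name = command.rsplit("\\", 1)[-1].lower()
    return name.lower() == file_name and file_name.startswith(LOOKALIKE_PREFIXES)


def triage(log_text):
    """Return the entries a reviewer should look at first, with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        line = raw.strip()
        if section in ("R0", "R1") and "res://" in body:
            findings.append(Finding(section, line,
                            "IE search/start setting points at a page inside a local DLL (res://)"))
        elif section == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(section, line,
                            "default URLSearchHook removed; seen alongside the same hijacker"))
        elif section == "O2":
            m = O2_RE.match(body)
            if m and m.group(1).strip().lower() in GENERIC_BHO_NAMES \
                    and m.group(3).strip().lower().startswith("c:\\windows\\system32\\"):
                findings.append(Finding(section, line,
                                "BHO with a generic name loading a DLL from system32"))
        elif section == "O4":
            m = O4_RE.match(body)
            if m and looks_dropped(m.group(3), m.group(4).strip()):
                findings.append(Finding(section, line,
                                f"{m.group(2)} entry for a lookalike-named .exe dropped into the Windows folder"))
    return findings


def by_section(findings):
    """Count findings per HijackThis section, e.g. {'O4': 3, 'R1': 1}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: a dozen lines taken from the log posted above, mixing
# hijacker entries with legitimate Symantec, Creative and Zone Labs ones.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\atljl.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hripo.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FE3D33D0-958B-2C94-A4A8-DB4A4566ED06} - C:\WINDOWS\system32\ieto32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [atljl.exe] C:\WINDOWS\atljl.exe
O4 - HKLM\..\RunOnce: [d3rx32.exe] C:\WINDOWS\system32\d3rx32.exe
O4 - HKLM\..\RunOnce: [javahz32.exe] C:\WINDOWS\javahz32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Entries the script does not flag (the ccApp and UpdReg lines, for instance) are not thereby cleared; it narrows the list, the reviewer still decides.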
#3
Registered User
Join Date: Jul 2005
Posts: 6
OS: XP Pro
Here are my log files from AboutBuster and HijackThis.
AboutBuster 5.0 reference file 30
Scan started on [7/13/2005] at [6:10:28 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\baabf.log:ubbdui
Removed Stream! C:\WINDOWS\bcwzf.log:qdtxjy
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:mtmiwk
Removed Stream! C:\WINDOWS\bootstat.dat:iemddb
Removed Stream! C:\WINDOWS\clock.avi:dvrcld
Removed Stream! C:\WINDOWS\comsetup.log:vwkhfn
Removed Stream! C:\WINDOWS\CTDV10K2.CDF:hxwmh
Removed Stream! C:\WINDOWS\d3dx.dat:ctahvb
Removed Stream! C:\WINDOWS\dasetup.log:jqdot
Removed Stream! C:\WINDOWS\fahvm.dat:cwqkts
Removed Stream! C:\WINDOWS\foreo.txt:vxbxnu
Removed Stream! C:\WINDOWS\gciap.dat:lizeyq
Removed Stream! C:\WINDOWS\Gone Fishing.bmp:djsjaa
Removed Stream! C:\WINDOWS\Gone Fishing.bmp:fwylqm
Removed Stream! C:\WINDOWS\GTINFO.INI:xxqzko
Removed Stream! C:\WINDOWS\iis6.log:fmgtfn
Removed Stream! C:\WINDOWS\iumax.dat:ymqyzx
Removed Stream! C:\WINDOWS\KB828035.log:rcfvj
Removed Stream! C:\WINDOWS\KB835732.log:tlryrc
Removed Stream! C:\WINDOWS\KB837001.log:wgldld
Removed Stream! C:\WINDOWS\KB839643-DirectX9.log:uvqmah
Removed Stream! C:\WINDOWS\KB839645.log:gdcxsw
Removed Stream! C:\WINDOWS\KB840374.log:lycxf
Removed Stream! C:\WINDOWS\KB841873.log:zevlmh
Removed Stream! C:\WINDOWS\KB887742.log:lcktyn
Removed Stream! C:\WINDOWS\KB888113.log:jzzyp
Removed Stream! C:\WINDOWS\KB890046.log:dcczay
Removed Stream! C:\WINDOWS\KB890047.log:upgtw
Removed Stream! C:\WINDOWS\KB891781.log:ftmicq
Removed Stream! C:\WINDOWS\KB893803.log:nqmweu
Removed Stream! C:\WINDOWS\KB893803v2.log:xtfvet
Removed Stream! C:\WINDOWS\KB896422.log:grwbgx
Removed Stream! C:\WINDOWS\LPT$VPN.923:ujrixt
Removed Stream! C:\WINDOWS\lvawa.log:qjmdos
Removed Stream! C:\WINDOWS\ODBC.INI:socgzi
Removed Stream! C:\WINDOWS\phhhb.log:dpvmts
Removed Stream! C:\WINDOWS\Q815021.log:maktyd
Removed Stream! C:\WINDOWS\Q817287.log:saiid
Removed Stream! C:\WINDOWS\regopt.log:vtltz
Removed Stream! C:\WINDOWS\SBWIN.INI:rkgqny
Removed Stream! C:\WINDOWS\sessmgr.setup.log:jlzwpi
Removed Stream! C:\WINDOWS\sessmgr.setup.log:qjyblz
Removed Stream! C:\WINDOWS\setupapi.log:oignx
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:abzfd
Removed Stream! C:\WINDOWS\spupdsvc.log:enrjda
Removed Stream! C:\WINDOWS\spupdsvc.log:sfnpni
Removed Stream! C:\WINDOWS\SYMEVENT.LOG:kgxdhs
Removed Stream! C:\WINDOWS\SYMEVENT.LOG:wokoxk
Removed Stream! C:\WINDOWS\vb.ini:btelex
Removed Stream! C:\WINDOWS\wmsetup.log:fgpvc
Removed Stream! C:\WINDOWS\yxtqy.dat:otcpgc
Removed Stream! C:\WINDOWS\{00000001-00000000-00000008-00001102-00000004-00531102}.CDF:ahpmh
------------------------------------------------
Removed File! : C:\Windows\gwzpb.dll
Removed File! : C:\Windows\jhvhd.dll
Removed File! : C:\Windows\rgdsn.dll
Removed File! : C:\Windows\rhfzn.dll
Removed File! : C:\Windows\untnf.dll
Removed File! : C:\Windows\System32\aiutq.dll
Removed File! : C:\Windows\System32\argds.dat
Removed File! : C:\Windows\System32\ckzkj.dll
Removed File! : C:\Windows\System32\yfetv.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:11:21 PM

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:25:41 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\ntji32.exe
C:\WINDOWS\system32\cruj32.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\$NtServicePackUninstall$\notepad.exe
C:\Download\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DC73983B-D030-AD00-8DD5-12322CEA9002} - C:\WINDOWS\atlqm32.dll
O2 - BHO: Class - {E67AAEA4-63EA-88A3-538E-D852FAE59639} - C:\WINDOWS\ntzz32.dll
O2 - BHO: Class - {F81F861E-BD6D-4CF2-2AC2-69DCF3E68324} - C:\WINDOWS\system32\atlok.dll
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_x63b8e1\printray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ntji32.exe] C:\WINDOWS\system32\ntji32.exe
O4 - HKLM\..\RunOnce: [netcr.exe] C:\WINDOWS\system32\netcr.exe
O4 - HKLM\..\RunOnce: [apift32.exe] C:\WINDOWS\system32\apift32.exe
O4 - HKLM\..\RunOnce: [crrz32.exe] C:\WINDOWS\crrz32.exe
O4 - HKLM\..\RunOnce: [javaop32.exe] C:\WINDOWS\javaop32.exe
O4 - HKLM\..\RunOnce: [cruj32.exe] C:\WINDOWS\system32\cruj32.exe
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: RealAudio.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B61ECA-6052-4A3F-88F9-D39ADAA280EE}: NameServer = 192.168.1.1
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netcr.exe" /s (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

End of KRC HijackThis Analyzer Log.
====================================================================
#4
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,481
OS: XP SP2
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CWSserviceRemove and unzip it to your desktop. It'll create a file called cwsserviceremove.reg. Do not run this yet.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).

Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\system32\ntji32.exe
C:\WINDOWS\system32\cruj32.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DC73983B-D030-AD00-8DD5-12322CEA9002} - C:\WINDOWS\atlqm32.dll
O2 - BHO: Class - {E67AAEA4-63EA-88A3-538E-D852FAE59639} - C:\WINDOWS\ntzz32.dll
O2 - BHO: Class - {F81F861E-BD6D-4CF2-2AC2-69DCF3E68324} - C:\WINDOWS\system32\atlok.dll
O4 - HKLM\..\Run: [ntji32.exe] C:\WINDOWS\system32\ntji32.exe
O4 - HKLM\..\RunOnce: [netcr.exe] C:\WINDOWS\system32\netcr.exe
O4 - HKLM\..\RunOnce: [apift32.exe] C:\WINDOWS\system32\apift32.exe
O4 - HKLM\..\RunOnce: [crrz32.exe] C:\WINDOWS\crrz32.exe
O4 - HKLM\..\RunOnce: [javaop32.exe] C:\WINDOWS\javaop32.exe
O4 - HKLM\..\RunOnce: [cruj32.exe] C:\WINDOWS\system32\cruj32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netcr.exe" /s (file missing)

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose YES when it informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot):

C:\WINDOWS\atlqm32.dll
C:\WINDOWS\ntzz32.dll
C:\WINDOWS\system32\atlok.dll
C:\WINDOWS\system32\ntji32.exe
C:\WINDOWS\system32\netcr.exe
C:\WINDOWS\system32\apift32.exe
C:\WINDOWS\crrz32.exe
C:\WINDOWS\javaop32.exe
C:\WINDOWS\system32\cruj32.exe

Double-click on the cwsserviceremove.reg file you unzipped to your desktop earlier. When it prompts to merge, click Yes. This will clear some registry entries left behind by the malware infections.

Restart and run a new HijackThis scan. Save the log file and post it here.

Please run an online virus scan at Panda ActiveScan. Save the results and bring them with you in your next post.
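The fix list in the post above was built by reading the log by eye: entries the helper picked are the ones that point at a generated-looking file name in C:\WINDOWS or C:\WINDOWS\system32, a BHO whose only name is the default "Class", a service with no owner and a missing binary, and IE search settings served from a res:// resource inside a local DLL. As an added example (not part of the thread and not a HijackThis feature), the Python below applies those same rules to a constructed sample made from lines in this thread. The prefix list, the two drop directories and the rule set are my assumptions tuned to this variant; the name pattern alone also matches a few legitimate files (netsh.exe, winmm.dll, ntsd.exe), which is why it is only applied to autostart, BHO and service entries, never to the running-process list.

```python
"""Triage a HijackThis log the way the helper in this thread did.

Added example: not part of the thread and not a HijackThis feature.
Flags the entry classes the helper told the poster to fix:
  R0/R1  search or start pages served from a res:// resource in a local DLL
  R3     "Default URLSearchHook is missing"
  O2     BHOs with the default name "Class" loading a generated-name DLL
  O4     Run/RunOnce values that launch a generated-name executable
  O23    services with an unknown owner whose binary is missing
"""
import re
from dataclasses import dataclass

# Naming scheme of the dropped binaries in this thread: a familiar-looking
# prefix, two random letters, an optional "32", then .exe or .dll
# (ntji32.exe, atlqm32.dll, crrz32.exe, d3vk.exe). Assumption: the prefix
# list was compiled by hand from the filenames on this page.
_PREFIXES = ("add", "api", "app", "atl", "cr", "d3", "ie", "ip", "java",
             "mfc", "ms", "net", "nt", "sdk", "sys", "win")
GENERATED_NAME = re.compile(
    r"^(?:%s)[a-z]{2}(?:32)?\.(?:exe|dll)$" % "|".join(_PREFIXES), re.I)

# The name pattern alone also matches a few legitimate files (netsh.exe,
# winmm.dll, ntsd.exe), so it is applied only to autostart, BHO and service
# entries whose file sits in the two directories this family drops into.
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass
class Finding:
    kind: str       # HijackThis section, e.g. "O4"
    reason: str     # why the line was flagged
    line: str       # the original log line
    path: str = ""  # file to remove, when the entry names one


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def _command_path(cmd):
    """First token of a Run value: the quoted path, or up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0].strip('"')


def _looks_generated(path):
    return bool(GENERATED_NAME.match(_basename(path))) and _dirname(path) in DROP_DIRS


def triage_line(line):
    """Return a Finding for one log line, or None if it looks benign."""
    line = line.strip()
    kind = line.split(" - ", 1)[0]
    if kind == "R3" and "URLSearchHook is missing" in line:
        return Finding(kind, "default URLSearchHook removed by the hijacker", line)
    if kind in ("R0", "R1"):
        m = re.search(r"=\s*res://(\S+?\.dll)", line, re.I)
        if m:
            return Finding(kind, "IE search/start page served from a local DLL", line, m.group(1))
    elif kind == "O2":
        m = re.match(r"O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$", line)
        if m and m.group(1).strip() == "Class" and _looks_generated(m.group(2)):
            return Finding(kind, "BHO with default name 'Class' loading a generated-name DLL", line, m.group(2))
    elif kind == "O4":
        m = re.match(r"O4 - .*?\[[^\]]*\]\s*(.+)$", line)
        if m and _looks_generated(_command_path(m.group(1))):
            return Finding(kind, "autostart of a generated-name executable", line, _command_path(m.group(1)))
    elif kind == "O23" and "Unknown owner" in line and "(file missing)" in line:
        path = _command_path(line.rsplit(" - ", 1)[-1])
        return Finding(kind, "unowned service pointing at a missing binary", line, path)
    return None


def triage(log_text):
    """Run triage_line over a whole log, skipping blank lines."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def files_to_remove(findings):
    """Distinct files named by the findings: the list that went into KillBox."""
    return sorted({f.path for f in findings if f.path})


# Constructed sample: lines copied from the logs in this thread, with the
# service's garbled display name shortened to plain ASCII.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {DC73983B-D030-AD00-8DD5-12322CEA9002} - C:\WINDOWS\atlqm32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ntji32.exe] C:\WINDOWS\system32\ntji32.exe
O4 - HKLM\..\RunOnce: [crrz32.exe] C:\WINDOWS\crrz32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F) - Unknown owner - C:\WINDOWS\system32\netcr.exe" /s (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind}: {f.reason}\n    {f.line}")
    print("KillBox list:", *files_to_remove(found), sep="\n    ")
```

Run it against a full log with `triage(open("hijackthis.log").read())`. Note that the "ATI Smart" service has an unknown owner too but is not flagged, because its binary is present; the helper above left it alone for the same reason, and so should any rule set, since an unsigned vendor service is common on machines of this era.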
#5
Registered User
Join Date: Jul 2005
Posts: 6
OS: XP Pro
Here are the log files you asked for.
Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW'
Found 'SearchAssistant' in 'SOFTWARE\Microsoft\Internet Explorer\Search'
Found 'SearchAssistant' in 'Software\Microsoft\Internet Explorer\Search'
Found '' in 'CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Found '' in 'SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Internet URL Shortcuts
Found 'Ab scissor.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Broadband comparison.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Credit counseling.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Credit report.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Crm software.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Debt credit card.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Escorts.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Fha.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Health insurance.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Help desk software.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Insurance home.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Loan for debt consolidation.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Loan for people with bad credit.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Marketing email.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Mortgage insurance.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Nevada corporations.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Online Betting Site.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Online gambling casino.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Online instant loan.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Order phentermine.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Payroll advance.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Personal loans online.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Personal loans with bad credit.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Prescription Drugs Rx Online.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Refinancing my mortgage.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Tahoe vacation rental.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Unsecured bad credit loans.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Videos.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'What is hydrocodone.url' in 'C:\Documents and Settings\Administrator\Favorites\Sites about\'
Found 'Only sex website.url' in 'C:\Documents and Settings\Administrator\Favorites\'
Files and Directories
Found 'Dc45.dll' in 'C:\RECYCLER\S-1-5-21-1659004503-1417001333-839522115-500'
Found 'hbmtu.dll' in 'C:\WINDOWS'
Found 'ppumn.dll' in 'C:\WINDOWS'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\RECYCLER\S-1-5-21-1659004503-1417001333-839522115-500\Dc45.dll' in shortcut areas.
Checking for 'C:\RECYCLER\S-1-5-21-1659004503-1417001333-839522115-500\Dc45.dll' in startup areas.
Cleaning 'C:\RECYCLER\S-1-5-21-1659004503-1417001333-839522115-500\Dc45.dll'
Checking for 'C:\WINDOWS\hbmtu.dll' in shortcut areas.
Checking for 'C:\WINDOWS\hbmtu.dll' in startup areas.
Cleaning 'C:\WINDOWS\hbmtu.dll'
Checking for 'C:\WINDOWS\ppumn.dll' in shortcut areas.
Checking for 'C:\WINDOWS\ppumn.dll' in startup areas.
Cleaning 'C:\WINDOWS\ppumn.dll'
Finished Cleaning

Logfile of HijackThis v1.99.1
Scan saved at 8:33:09 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\javagw.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {04E44D61-38BB-E8B2-A1A9-21ADD21CA485} - C:\WINDOWS\system32\winsj32.dll
O2 - BHO: Class - {4042A8E0-BAA2-710A-F824-37FCA490315F} - C:\WINDOWS\addul32.dll
O2 - BHO: Class - {77FD445F-CF6B-1197-7FEB-5C10F23E6515} - C:\WINDOWS\cryd.dll
O2 - BHO: Class - {9C387401-74A1-3A38-54D6-F1A1BFD62928} - C:\WINDOWS\apidx32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_x63b8e1\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [netfh.exe] C:\WINDOWS\system32\netfh.exe
O4 - HKLM\..\Run: [javagw.exe] C:\WINDOWS\system32\javagw.exe
O4 - HKLM\..\RunOnce: [mfccx32.exe] C:\WINDOWS\mfccx32.exe
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealAudio.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B61ECA-6052-4A3F-88F9-D39ADAA280EE}: NameServer = 192.168.1.1
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netcr.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Panda ActiveScan results:

Incident | Status | Location
Adware:Adware/SearchAid | No disinfected | C:\Documents and Settings\Administrator\Favorites\Only sex website.url
Adware:Adware/SearchAid | No disinfected | C:\Documents and Settings\Administrator\Favorites\Search the web.url
Adware:Adware/SearchAid | No disinfected | C:\Documents and Settings\Administrator\Favorites\Seven days of free porn.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line | No disinfected | C:\Documents and Settings\Administrator\Favorites\Sites about\What is hydrocodone.url
Spyware:Spyware/New.net | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200506260210.zip[NDNuninstall6_38.exe.000]
Spyware:Spyware/New.net | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200506260210.zip[newdotnet6_38.dll.000]
Spyware:Spyware/New.net | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200506260210.zip[uninstall3_88.exe.000]
Spyware:Spyware/New.net | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200506260210.zip[uninstall6_38.exe.000]
Spyware:Spyware/New.net | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200506260430.zip[newdDE18.000]
Adware:Adware/FunWeb | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3CJPEG.DLL.000]
Adware:Adware/FunWeb | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3HISTSW.DLL.000]
Adware:Adware/FunWeb | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[f3initialsetup1.0.0.8-2.inf.000]
Adware:Adware/FunWeb | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3PSSAVR.SCR.000]
Adware:Adware/FunWeb | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[f3PSSavr.scr.001]
Adware:Adware/FunWeb | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3RESTUB.DLL.000]
Adware:Adware/FunWeb | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3SCHMON.EXE.000]
Adware:Adware/FunWeb | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3WPHOOK.DLL.000]
Adware:Adware/MyWebSearch | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[M3OUTLCN.DLL.000]
Adware:Adware/MyWebSearch | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[M3SKIN.DLL.000]
Adware:Adware/MyWebSearch | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[MWSOEMON.EXE.000]
Adware: Adware/MyWebSearch | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[NPMYWEBS.DLL.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][adddk32.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][addpf.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][addse.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][apign.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][atlnu.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][atltd32.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][atlug.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][crwp32.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][d3kx.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][ipdg32.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][ippe32.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][mfcye32.exe.000]
Adware:Adware/SearchAid | No disinfected | C:\Program Files\Spyware Nuker
2004\backup\200507060100.zip[200507051742.zip.000][netic.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][sysmh32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][sysmu32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][sysst.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][winem.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[addvo32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[apiqq32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[crtl32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[iegk32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[mfcag32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[mspo.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[sysup.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[winab32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[winbj.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060158.zip.000][200507060132.zip.000][addao32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 
2004\backup\200507130210.zip[200507120522.zip.000][200507060158.zip.000][200507060132.zip.000][crbh32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060158.zip.000][200507060132.zip.000][mfcmm32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][200507060132.zip.000][addao32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][200507060132.zip.000][crbh32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][200507060132.zip.000][mfcmm32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][ipoo.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][javavm32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][mfcpm32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][msmf.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][netri32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][sdkqv32.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][sdkxy32.exe.000] Adware:Adware/SearchAid No disinfected 
C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][sdkzp.exe.000] Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[200507120522.zip.000][200507060332.zip.000][syszo32.exe.000] Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[aqezi.dll.000] Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[hiitu.dll.000] Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[pmlrk.dll.000] Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[wpsgd.dll.000] Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507130210.zip[yfccf.dll.000] Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\adddq.exe Adware:Adware/CWS.008k No disinfected C:\WINDOWS\appaz32.exe Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\d3qc32.exe Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\ipai.exe Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\ipka32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipnv32.exe Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\mfcun.exe Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\mscy.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\msoq32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\ntgb.exe Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\nttj32.exe Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\rekgz.dll Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apies32.exe Spyware:Spyware/ClearSearch No disinfected C:\WINDOWS\system32\IETie.dll Adware:Adware/CWS.008k No disinfected C:\WINDOWS\system32\sysme.exe Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\ufatd.dll |
|
|
|
|
#6 (permalink) |
|
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,481
OS: XP SP2
|
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.sfx.exe and uncompress the files to a folder on your Desktop. Run AboutBuster and click OK. Click the Update button to see if there are any updates. Close the program now.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {04E44D61-38BB-E8B2-A1A9-21ADD21CA485} - C:\WINDOWS\system32\winsj32.dll
O2 - BHO: Class - {4042A8E0-BAA2-710A-F824-37FCA490315F} - C:\WINDOWS\addul32.dll
O2 - BHO: Class - {77FD445F-CF6B-1197-7FEB-5C10F23E6515} - C:\WINDOWS\cryd.dll
O2 - BHO: Class - {9C387401-74A1-3A38-54D6-F1A1BFD62928} - C:\WINDOWS\apidx32.dll
O4 - HKLM\..\Run: [netfh.exe] C:\WINDOWS\system32\netfh.exe
O4 - HKLM\..\Run: [javagw.exe] C:\WINDOWS\system32\javagw.exe
O4 - HKLM\..\RunOnce: [mfccx32.exe] C:\WINDOWS\mfccx32.exe

Run AboutBuster and click the Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox, hitting the X button for each file. Choose YES when it informs you the file will be deleted on reboot, and choose NO when it asks if you want to reboot:

C:\WINDOWS\hbmtu.dll
C:\WINDOWS\system32\winsj32.dll
C:\WINDOWS\addul32.dll
C:\WINDOWS\cryd.dll
C:\WINDOWS\apidx32.dll
C:\WINDOWS\system32\netfh.exe
C:\WINDOWS\system32\javagw.exe
C:\WINDOWS\mfccx32.exe
C:\Documents and Settings\Administrator\Favorites\Only sex website.url
C:\Documents and Settings\Administrator\Favorites\Search the web.url
C:\Documents and Settings\Administrator\Favorites\Seven days of free porn.url
C:\Documents and Settings\Administrator\Favorites\Sites about
C:\WINDOWS\adddq.exe
C:\WINDOWS\appaz32.exe
C:\WINDOWS\d3qc32.exe
C:\WINDOWS\ipai.exe
C:\WINDOWS\ipka32.exe
C:\WINDOWS\ipnv32.exe
C:\WINDOWS\mfcun.exe
C:\WINDOWS\mscy.exe
C:\WINDOWS\msoq32.exe
C:\WINDOWS\ntgb.exe
C:\WINDOWS\nttj32.exe
C:\WINDOWS\rekgz.dll
C:\WINDOWS\system32\apies32.exe
C:\WINDOWS\system32\IETie.dll
C:\WINDOWS\system32\sysme.exe
C:\WINDOWS\system32\ufatd.dll

Restart and run a new HijackThis scan. Save the log file and post it here. Run a new HJT scan, and a new Panda ActiveScan. Save the results and bring them BOTH with you in your next post.
__________________
![]() |
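The fix list in the post above pairs each bad HJT entry with the file behind it, and the pattern is consistent: IE search pages redirected to a `res://` URL inside a DLL dropped straight into C:\WINDOWS, BHOs named just "Class" backed by DLLs in the same places, and Run/RunOnce entries whose label is nothing but the executable's own name. As an added example, not code from this thread, from HijackThis, or from any tool the moderator names, the Python script below parses HJT log lines and applies those three observations as triage heuristics, then lists the on-disk paths behind the hits for an analyst to review. The regexes, the `DROP_DIRS` list, the function names and the heuristics themselves are this example's own assumptions; the sample lines are excerpted from the logs posted in this thread and include benign entries to show they are left alone.

```python
"""Triage a HijackThis (HJT) log for the browser-hijack pattern seen in this thread.

Added example, not code from the thread, from HijackThis or from any tool the
moderator names. The regexes follow the R0/R1, O2 and O4 line shapes visible in
the posted logs; the heuristics are derived from the entries the moderator told
the poster to fix and are analyst aids, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<code>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
R_VALUE_RE = re.compile(r"^(?P<key>[^=]+?) = (?P<value>.*)$")
RES_DLL_RE = re.compile(r"^res://(?P<dll>[A-Za-z]:\\[^/]+?\.dll)", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[CL][UM])\\\.\.\\(?P<key>RunOnce|Run): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)', re.IGNORECASE)

# Where this thread's hijacker dropped its randomly named files (assumption: adjust per case).
DROP_DIRS = (r"c:\windows", r"c:\windows\system32")
GENERIC_BHO_NAMES = {"Class", "(no name)"}


@dataclass
class Finding:
    code: str    # HJT section code: R1, O2, O4 ...
    reason: str  # heuristic that fired
    path: str    # on-disk file the entry points at, "" when there is none
    line: str    # original log line


def _in_drop_dir(path: str) -> bool:
    """True when the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32 (no vendor subfolder)."""
    head, sep, _ = path.strip().strip('"').lower().rpartition("\\")
    return sep == "\\" and head in DROP_DIRS


def _check_r(body: str) -> Optional[Tuple[str, str]]:
    """R0/R1: IE start/search page pointing at a res:// URL inside a dropped DLL."""
    m = R_VALUE_RE.match(body)
    res = RES_DLL_RE.match(m.group("value")) if m else None
    if res and _in_drop_dir(res.group("dll")):
        return "IE search/start page served from a dropped DLL via res://", res.group("dll")
    return None


def _check_bho(body: str) -> Optional[Tuple[str, str]]:
    """O2: generic-name BHO backed by a dropped DLL, or a BHO whose DLL no longer exists."""
    m = BHO_RE.match(body)
    if not m:
        return None
    name, path = m.group("name"), m.group("path").strip()
    if path.lower() == "(no file)":
        return "BHO CLSID registered but its DLL is gone (orphan entry)", ""
    if name in GENERIC_BHO_NAMES and _in_drop_dir(path):
        return "BHO with a generic name backed by a DLL in a Windows directory", path
    return None


def _check_run(body: str) -> Optional[Tuple[str, str]]:
    """O4: Run/RunOnce launching a bare executable from a Windows directory."""
    m = RUN_RE.match(body)
    exe = EXE_RE.match(m.group("cmd")) if m else None
    if not exe or not _in_drop_dir(exe.group("path")):
        return None
    path = exe.group("path")
    if m.group("label").lower() == path.rpartition("\\")[2].lower():
        return "autostart whose label is just the executable's own name", path
    if m.group("key") == "RunOnce":
        return "RunOnce entry launching a bare executable from a Windows directory", path
    return None


CHECKS = {"R0": _check_r, "R1": _check_r, "O2": _check_bho, "O4": _check_run}


def triage(log_text: str) -> List[Finding]:
    """Parse an HJT log and return the entries that match one of the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("code") not in CHECKS:
            continue
        hit = CHECKS[m.group("code")](m.group("body"))
        if hit:
            findings.append(Finding(m.group("code"), hit[0], hit[1], raw.strip()))
    return findings


def cleanup_candidates(findings: List[Finding]) -> List[str]:
    """Unique on-disk paths behind the findings, for analyst review before any removal."""
    return sorted({f.path for f in findings if f.path}, key=str.lower)


# Constructed sample: lines excerpted from the logs posted in this thread (bad and benign).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hbmtu.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {04E44D61-38BB-E8B2-A1A9-21ADD21CA485} - C:\WINDOWS\system32\winsj32.dll
O2 - BHO: Class - {4042A8E0-BAA2-710A-F824-37FCA490315F} - C:\WINDOWS\addul32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AC744CBB-CAE9-45FF-286D-02D68E9FC988} - (no file)
O4 - HKLM\..\Run: [netfh.exe] C:\WINDOWS\system32\netfh.exe
O4 - HKLM\..\Run: [javagw.exe] C:\WINDOWS\system32\javagw.exe
O4 - HKLM\..\RunOnce: [mfccx32.exe] C:\WINDOWS\mfccx32.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.code}] {f.reason}\n    {f.line}")
    print("\nPaths to review:")
    for p in cleanup_candidates(hits):
        print("   ", p)
```

The orphan BHO with "(no file)" is reported but yields no path, since there is nothing on disk to remove; the `NeroCheck` entry is deliberately not flagged because its label differs from the file name, and `CTHELPER.EXE` has no drive path at all, so both fall through the heuristics exactly as the moderator's own list did.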
|
|
|
|
#7 (permalink) |
|
Registered User
Join Date: Jul 2005
Posts: 6
OS: XP Pro
|
I think you are getting close to finishing.
Logfile of HijackThis v1.99.1
Scan saved at 5:02:32 AM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\OPScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Download\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AC744CBB-CAE9-45FF-286D-02D68E9FC988} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_x63b8e1\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealAudio.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B61ECA-6052-4A3F-88F9-D39ADAA280EE}: NameServer = 192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Incident Status Location
Spyware:Spyware/New.net No disinfected C:\Program Files\Spyware Nuker 2004\backup\200506260210.zip[NDNuninstall6_38.exe.000]
Spyware:Spyware/New.net No disinfected C:\Program Files\Spyware Nuker 2004\backup\200506260210.zip[newdotnet6_38.dll.000]
Spyware:Spyware/New.net No disinfected C:\Program Files\Spyware Nuker 2004\backup\200506260210.zip[uninstall3_88.exe.000]
Spyware:Spyware/New.net No disinfected C:\Program Files\Spyware Nuker 2004\backup\200506260210.zip[uninstall6_38.exe.000]
Spyware:Spyware/New.net No disinfected C:\Program Files\Spyware Nuker 2004\backup\200506260430.zip[newdDE18.000]
Adware:Adware/FunWeb No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3CJPEG.DLL.000]
Adware:Adware/FunWeb No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3HISTSW.DLL.000]
Adware:Adware/FunWeb No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[f3initialsetup1.0.0.8-2.inf.000]
Adware:Adware/FunWeb No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3PSSAVR.SCR.000]
Adware:Adware/FunWeb No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[f3PSSavr.scr.001]
Adware:Adware/FunWeb No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3RESTUB.DLL.000]
Adware:Adware/FunWeb No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3SCHMON.EXE.000]
Adware:Adware/FunWeb No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[F3WPHOOK.DLL.000]
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[M3OUTLCN.DLL.000]
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[M3SKIN.DLL.000]
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[MWSOEMON.EXE.000]
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507050412.zip[NPMYWEBS.DLL.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][adddk32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][addpf.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][addse.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][apign.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][atlnu.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][atltd32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][atlug.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][crwp32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][d3kx.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][ipdg32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][ippe32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][mfcye32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][netic.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][sysmh32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][sysmu32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][sysst.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[200507051742.zip.000][winem.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[addvo32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[apiqq32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[crtl32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[iegk32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[mfcag32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[mspo.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[sysup.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[winab32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507060100.zip[winbj.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060158.zip.000][200507060132.zip.000][addao32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060158.zip.000][200507060132.zip.000][crbh32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060158.zip.000][200507060132.zip.000][mfcmm32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][200507060132.zip.000][addao32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][200507060132.zip.000][crbh32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][200507060132.zip.000][mfcmm32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][ipoo.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][javavm32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][mfcpm32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][msmf.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][netri32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][sdkqv32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][sdkxy32.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][sdkzp.exe.000]
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][syszo32.exe.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][aqezi.dll.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][hiitu.dll.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][pmlrk.dll.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][wpsgd.dll.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][yfccf.dll.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[adddq.exe.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[biffl.dll.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[d3qc32.exe.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[ekkel.dll.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[ipai.exe.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[ipka32.exe.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[mfcun.exe.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[mscy.exe.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[nttj32.exe.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[rekgz.dll.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[tvhqs.dll.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[ufatd.dll.000]
Spyware:Spyware/ClearSearch No disinfected C:\WINDOWS\system32\IETie.dll |
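The ActiveScan output above lists each detection as a name, a status and a path in which every [ ] segment is a member nested inside the archive before it. The distinction a reviewer draws from such output is between detections buried inside an archive under one folder (here the anti-spyware tool's own backup zips) and loose files that are live on disk (here C:\WINDOWS\system32\IETie.dll). The following Python parser is an added example, not code from the thread or from Panda; the sample lines are constructed from entries in the output above, and the line format it assumes (name, status words, then a path starting with a drive letter) is an assumption drawn from those lines.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the ActiveScan result lines posted above.
SAMPLE_RESULTS = r"""
Adware:Adware/SearchAid No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][200507120522.zip.000][200507060332.zip.000][mfcmm32.exe.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[200507130210.zip.000][aqezi.dll.000]
Adware:Adware/Startpage.VQ No disinfected C:\Program Files\Spyware Nuker 2004\backup\200507140318.zip[adddq.exe.000]
Spyware:Spyware/ClearSearch No disinfected C:\WINDOWS\system32\IETie.dll
""".strip().splitlines()

# Assumed layout: "<name> <status words> <drive>:\<path>[member][member]...".
# The path is anchored on the drive letter so the status may contain spaces.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<status>.+?)\s+(?P<path>[A-Za-z]:\\.+)$")


def parse_result(line):
    """Split one result line into name, status, the on-disk container file,
    the nested archive members (outermost first) and the container's folder.
    Returns None for a line that does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    container, _, rest = path.partition("[")
    # rest looks like "a.zip.000][b.exe.000]"; each piece keeps a trailing ']'
    members = [p.rstrip("]") for p in rest.split("[") if p] if rest else []
    return {
        "name": m.group("name"),
        "status": m.group("status"),
        "container": container,
        "members": members,
        "folder": container.rsplit("\\", 1)[0],
        "in_archive": bool(members),
    }


def summarize(lines):
    """Count detections per container folder and list the loose (non-archived)
    files separately, since those are the ones actually present on disk."""
    by_folder = Counter()
    loose = []
    for line in lines:
        r = parse_result(line)
        if r is None:
            continue
        by_folder[r["folder"]] += 1
        if not r["in_archive"]:
            loose.append(r["container"])
    return by_folder, loose


if __name__ == "__main__":
    folders, loose_files = summarize(SAMPLE_RESULTS)
    for folder, n in folders.most_common():
        print(f"{n:3d} detection(s) under {folder}")
    print("loose files on disk:", loose_files or "none")
```

Run as a script it reports how many detections sit under the backup folder versus how many are loose files; feeding it the full output from the post gives the same split the moderator acts on in the next reply.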
#8
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,481
OS: XP SP2
Empty this folder:
C:\Program Files\Spyware Nuker 2004\backup\
It contains backups of the bad guys.

HJT log is looking much better now. Stay in Normal Mode and do the following HJT fixes.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AC744CBB-CAE9-45FF-286D-02D68E9FC988} - (no file)

Re-run HJT to produce a new log. Save the results and bring them with you in your next post.
__________________
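Triage of the HJT fix lines above, as an added example that is not from the thread or from HijackThis itself: a small Python parser that flags the entry shapes the moderator asked to fix (an IE page or search value that is blank or about:blank, a missing URLSearchHook, and a BHO with no name or no backing file) while leaving named entries that point at an existing file alone. The sample log lines are constructed from entries posted in this thread; the entry layouts the regexes assume are taken from those lines.

```python
import re

# Constructed sample: the four lines the moderator asked to fix, followed by
# benign entries of the same kinds taken from the clean log later in the thread.
SAMPLE_LOG = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {AC744CBB-CAE9-45FF-286D-02D68E9FC988} - (no file)",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
]

# "<code> - <body>": HJT entry codes are a letter (R, F, N, O) and a number.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# R0/R1 body: "<hive\key>,<setting> = <value>" (value may be empty).
R_RE = re.compile(r"^(?P<key>HK[A-Z]+\\[^,]+),(?P<setting>[^=]+?)\s*=\s*(?P<value>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <file>".
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")


def triage_line(line):
    """Return (code, reason) when the entry matches one of the shapes flagged in
    this thread, otherwise None (unparsable lines and benign entries alike)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        r = R_RE.match(body)
        # A page/search setting wiped to nothing or about:blank is the residue
        # a hijacker leaves behind; reset it to a known-good value.
        if r and r.group("value").strip().lower() in ("", "about:blank"):
            return (code, "blank IE setting: " + r.group("setting").strip())
    elif code == "R3" and "is missing" in body:
        return (code, "default URLSearchHook missing")
    elif code == "O2":
        b = O2_RE.match(body)
        # A BHO that reports no name or no file is an orphaned registration.
        if b and (b.group("name") == "(no name)" or b.group("file") == "(no file)"):
            return (code, "BHO with no name or no backing file: " + b.group("clsid"))
    return None


def triage(lines):
    """All flagged (code, reason) pairs, in log order."""
    return [hit for hit in (triage_line(l) for l in lines) if hit]


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}")
```

The rules are deliberately narrow: a non-blank Start Page such as the iwon.com one, the ProxyOverride entry and a BHO that names a real file all pass through untouched, which matches the moderator's reading of the later log as clean.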
#9
Registered User
Join Date: Jul 2005
Posts: 6
OS: XP Pro
I think we have the problem solved, but I will wait to hear from you first.
Logfile of HijackThis v1.99.1
Scan saved at 2:31:02 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Download\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_x63b8e1\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealAudio.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B61ECA-6052-4A3F-88F9-D39ADAA280EE}: NameServer = 192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#10
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,481
OS: XP SP2
Your log is clean.
Please clear your System Restore Points by doing the following:

To turn off System Restore, click Start > right-click My Computer and then click Properties. Click the System Restore tab > check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK. Reboot your system.

Now create a new Restore Point:

To turn on System Restore, click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.
__________________