• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
gbasham

HijackThis log check please!

6 posts in this topic

I just scanned using HiJack This and have created a log which needs reviewed. I have an idead as to which files are corrupt but would like another opinion. Thanks!

Logfile of HijackThis v1.97.7

Scan saved at 10:59:17 AM, on 6/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\WINDOWS\netyo32.exe

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\WINDOWS\iegr32.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Palm\hotsync.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\webshots.scr

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=99

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iucia.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iucia.dll/index.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://iucia.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iucia.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iucia.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iucia.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {73BBFCD2-1DDD-E846-38F4-C12CBBE9C89E} - C:\WINDOWS\sdkol.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd

O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe

O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup

O4 - HKLM\..\Run: [iegr32.exe] C:\WINDOWS\iegr32.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKLM\..\RunOnce: [netyo32.exe] C:\WINDOWS\netyo32.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab

O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1067871399557

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3FE489A9-B78F-4698-9563-0AEC1080DFD0} - http://www.e-trends.com/globalconfig/nsconfig_th.cab

O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx

O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll

O16 - DPF: {4F350B99-4763-48DE-AD8A-9199433CE496} - http://www.e-trends.com/globalconfig/nsconfig_th.cab

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4010/ftp...21/cpbrkpie.cab

O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp...20/cpbrxpie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Edited by gbasham

Share this post


Link to post
Share on other sites

Hi gbasham,

 

First, go to Add/Remove Programs and uninstall WinTools. If you get an error, boot into safe mode and uninstall while in safe mode.

 

Next, move hijackthis into it's own permanent folder on your hard drive (Ex: C:\HJT). Run it from that location and place check marks in the following entries. Tell HijackThis to 'Fix checked' (make sure all windows except HijackThis are closed).

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=99

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99

O2 - BHO: (no name) - {73BBFCD2-1DDD-E846-38F4-C12CBBE9C89E} - C:\WINDOWS\sdkol.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd

O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe

O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup

O4 - HKLM\..\Run: [iegr32.exe] C:\WINDOWS\iegr32.exe

O4 - HKLM\..\RunOnce: [netyo32.exe] C:\WINDOWS\netyo32.exe

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4010/ftp...21/cpbrkpie.cab

O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp...20/cpbrxpie.cab

 

Configure your computer to show hidden files.

 

Then reboot your computer in safe mode and delete the following folders:

C:\PROGRAM FILES\ACCELE~1

 

Reboot your computer.

 

Next, go here and download a program called About:Buster:

http://tools.zerosrealm.com/AboutBuster.zip

 

Extract the .exe file to your desktop, then run it. Click Ok twice and then click start to begin the scan. This will scan your computer for the bad files responsible for your homepage hijacker. When finished, copy the contents of that report back into this thread, along with a new hijackthis log.

Share this post


Link to post
Share on other sites

Thanks for your help. AboutBuster scanned but didn't seem to remove. I still have the wrong homepage. Here are the current logs. When I went to check the items from the original HiJackThis log, some of the items were not there. I checked the ones that were.

 

About:Buster Version 1.21

Error Removing! : C:\WINDOWS\iepc32.exe

Error Removing! : C:\WINDOWS\mfcnq32.exe

Error Removing! : C:\WINDOWS\sdkol.exe

Error Removing! : C:\WINDOWS\cctbr.dat

Error Removing! : C:\WINDOWS\cgggp.dat

Error Removing! : C:\WINDOWS\djfkdu.dat

Error Removing! : C:\WINDOWS\exzzly.dat

Error Removing! : C:\WINDOWS\fuqwc.dat

Error Removing! : C:\WINDOWS\gvlbwg.dat

Error Removing! : C:\WINDOWS\gymkc.dat

Error Removing! : C:\WINDOWS\jkewxn.dat

Error Removing! : C:\WINDOWS\jrxfia.dat

Error Removing! : C:\WINDOWS\kbbioo.dat

Error Removing! : C:\WINDOWS\kcuzxv.dat

Error Removing! : C:\WINDOWS\kwpjre.dat

Error Removing! : C:\WINDOWS\piwqe.dat

Error Removing! : C:\WINDOWS\qtvaq.dat

Error Removing! : C:\WINDOWS\ujgym.dat

Error Removing! : C:\WINDOWS\wdjzr.dat

Error Removing! : C:\WINDOWS\wnexe.dat

Error Removing! : C:\WINDOWS\yjcoby.dat

Error Removing! : C:\WINDOWS\yvpil.dat

Error Removing! : C:\WINDOWS\zmvkwf.dat

Error Removing! : C:\WINDOWS\iucia.dll

Error Removing! : C:\WINDOWS\System32\adddc32.exe

Error Removing! : C:\WINDOWS\System32\addeg.exe

Error Removing! : C:\WINDOWS\System32\kwood.dll

Error Removing! : C:\WINDOWS\System32\qaqyg.dll

Error Removing! : C:\WINDOWS\System32\ehkct.dat

Error Removing! : C:\WINDOWS\System32\fjlcr.dat

Error Removing! : C:\WINDOWS\System32\kcuzx.dat

Error Removing! : C:\WINDOWS\System32\ngwok.dat

Error Removing! : C:\WINDOWS\System32\ofluj.dat

Error Removing! : C:\WINDOWS\System32\ukfkz.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

Logfile of HijackThis v1.97.7

Scan saved at 12:10:53 AM, on 6/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\mfcnq32.exe

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\iegr32.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Palm\hotsync.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\webshots.scr

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qaqyg.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qaqyg.dll/index.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qaqyg.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qaqyg.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qaqyg.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qaqyg.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {6D58C42B-F3E4-0DB4-ADBC-A8C500E70B4A} - C:\WINDOWS\system32\appgc.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iegr32.exe] C:\WINDOWS\iegr32.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab

O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1067871399557

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3FE489A9-B78F-4698-9563-0AEC1080DFD0} - http://www.e-trends.com/globalconfig/nsconfig_th.cab

O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx

O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll

O16 - DPF: {4F350B99-4763-48DE-AD8A-9199433CE496} - http://www.e-trends.com/globalconfig/nsconfig_th.cab

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4010/ftp...21/cpbrkpie.cab

O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp...20/cpbrxpie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

 

Thanks again OSC. I know we must be on the right track.

Share this post


Link to post
Share on other sites

Hi gbasham,

 

Well, for some reason that tool could not remove the bad files. Are you logged on with an account that has administrative rights?? This tool needs administrative rights to work properly.

 

As long as your login account has admin rights, boot into safe mode and run about:buster, following the same removal procedure. Copy the about:buster log and reboot your computer. Post that log back into this thread along with an updated hijackthis log.

Share this post


Link to post
Share on other sites

Thanks OSC. Here is my 3rd scan of each. I have removede WinTools and opened my hidden files. I couldn't find the C:\PROGRAM FILES\ACCELE file.

 

About:Buster Version 1.21

Removed! : C:\WINDOWS\iebu32.exe

Removed! : C:\WINDOWS\ipfc32.exe

Removed! : C:\WINDOWS\qtvaq.dat

Removed! : C:\WINDOWS\System32\ntlw.exe

Removed! : C:\WINDOWS\System32\sdkbs32.exe

Removed! : C:\WINDOWS\System32\qaqyg.dll

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed __NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

Logfile of HijackThis v1.97.7

Scan saved at 9:12:47 AM, on 6/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Palm\hotsync.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\webshots.scr

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\iegr32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\mswz.exe

C:\Program Files\Windows NT\Accessories\wordpad.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {6D58C42B-F3E4-0DB4-ADBC-A8C500E70B4A} - C:\WINDOWS\system32\appgc.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iegr32.exe] C:\WINDOWS\iegr32.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKLM\..\RunOnce: [sdkbs32.exe] C:\WINDOWS\system32\sdkbs32.exe

O4 - HKLM\..\RunOnce: [ipfc32.exe] C:\WINDOWS\ipfc32.exe

O4 - HKLM\..\RunOnce: [ntlw.exe] C:\WINDOWS\system32\ntlw.exe

O4 - HKLM\..\RunOnce: [mswz.exe] C:\WINDOWS\mswz.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab

O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1067871399557

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3FE489A9-B78F-4698-9563-0AEC1080DFD0} - http://www.e-trends.com/globalconfig/nsconfig_th.cab

O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx

O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll

O16 - DPF: {4F350B99-4763-48DE-AD8A-9199433CE496} - http://www.e-trends.com/globalconfig/nsconfig_th.cab

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Share this post


Link to post
Share on other sites

Hi gbasham,

 

Run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {6D58C42B-F3E4-0DB4-ADBC-A8C500E70B4A} - C:\WINDOWS\system32\appgc.dll

O4 - HKLM\..\Run: [iegr32.exe] C:\WINDOWS\iegr32.exe

O4 - HKLM\..\RunOnce: [sdkbs32.exe] C:\WINDOWS\system32\sdkbs32.exe

O4 - HKLM\..\RunOnce: [ipfc32.exe] C:\WINDOWS\ipfc32.exe

O4 - HKLM\..\RunOnce: [ntlw.exe] C:\WINDOWS\system32\ntlw.exe

O4 - HKLM\..\RunOnce: [mswz.exe] C:\WINDOWS\mswz.exe

 

Since we had some repeat entries in here, please download the latest version of about:buster again from here:

http://tools.zerosrealm.com/AboutBuster.zip

 

and run it one more time, this time in regular mode. Post the contents back here. Also post a new hijackthis log.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0