PAL Spyware Remover hijacking IE browser

#1 jpf232 (Full Member, 11 posts)
Posted 10 October 2004 - 04:32 PM

The URL is http://www3.palsol.c...html?hop=ad2004

I know the issue is with the first entry in the log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hop.clickbank...2004/spywarerem

I've fixed the entry with HiJackThis several times, but it reappears after each reboot.

Logfile of HijackThis v1.98.2
Scan saved at 5:26:45 PM, on 10/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hop.clickbank...2004/spywarerem
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [hpzcon04886g.exe] "C:\WINDOWS\System32\hpzcon04886g.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {02FF5D35-C95C-4A11-8E56-A364BC480FAF} - (no file) (HKCU)
O9 - Extra button: (no name) - {0FFF69D7-BCC5-4381-905A-D5AC0C10131A} - (no file) (HKCU)
O9 - Extra button: (no name) - {376DF6A6-7968-47F7-AB1C-D00340366FCD} - (no file) (HKCU)
O9 - Extra button: (no name) - {384B254C-19CA-4EF3-8AEE-CF3577D82A55} - (no file) (HKCU)
O9 - Extra button: (no name) - {48069FA9-2959-4A5A-BCDC-0C6380CFF9BB} - (no file) (HKCU)
O9 - Extra button: (no name) - {4D4A0652-3FBC-4953-8EF4-83BF0C71716F} - (no file) (HKCU)
O9 - Extra button: (no name) - {65652D35-A771-4419-A5FB-8837938E3B7E} - (no file) (HKCU)
O9 - Extra button: (no name) - {6B8FA33B-C793-4705-B805-3D03B2EC17F1} - (no file) (HKCU)
O9 - Extra button: (no name) - {6DA4D93E-E006-4C40-B2B6-FDB39F68CA30} - (no file) (HKCU)
O9 - Extra button: (no name) - {758924A5-2960-48A9-9EB6-446F16FBF134} - (no file) (HKCU)
O9 - Extra button: (no name) - {85683895-FC21-46FF-8130-BE2667130413} - (no file) (HKCU)
O9 - Extra button: (no name) - {89E65533-354F-4C89-A03F-86263C99654A} - (no file) (HKCU)
O9 - Extra button: (no name) - {916832BD-DD85-45C8-BABD-E7F743FBDC6A} - (no file) (HKCU)
O9 - Extra button: (no name) - {9231F2A4-9519-4A24-BB73-56D344C309E4} - (no file) (HKCU)
O9 - Extra button: (no name) - {98852F05-ED5F-4375-BC34-961BCD8A8419} - (no file) (HKCU)
O9 - Extra button: (no name) - {A8DAC690-E121-43BD-8E0C-E64A3BFB613D} - (no file) (HKCU)
O9 - Extra button: (no name) - {AA511718-8BEF-4FF7-B8B4-98C831163717} - (no file) (HKCU)
O9 - Extra button: (no name) - {ADC760B8-9D3C-45C5-AFDC-58A8099169D8} - (no file) (HKCU)
O9 - Extra button: (no name) - {B4A763AE-DF16-4CF2-A7AD-13DF4D72F15D} - (no file) (HKCU)
O9 - Extra button: (no name) - {BED3B1ED-1A33-404A-BE06-9FD78E7CBE31} - (no file) (HKCU)
O9 - Extra button: (no name) - {C3D7880D-A81D-4D98-A207-75174176FC18} - (no file) (HKCU)
O9 - Extra button: (no name) - {CAE80948-ECB7-4AA4-BDEC-D069086066CA} - (no file) (HKCU)
O9 - Extra button: (no name) - {CD66F402-2A4C-43D9-9282-F8AEC505C672} - (no file) (HKCU)
O9 - Extra button: (no name) - {D646DD0C-D385-4905-935A-58A7A688115A} - (no file) (HKCU)
O9 - Extra button: (no name) - {E342E480-8F27-4DCD-82A0-EFD50F0BC69E} - (no file) (HKCU)
O9 - Extra button: (no name) - {EB23BED4-EB6F-4520-AE02-E89B6DF6ED53} - (no file) (HKCU)
O9 - Extra button: (no name) - {EFAAD7EB-A9FC-49DF-8D1B-93E62BA11627} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cabview223b.dll

Thanks for your assistance.

#2 jpf232 (Full Member, 11 posts)
Posted 12 October 2004 - 11:53 AM

bump

#3 Swandog46 (Forum Deity, Retired Staff, 10,190 posts)
Posted 15 October 2004 - 08:02 PM

Dear jpf232,

Hello and welcome to SWI. Thank you for your patience. I have reviewed your HijackThis log and it does not appear to be too bad. :p

First of all, you may want to print out this post so that you have a hard copy of these instructions.

Please download Registrar Lite from here:
http://www.resplende...oad/reglite.exe
Install and run it. Please copy and paste the following registry key to the "address bar" at the top of the screen and then click "Go":

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Please right-click the Windows key in the left-hand panel and choose "Rename". Rename the key to WindowsOld. Then double-click on the AppInit_DLLs entry in the right-hand panel. In the "value" field should appear the following data:
C:\WINDOWS\system32\cabview223b.dll

Please delete this data, and then click OK. Then please rename the WindowsOld key in the left-hand panel back to Windows. Close Registrar Lite.

Next, please run HijackThis and click "Scan." Place a check next to the following entry:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hop.clickbank...2004/spywarerem


Close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis remove the entry you checked.

Finally, please restart your computer and then post a new HijackThis log. :D

#4 jpf232 (Full Member, 11 posts)
Posted 16 October 2004 - 01:44 PM

Logfile of HijackThis v1.98.2
Scan saved at 2:40:06 PM, on 10/16/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buy-1800wneii...=173&affid=6769
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [hpzcon04886g.exe] "C:\WINDOWS\System32\hpzcon04886g.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {02FF5D35-C95C-4A11-8E56-A364BC480FAF} - (no file) (HKCU)
O9 - Extra button: (no name) - {0FFF69D7-BCC5-4381-905A-D5AC0C10131A} - (no file) (HKCU)
O9 - Extra button: (no name) - {1DC94F46-59F9-4062-B4E7-27151AA09F00} - (no file) (HKCU)
O9 - Extra button: (no name) - {376DF6A6-7968-47F7-AB1C-D00340366FCD} - (no file) (HKCU)
O9 - Extra button: (no name) - {384B254C-19CA-4EF3-8AEE-CF3577D82A55} - (no file) (HKCU)
O9 - Extra button: (no name) - {48069FA9-2959-4A5A-BCDC-0C6380CFF9BB} - (no file) (HKCU)
O9 - Extra button: (no name) - {4D4A0652-3FBC-4953-8EF4-83BF0C71716F} - (no file) (HKCU)
O9 - Extra button: (no name) - {65652D35-A771-4419-A5FB-8837938E3B7E} - (no file) (HKCU)
O9 - Extra button: (no name) - {6B8FA33B-C793-4705-B805-3D03B2EC17F1} - (no file) (HKCU)
O9 - Extra button: (no name) - {6DA4D93E-E006-4C40-B2B6-FDB39F68CA30} - (no file) (HKCU)
O9 - Extra button: (no name) - {758924A5-2960-48A9-9EB6-446F16FBF134} - (no file) (HKCU)
O9 - Extra button: (no name) - {8538AAC7-9E5D-4F91-990A-8B710D69DB31} - (no file) (HKCU)
O9 - Extra button: (no name) - {85683895-FC21-46FF-8130-BE2667130413} - (no file) (HKCU)
O9 - Extra button: (no name) - {89E65533-354F-4C89-A03F-86263C99654A} - (no file) (HKCU)
O9 - Extra button: (no name) - {916832BD-DD85-45C8-BABD-E7F743FBDC6A} - (no file) (HKCU)
O9 - Extra button: (no name) - {9231F2A4-9519-4A24-BB73-56D344C309E4} - (no file) (HKCU)
O9 - Extra button: (no name) - {98852F05-ED5F-4375-BC34-961BCD8A8419} - (no file) (HKCU)
O9 - Extra button: (no name) - {A8DAC690-E121-43BD-8E0C-E64A3BFB613D} - (no file) (HKCU)
O9 - Extra button: (no name) - {AA511718-8BEF-4FF7-B8B4-98C831163717} - (no file) (HKCU)
O9 - Extra button: (no name) - {ADC760B8-9D3C-45C5-AFDC-58A8099169D8} - (no file) (HKCU)
O9 - Extra button: (no name) - {B4A763AE-DF16-4CF2-A7AD-13DF4D72F15D} - (no file) (HKCU)
O9 - Extra button: (no name) - {B9E8D850-9832-4B10-833E-0269EC04026A} - (no file) (HKCU)
O9 - Extra button: (no name) - {BED3B1ED-1A33-404A-BE06-9FD78E7CBE31} - (no file) (HKCU)
O9 - Extra button: (no name) - {C3D7880D-A81D-4D98-A207-75174176FC18} - (no file) (HKCU)
O9 - Extra button: (no name) - {CAE80948-ECB7-4AA4-BDEC-D069086066CA} - (no file) (HKCU)
O9 - Extra button: (no name) - {CD66F402-2A4C-43D9-9282-F8AEC505C672} - (no file) (HKCU)
O9 - Extra button: (no name) - {D646DD0C-D385-4905-935A-58A7A688115A} - (no file) (HKCU)
O9 - Extra button: (no name) - {E342E480-8F27-4DCD-82A0-EFD50F0BC69E} - (no file) (HKCU)
O9 - Extra button: (no name) - {EB23BED4-EB6F-4520-AE02-E89B6DF6ED53} - (no file) (HKCU)
O9 - Extra button: (no name) - {EFAAD7EB-A9FC-49DF-8D1B-93E62BA11627} - (no file) (HKCU)
O9 - Extra button: (no name) - {F8B413A3-EE49-47C5-9C39-BBA6484C1A18} - (no file) (HKCU)
O9 - Extra button: (no name) - {FA1A03D0-3BFA-4C70-AC5F-B1F961DA13DC} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\KBDFI336s.dll
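
Reading this log against the one in post #1 is the check a responder does by eye: the R0 start page has changed, the same odd autostart is still in HKCU\..\Run, and the O20 AppInit_DLLs entry is back under a different file name. The script below is an added example (not code from the thread or from HijackThis) that does that triage and scan-to-scan comparison over excerpts of the logs posted here. The sample logs are copied from the posts above with process lists omitted and URLs left truncated as the forum rendered them; `TRUSTED_START_PAGES` and the `RANDOMISH` name heuristic are constructed for the example, not anything HijackThis itself does.

```python
"""Triage HijackThis logs and diff two scans of the same machine.

Added example; not code from the thread or from HijackThis. The sample logs are
short excerpts of the entry lines posted above (process lists omitted, URLs left
truncated exactly as the forum rendered them). The allow-list and the
"random-looking name" heuristic are constructed for this example.
"""
import re
from urllib.parse import urlsplit

TRUSTED_START_PAGES = {"about:blank", "www.google.com", "www.msn.com"}  # constructed

# cabview223b.dll, KBDFI336s.dll, hpzcon04886g.exe: a word, a digit run, one letter.
RANDOMISH = re.compile(r"^[a-z]{3,}\d{3,}[a-z]\.(?:dll|exe)$", re.I)


def hjt_entries(text):
    """All (section, body) pairs for lines shaped like 'R0 - ...' or 'O20 - ...'."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^(R\d|O\d+) - (.*)$", line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def appinit_dlls(text):
    """The O20 AppInit_DLLs value, or '' (HijackThis prints no O20 line when it is empty)."""
    for section, body in hjt_entries(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            return body.split(":", 1)[1].strip()
    return ""


def triage(text):
    """Return [(severity, section, reason, body)] for entries worth a second look."""
    findings = []
    for section, body in hjt_entries(text):
        if section in ("R0", "R1") and "Start Page = " in body:
            url = body.split("Start Page = ", 1)[1]
            host = urlsplit(url).netloc.lower() or url
            if host not in TRUSTED_START_PAGES:
                findings.append(("high", section, f"start page points at {host}", body))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every process that loads user32.dll also loads this DLL, which fits
            # the R0 fix being undone after each reboot.
            findings.append(("high", section, "AppInit_DLLs loader present", body))
        elif section == "O4":
            m = re.search(r'([A-Za-z]:\\[^"]*?\\system32\\([^\\"\s]+))', body, re.I)
            if m and RANDOMISH.match(m.group(2)):
                findings.append(("high", section, "random-looking autostart in System32", body))
        elif section == "O9" and "(no file)" in body:
            findings.append(("info", section, "orphaned IE button, no file on disk", body))
    return findings


def compare_scans(before, after):
    """What changed between two scans: added/removed entries and the AppInit_DLLs name."""
    a, b = set(hjt_entries(before)), set(hjt_entries(after))
    old, new = appinit_dlls(before), appinit_dlls(after)
    return {
        "appinit_before": old,
        "appinit_after": new,
        # A loader that comes back under a new file name after the old one was cleared.
        "appinit_renamed": bool(new) and new != old,
        "added": sorted(f"{s} - {x}" for s, x in b - a),
        "removed": sorted(f"{s} - {x}" for s, x in a - b),
    }


# Excerpts of the three logs in this thread (posts #1, #4 and #6).
SCAN_1 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hop.clickbank...2004/spywarerem
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [hpzcon04886g.exe] "C:\WINDOWS\System32\hpzcon04886g.exe"
O9 - Extra button: (no name) - {02FF5D35-C95C-4A11-8E56-A364BC480FAF} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\system32\cabview223b.dll
"""
SCAN_2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buy-1800wneii...=173&affid=6769
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [hpzcon04886g.exe] "C:\WINDOWS\System32\hpzcon04886g.exe"
O9 - Extra button: (no name) - {02FF5D35-C95C-4A11-8E56-A364BC480FAF} - (no file) (HKCU)
O9 - Extra button: (no name) - {1DC94F46-59F9-4062-B4E7-27151AA09F00} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\system32\KBDFI336s.dll
"""
SCAN_3 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {02FF5D35-C95C-4A11-8E56-A364BC480FAF} - (no file) (HKCU)
O9 - Extra button: (no name) - {1DC94F46-59F9-4062-B4E7-27151AA09F00} - (no file) (HKCU)
"""

if __name__ == "__main__":
    for sev, sec, why, body in triage(SCAN_1):
        print(f"[{sev}] {sec}: {why}\n    {body}")
    print(compare_scans(SCAN_1, SCAN_2))
```

The "(no file)" O9 buttons are reported at info level only: they are left-over HKCU registrations with nothing on disk, and the thread's final log still shows them in what the helper calls a clean log. The comparison function is the useful part for a case like this one: an O20 value that is non-empty and different from the previous scan means the loader was re-created rather than removed.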

#5 Swandog46 (Forum Deity, Retired Staff, 10,190 posts)
Posted 16 October 2004 - 10:42 PM

jpf232,

Looks like we didn't quite get everything. Please download TheKillbox from here:
http://www.downloads...org/KillBox.zip
Unzip it to the desktop, but do not run it yet. We will need it later.

Please run HijackThis and click "Scan". Then place checks next to the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buy-1800wneii...=173&affid=6769
O4 - HKCU\..\Run: [hpzcon04886g.exe] "C:\WINDOWS\System32\hpzcon04886g.exe"

Also, please put a check next to the entry marked "O20 - AppInit_DLLs" at the very bottom of the log. It currently looks like this:

O20 - AppInit_DLLs: C:\WINDOWS\system32\KBDFI336s.dll

However, it seems to keep changing its name, so it will most likely have a different file name by the time you are following these instructions. However, please write down whatever file name the entry uses before you check it, because you will need it again afterwards. Regardless of the precise file name the entry contains, please check it.

Then please close all open windows and then click "Fix Checked".

Now please run TheKillbox from the desktop. In the "Full path of file to delete" field, insert the full path and name of the file from the O20 entry you just removed. So for the example above, you would type C:\WINDOWS\system32\KBDFI336s.dll, but I emphasize that it is very likely that the name will have changed by the time you follow these instructions. Check "Delete on reboot" and then click the red button with the white cross to start the delete. Follow the prompts and restart your computer when requested.

After your computer has rebooted, please delete:
C:\WINDOWS\System32\hpzcon04886g.exe

Then please reboot your computer once more and then post a new HijackThis log. Hope we got it this time.... If not, I still have more tricks up my sleeve. :D
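
The clean-up in posts #3 and #5 is a fixed sequence: note the loader's current file name, clear AppInit_DLLs, remove the HKCU Run entry, queue the files for deletion at the next boot (a plain delete fails while the DLL is mapped into running processes), and reset the start page. Below is an added example that scripts that sequence; it is not the forum's or any tool's code. It keeps a pure `plan_cleanup()` that can be reviewed on any OS and a separate `apply_plan()` that needs Windows, administrator rights and the standard-library `winreg` module. The key and value names are the documented Windows locations; the DLL and exe names in the usage call are the ones from this thread and are sample input only. The Registrar Lite step of renaming the Windows key before clearing the value is not reproduced (the post does not say why it is needed and `winreg` has no rename call), and the claim that "delete on reboot" tools use MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is my assumption about how they commonly work, not something the post states.

```python
"""Scripted form of the registry clean-up in posts #3 and #5 (added example).

Not the forum's or any tool's code. plan_cleanup() is pure and runs anywhere, so
the plan can be reviewed before anything is touched; apply_plan() needs Windows,
administrator rights and the standard-library winreg module. The key names are
the documented Windows locations; the DLL/exe names in the usage call are the
ones from this thread and are only sample input.
"""
import sys

APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"  # HKLM, value AppInit_DLLs
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"            # HKCU
IE_MAIN_KEY = r"Software\Microsoft\Internet Explorer\Main"            # HKCU, value Start Page
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4                                     # kernel32 MoveFileExW flag


def split_appinit(value):
    """AppInit_DLLs holds zero or more paths separated by spaces or commas."""
    return value.replace(",", " ").split()


def plan_cleanup(appinit_value, run_values, start_page, safe_start_page="about:blank"):
    """Return the ordered actions the procedure performs, without executing them.

    run_values: {value_name: command} for the HKCU Run entries to remove.
    The loader's current file name is recorded first because, as post #5 notes,
    it can differ from the last scan; the plan must use what is there now.
    """
    plan = []
    dlls = split_appinit(appinit_value)
    for dll in dlls:
        plan.append(("record", dll))
    if dlls:
        plan.append(("set_value", "HKLM", APPINIT_KEY, "AppInit_DLLs", ""))
    for name, command in run_values.items():
        plan.append(("delete_value", "HKCU", RUN_KEY, name))
        plan.append(("delete_on_reboot", command.strip('"')))
    for dll in dlls:
        # The DLL is mapped into running processes, so a plain delete is refused;
        # queue it for the next boot (assumed to be what "delete on reboot" tools do).
        plan.append(("delete_on_reboot", dll))
    if start_page != safe_start_page:
        plan.append(("set_value", "HKCU", IE_MAIN_KEY, "Start Page", safe_start_page))
    return plan


def apply_plan(plan, dry_run=True):
    """Execute a plan on Windows; with dry_run=True only print what would happen."""
    if dry_run or sys.platform != "win32":
        for action in plan:
            print("would", *action)
        return
    import ctypes
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for action in plan:
        kind = action[0]
        if kind == "record":
            print("AppInit_DLLs currently loads", action[1])
        elif kind == "set_value":
            _, hive, key, name, data = action
            with winreg.OpenKey(hives[hive], key, 0, winreg.KEY_SET_VALUE) as k:
                winreg.SetValueEx(k, name, 0, winreg.REG_SZ, data)
        elif kind == "delete_value":
            _, hive, key, name = action
            with winreg.OpenKey(hives[hive], key, 0, winreg.KEY_SET_VALUE) as k:
                winreg.DeleteValue(k, name)
        elif kind == "delete_on_reboot":
            # Recorded in PendingFileRenameOperations and carried out by the
            # Session Manager early in the next boot, before user sessions start.
            if not ctypes.windll.kernel32.MoveFileExW(action[1], None, MOVEFILE_DELAY_UNTIL_REBOOT):
                raise ctypes.WinError()


if __name__ == "__main__":
    # Values as they appeared in the log in post #4 (sample input, not read from a live system).
    plan = plan_cleanup(
        r"C:\WINDOWS\system32\KBDFI336s.dll",
        {"hpzcon04886g.exe": r'"C:\WINDOWS\System32\hpzcon04886g.exe"'},
        "http://buy-1800wneii...=173&affid=6769",
    )
    apply_plan(plan, dry_run=True)
```

Run it once with `dry_run=True` and compare the printed plan with a fresh log before applying it: if the AppInit_DLLs name in the plan no longer matches the live value, the loader has been renamed again and the plan must be rebuilt from the current value, which is exactly the "write down whatever file name the entry uses" caveat above.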

#6 jpf232 (Full Member, 11 posts)
Posted 17 October 2004 - 05:40 PM

Logfile of HijackThis v1.98.2
Scan saved at 6:35:57 PM, on 10/17/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {02FF5D35-C95C-4A11-8E56-A364BC480FAF} - (no file) (HKCU)
O9 - Extra button: (no name) - {0FFF69D7-BCC5-4381-905A-D5AC0C10131A} - (no file) (HKCU)
O9 - Extra button: (no name) - {1DC94F46-59F9-4062-B4E7-27151AA09F00} - (no file) (HKCU)
O9 - Extra button: (no name) - {376DF6A6-7968-47F7-AB1C-D00340366FCD} - (no file) (HKCU)
O9 - Extra button: (no name) - {384B254C-19CA-4EF3-8AEE-CF3577D82A55} - (no file) (HKCU)
O9 - Extra button: (no name) - {48069FA9-2959-4A5A-BCDC-0C6380CFF9BB} - (no file) (HKCU)
O9 - Extra button: (no name) - {4D4A0652-3FBC-4953-8EF4-83BF0C71716F} - (no file) (HKCU)
O9 - Extra button: (no name) - {65652D35-A771-4419-A5FB-8837938E3B7E} - (no file) (HKCU)
O9 - Extra button: (no name) - {6B8FA33B-C793-4705-B805-3D03B2EC17F1} - (no file) (HKCU)
O9 - Extra button: (no name) - {6DA4D93E-E006-4C40-B2B6-FDB39F68CA30} - (no file) (HKCU)
O9 - Extra button: (no name) - {758924A5-2960-48A9-9EB6-446F16FBF134} - (no file) (HKCU)
O9 - Extra button: (no name) - {8538AAC7-9E5D-4F91-990A-8B710D69DB31} - (no file) (HKCU)
O9 - Extra button: (no name) - {85683895-FC21-46FF-8130-BE2667130413} - (no file) (HKCU)
O9 - Extra button: (no name) - {89E65533-354F-4C89-A03F-86263C99654A} - (no file) (HKCU)
O9 - Extra button: (no name) - {916832BD-DD85-45C8-BABD-E7F743FBDC6A} - (no file) (HKCU)
O9 - Extra button: (no name) - {9231F2A4-9519-4A24-BB73-56D344C309E4} - (no file) (HKCU)
O9 - Extra button: (no name) - {98852F05-ED5F-4375-BC34-961BCD8A8419} - (no file) (HKCU)
O9 - Extra button: (no name) - {A8DAC690-E121-43BD-8E0C-E64A3BFB613D} - (no file) (HKCU)
O9 - Extra button: (no name) - {AA511718-8BEF-4FF7-B8B4-98C831163717} - (no file) (HKCU)
O9 - Extra button: (no name) - {ADC760B8-9D3C-45C5-AFDC-58A8099169D8} - (no file) (HKCU)
O9 - Extra button: (no name) - {B4A763AE-DF16-4CF2-A7AD-13DF4D72F15D} - (no file) (HKCU)
O9 - Extra button: (no name) - {B9E8D850-9832-4B10-833E-0269EC04026A} - (no file) (HKCU)
O9 - Extra button: (no name) - {BED3B1ED-1A33-404A-BE06-9FD78E7CBE31} - (no file) (HKCU)
O9 - Extra button: (no name) - {C3D7880D-A81D-4D98-A207-75174176FC18} - (no file) (HKCU)
O9 - Extra button: (no name) - {CAE80948-ECB7-4AA4-BDEC-D069086066CA} - (no file) (HKCU)
O9 - Extra button: (no name) - {CD66F402-2A4C-43D9-9282-F8AEC505C672} - (no file) (HKCU)
O9 - Extra button: (no name) - {D646DD0C-D385-4905-935A-58A7A688115A} - (no file) (HKCU)
O9 - Extra button: (no name) - {E342E480-8F27-4DCD-82A0-EFD50F0BC69E} - (no file) (HKCU)
O9 - Extra button: (no name) - {EB23BED4-EB6F-4520-AE02-E89B6DF6ED53} - (no file) (HKCU)
O9 - Extra button: (no name) - {EFAAD7EB-A9FC-49DF-8D1B-93E62BA11627} - (no file) (HKCU)
O9 - Extra button: (no name) - {F8B413A3-EE49-47C5-9C39-BBA6484C1A18} - (no file) (HKCU)
O9 - Extra button: (no name) - {FA1A03D0-3BFA-4C70-AC5F-B1F961DA13DC} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab

#7 Swandog46 (Forum Deity, Retired Staff, 10,190 posts)
Posted 17 October 2004 - 09:07 PM

Hi jpf232 :)

Your log looks clean to me. Are you still having any symptoms of infection?

#8 jpf232 (Full Member, 11 posts)
Posted 18 October 2004 - 01:57 PM

Things look good right now. I just turned on my pc and the problem appears to be gone.

Thank you for your help on this matter. Have a great day.

#9 Swandog46 (Forum Deity, Retired Staff, 10,190 posts)
Posted 18 October 2004 - 07:00 PM

Dear jpf232,

Glad to hear it is gone! :D
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we at SWI are to help you, for your sake we would rather not have repeat customers. :p


1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following programs:

Ad-Aware
http://www.lavasoftu...oftware/adaware
Spybot-Search & Destroy
http://www.safer-net...org/en/download
SpywareBlaster
http://www.javacools...areblaster.html
SpywareGuard
http://www.javacools...ywareguard.html

Keeping these programs up-to-date and running them regularly can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://ftp.mozilla.o.....tup 1.0PR.exe

4) Also make sure to run your anti-virus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. A good free firewall is ZoneAlarm, available at http://www.zonelabs....reeDownload.jsp.

You may also want to read Tony Klein's article on "How I got Infected in the First Place":
http://forums.net-in...?showtopic=3051

Hopefully this should take care of your problems! Good luck. :D

#10 WinHelp2002 (Taking back the Internet, Retired Staff, 5,365 posts)
Posted 16 November 2004 - 08:00 AM

Glad to see you were able to resolve your problem.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file