jpf232

PAL Spyware Remover hijacking IE browser


The url is http://www3.palsol.com/spyrem_offer/index.html?hop=ad2004

 

I know the issue is with the first entry in the log:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hop.clickbank.net/?ad2004/spywarerem

 

I've fixed the entry with HiJackThis several times, but it reappears after each reboot.

 

Logfile of HijackThis v1.98.2

Scan saved at 5:26:45 PM, on 10/10/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HiJack This\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hop.clickbank.net/?ad2004/spywarerem

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKCU\..\Run: [hpzcon04886g.exe] "C:\WINDOWS\System32\hpzcon04886g.exe"

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {02FF5D35-C95C-4A11-8E56-A364BC480FAF} - (no file) (HKCU)

O9 - Extra button: (no name) - {0FFF69D7-BCC5-4381-905A-D5AC0C10131A} - (no file) (HKCU)

O9 - Extra button: (no name) - {376DF6A6-7968-47F7-AB1C-D00340366FCD} - (no file) (HKCU)

O9 - Extra button: (no name) - {384B254C-19CA-4EF3-8AEE-CF3577D82A55} - (no file) (HKCU)

O9 - Extra button: (no name) - {48069FA9-2959-4A5A-BCDC-0C6380CFF9BB} - (no file) (HKCU)

O9 - Extra button: (no name) - {4D4A0652-3FBC-4953-8EF4-83BF0C71716F} - (no file) (HKCU)

O9 - Extra button: (no name) - {65652D35-A771-4419-A5FB-8837938E3B7E} - (no file) (HKCU)

O9 - Extra button: (no name) - {6B8FA33B-C793-4705-B805-3D03B2EC17F1} - (no file) (HKCU)

O9 - Extra button: (no name) - {6DA4D93E-E006-4C40-B2B6-FDB39F68CA30} - (no file) (HKCU)

O9 - Extra button: (no name) - {758924A5-2960-48A9-9EB6-446F16FBF134} - (no file) (HKCU)

O9 - Extra button: (no name) - {85683895-FC21-46FF-8130-BE2667130413} - (no file) (HKCU)

O9 - Extra button: (no name) - {89E65533-354F-4C89-A03F-86263C99654A} - (no file) (HKCU)

O9 - Extra button: (no name) - {916832BD-DD85-45C8-BABD-E7F743FBDC6A} - (no file) (HKCU)

O9 - Extra button: (no name) - {9231F2A4-9519-4A24-BB73-56D344C309E4} - (no file) (HKCU)

O9 - Extra button: (no name) - {98852F05-ED5F-4375-BC34-961BCD8A8419} - (no file) (HKCU)

O9 - Extra button: (no name) - {A8DAC690-E121-43BD-8E0C-E64A3BFB613D} - (no file) (HKCU)

O9 - Extra button: (no name) - {AA511718-8BEF-4FF7-B8B4-98C831163717} - (no file) (HKCU)

O9 - Extra button: (no name) - {ADC760B8-9D3C-45C5-AFDC-58A8099169D8} - (no file) (HKCU)

O9 - Extra button: (no name) - {B4A763AE-DF16-4CF2-A7AD-13DF4D72F15D} - (no file) (HKCU)

O9 - Extra button: (no name) - {BED3B1ED-1A33-404A-BE06-9FD78E7CBE31} - (no file) (HKCU)

O9 - Extra button: (no name) - {C3D7880D-A81D-4D98-A207-75174176FC18} - (no file) (HKCU)

O9 - Extra button: (no name) - {CAE80948-ECB7-4AA4-BDEC-D069086066CA} - (no file) (HKCU)

O9 - Extra button: (no name) - {CD66F402-2A4C-43D9-9282-F8AEC505C672} - (no file) (HKCU)

O9 - Extra button: (no name) - {D646DD0C-D385-4905-935A-58A7A688115A} - (no file) (HKCU)

O9 - Extra button: (no name) - {E342E480-8F27-4DCD-82A0-EFD50F0BC69E} - (no file) (HKCU)

O9 - Extra button: (no name) - {EB23BED4-EB6F-4520-AE02-E89B6DF6ED53} - (no file) (HKCU)

O9 - Extra button: (no name) - {EFAAD7EB-A9FC-49DF-8D1B-93E62BA11627} - (no file) (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\cabview223b.dll

 

Thanks for your assistance.


Dear jpf232,

 

Hello and welcome to SWI. Thank you for your patience. I have reviewed your HijackThis log and it does not appear to be too bad. :p

 

First of all, you may want to print out this post so that you have a hard copy of these instructions.

 

Please download Registrar Lite from here:

http://www.resplendence.com/download/reglite.exe

Install and run it. Please copy and paste the following registry key to the "address bar" at the top of the screen and then click "Go":

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Please right-click the Windows key in the left-hand panel and choose "Rename". Rename the key to WindowsOld. Then double-click on the AppInit_DLLs entry in the right-hand panel. In the "value" field should appear the following data:

C:\WINDOWS\system32\cabview223b.dll

 

Please delete this data, and then click OK. Then please rename the WindowsOld key in the left-hand panel back to Windows. Close Registrar Lite.

 

Next, please run HijackThis and click "Scan." Place a check next to the following entry:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hop.clickbank.net/?ad2004/spywarerem

 

 

Close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis remove the entry you checked.

 

Finally, please restart your computer and then post a new HijackThis log. :D


Logfile of HijackThis v1.98.2

Scan saved at 2:40:06 PM, on 10/16/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HiJack This\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buy-1800wneiis.info?id=173&affid=6769

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKCU\..\Run: [hpzcon04886g.exe] "C:\WINDOWS\System32\hpzcon04886g.exe"

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {02FF5D35-C95C-4A11-8E56-A364BC480FAF} - (no file) (HKCU)

O9 - Extra button: (no name) - {0FFF69D7-BCC5-4381-905A-D5AC0C10131A} - (no file) (HKCU)

O9 - Extra button: (no name) - {1DC94F46-59F9-4062-B4E7-27151AA09F00} - (no file) (HKCU)

O9 - Extra button: (no name) - {376DF6A6-7968-47F7-AB1C-D00340366FCD} - (no file) (HKCU)

O9 - Extra button: (no name) - {384B254C-19CA-4EF3-8AEE-CF3577D82A55} - (no file) (HKCU)

O9 - Extra button: (no name) - {48069FA9-2959-4A5A-BCDC-0C6380CFF9BB} - (no file) (HKCU)

O9 - Extra button: (no name) - {4D4A0652-3FBC-4953-8EF4-83BF0C71716F} - (no file) (HKCU)

O9 - Extra button: (no name) - {65652D35-A771-4419-A5FB-8837938E3B7E} - (no file) (HKCU)

O9 - Extra button: (no name) - {6B8FA33B-C793-4705-B805-3D03B2EC17F1} - (no file) (HKCU)

O9 - Extra button: (no name) - {6DA4D93E-E006-4C40-B2B6-FDB39F68CA30} - (no file) (HKCU)

O9 - Extra button: (no name) - {758924A5-2960-48A9-9EB6-446F16FBF134} - (no file) (HKCU)

O9 - Extra button: (no name) - {8538AAC7-9E5D-4F91-990A-8B710D69DB31} - (no file) (HKCU)

O9 - Extra button: (no name) - {85683895-FC21-46FF-8130-BE2667130413} - (no file) (HKCU)

O9 - Extra button: (no name) - {89E65533-354F-4C89-A03F-86263C99654A} - (no file) (HKCU)

O9 - Extra button: (no name) - {916832BD-DD85-45C8-BABD-E7F743FBDC6A} - (no file) (HKCU)

O9 - Extra button: (no name) - {9231F2A4-9519-4A24-BB73-56D344C309E4} - (no file) (HKCU)

O9 - Extra button: (no name) - {98852F05-ED5F-4375-BC34-961BCD8A8419} - (no file) (HKCU)

O9 - Extra button: (no name) - {A8DAC690-E121-43BD-8E0C-E64A3BFB613D} - (no file) (HKCU)

O9 - Extra button: (no name) - {AA511718-8BEF-4FF7-B8B4-98C831163717} - (no file) (HKCU)

O9 - Extra button: (no name) - {ADC760B8-9D3C-45C5-AFDC-58A8099169D8} - (no file) (HKCU)

O9 - Extra button: (no name) - {B4A763AE-DF16-4CF2-A7AD-13DF4D72F15D} - (no file) (HKCU)

O9 - Extra button: (no name) - {B9E8D850-9832-4B10-833E-0269EC04026A} - (no file) (HKCU)

O9 - Extra button: (no name) - {BED3B1ED-1A33-404A-BE06-9FD78E7CBE31} - (no file) (HKCU)

O9 - Extra button: (no name) - {C3D7880D-A81D-4D98-A207-75174176FC18} - (no file) (HKCU)

O9 - Extra button: (no name) - {CAE80948-ECB7-4AA4-BDEC-D069086066CA} - (no file) (HKCU)

O9 - Extra button: (no name) - {CD66F402-2A4C-43D9-9282-F8AEC505C672} - (no file) (HKCU)

O9 - Extra button: (no name) - {D646DD0C-D385-4905-935A-58A7A688115A} - (no file) (HKCU)

O9 - Extra button: (no name) - {E342E480-8F27-4DCD-82A0-EFD50F0BC69E} - (no file) (HKCU)

O9 - Extra button: (no name) - {EB23BED4-EB6F-4520-AE02-E89B6DF6ED53} - (no file) (HKCU)

O9 - Extra button: (no name) - {EFAAD7EB-A9FC-49DF-8D1B-93E62BA11627} - (no file) (HKCU)

O9 - Extra button: (no name) - {F8B413A3-EE49-47C5-9C39-BBA6484C1A18} - (no file) (HKCU)

O9 - Extra button: (no name) - {FA1A03D0-3BFA-4C70-AC5F-B1F961DA13DC} - (no file) (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\KBDFI336s.dll


jpf232,

 

Looks like we didn't quite get everything. Please download TheKillbox from here:

http://www.downloads.subratam.org/KillBox.zip

Unzip it to the desktop, but do not run it yet. We will need it later.

 

Please run HijackThis and click "Scan". Then place checks next to the following entries:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buy-1800wneiis.info?id=173&affid=6769

O4 - HKCU\..\Run: [hpzcon04886g.exe] "C:\WINDOWS\System32\hpzcon04886g.exe"

 

Also, please put a check next to the entry marked "O20 - AppInit_DLLs" at the very bottom of the log. It currently looks like this:

 

O20 - AppInit_DLLs: C:\WINDOWS\system32\KBDFI336s.dll

 

However, it seems to keep changing its name, so it will most likely have a different file name by the time you are following these instructions. However, please write down whatever file name the entry uses before you check it, because you will need it again afterwards. Regardless of the precise file name the entry contains, please check it.

 

Then please close all open windows and then click "Fix Checked".

 

Now please run TheKillbox from the desktop. In the "Full path of file to delete" field, insert the full path and name of the file from the O20 entry you just removed. So for the example above, you would type C:\WINDOWS\system32\KBDFI336s.dll, but I emphasize that it is very likely that the name will have changed by the time you follow these instructions. Check "Delete on reboot" and then click the red button with the white cross to start the delete. Follow the prompts and restart your computer when requested.

 

After your computer has rebooted, please delete:

C:\WINDOWS\System32\hpzcon04886g.exe

 

Then please reboot your computer once more and then post a new HijackThis log. Hope we got it this time.... If not, I still have more tricks up my sleeve. :D

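The helper's two passes above come down to reading the HijackThis log for a few specific patterns and then noticing what changed between scans (the O20 AppInit_DLLs file had been renamed). As an added example, not code from this thread, from HijackThis or from SWI, the Python below parses HijackThis entry lines, applies those same checks (an R0 start page pointing at a host outside an allowlist, any non-empty O20 AppInit_DLLs value, an HKCU Run entry whose label is its own exe name under the Windows directory, orphaned O9 buttons) and diffs two scans so a renamed DLL appears as a removed/added pair. The sample entries are constructed from the 10/10 and 10/16 logs in this thread and abbreviated; the TRUSTED_HOSTS allowlist, the severities and the regular expressions are assumptions of this example, not rules HijackThis itself applies.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: a few entries copied from the 10/10 and 10/16
# scans posted in this thread (abbreviated, not the complete logs).
SCAN_OCT10 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hop.clickbank.net/?ad2004/spywarerem
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [hpzcon04886g.exe] "C:\WINDOWS\System32\hpzcon04886g.exe"
O9 - Extra button: (no name) - {02FF5D35-C95C-4A11-8E56-A364BC480FAF} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\system32\cabview223b.dll
"""

SCAN_OCT16 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buy-1800wneiis.info?id=173&affid=6769
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [hpzcon04886g.exe] "C:\WINDOWS\System32\hpzcon04886g.exe"
O9 - Extra button: (no name) - {02FF5D35-C95C-4A11-8E56-A364BC480FAF} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\system32\KBDFI336s.dll
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O20 - AppInit_DLLs: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 body: "<hive>\..\Run: [<label>] <target>", target optionally quoted.
RUN_RE = re.compile(r'^(HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]+)\] "?(?P<target>[^"]+)"?')

# Assumed allowlist: start/search pages pointing anywhere else get reported.
TRUSTED_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}


def parse_scan(text):
    """Return (section, body) tuples for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def classify(section, body):
    """Return (severity, reason) for a noteworthy entry, else None.

    The heuristics mirror what the helper flagged by hand in this thread;
    they are this example's own, not HijackThis rules."""
    if section in ("R0", "R1") and "Page = " in body:
        url = body.split(" = ", 1)[1].strip()
        host = urlsplit(url).hostname
        if host and host not in TRUSTED_HOSTS:
            return ("high", f"browser start/search page points at untrusted host {host}")
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:  # a clean XP system normally has this value empty
            return ("high", f"AppInit_DLLs loads {value} into every process that maps user32.dll")
    elif section == "O4":
        m = RUN_RE.match(body)
        if m and m.group("label").lower().endswith(".exe") and "\\windows\\" in m.group("target").lower():
            return ("medium", f"Run entry labelled with its own exe name under the Windows directory: {m.group('target')}")
    elif section == "O9" and "(no file)" in body:
        return ("low", "toolbar button whose file no longer exists (orphaned entry)")
    return None


def report(text):
    """Classify every entry of one scan; returns (severity, section, reason) tuples."""
    out = []
    for section, body in parse_scan(text):
        verdict = classify(section, body)
        if verdict:
            out.append((verdict[0], section, verdict[1]))
    return out


def diff_scans(old_text, new_text):
    """Entries present in only one scan: (removed, added). A renamed file shows as one of each."""
    old, new = set(parse_scan(old_text)), set(parse_scan(new_text))
    return sorted(old - new), sorted(new - old)


def appinit_rename(old_text, new_text):
    """Return (old_dll, new_dll) when the O20 AppInit_DLLs value changed between scans, else None."""
    def value(text):
        for section, body in parse_scan(text):
            if section == "O20" and body.startswith("AppInit_DLLs:"):
                return body.split(":", 1)[1].strip()
        return ""
    a, b = value(old_text), value(new_text)
    return (a, b) if a != b else None


if __name__ == "__main__":
    for severity, section, reason in report(SCAN_OCT16):
        print(f"[{severity}] {section}: {reason}")
    removed, added = diff_scans(SCAN_OCT10, SCAN_OCT16)
    print("removed since last scan:", removed)
    print("added since last scan:", added)
    print("AppInit_DLLs renamed:", appinit_rename(SCAN_OCT10, SCAN_OCT16))
```

Run against the two constructed scans, the diff shows exactly what the helper spotted: the R0 start page moved to a different affiliate URL and the O20 DLL was renamed from cabview223b.dll to KBDFI336s.dll, while the hpzcon04886g.exe Run entry survived the first fix unchanged. That persistence is the reason the second round deletes the Run entry and its file as well as the AppInit value.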

Logfile of HijackThis v1.98.2

Scan saved at 6:35:57 PM, on 10/17/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\HiJack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {02FF5D35-C95C-4A11-8E56-A364BC480FAF} - (no file) (HKCU)

O9 - Extra button: (no name) - {0FFF69D7-BCC5-4381-905A-D5AC0C10131A} - (no file) (HKCU)

O9 - Extra button: (no name) - {1DC94F46-59F9-4062-B4E7-27151AA09F00} - (no file) (HKCU)

O9 - Extra button: (no name) - {376DF6A6-7968-47F7-AB1C-D00340366FCD} - (no file) (HKCU)

O9 - Extra button: (no name) - {384B254C-19CA-4EF3-8AEE-CF3577D82A55} - (no file) (HKCU)

O9 - Extra button: (no name) - {48069FA9-2959-4A5A-BCDC-0C6380CFF9BB} - (no file) (HKCU)

O9 - Extra button: (no name) - {4D4A0652-3FBC-4953-8EF4-83BF0C71716F} - (no file) (HKCU)

O9 - Extra button: (no name) - {65652D35-A771-4419-A5FB-8837938E3B7E} - (no file) (HKCU)

O9 - Extra button: (no name) - {6B8FA33B-C793-4705-B805-3D03B2EC17F1} - (no file) (HKCU)

O9 - Extra button: (no name) - {6DA4D93E-E006-4C40-B2B6-FDB39F68CA30} - (no file) (HKCU)

O9 - Extra button: (no name) - {758924A5-2960-48A9-9EB6-446F16FBF134} - (no file) (HKCU)

O9 - Extra button: (no name) - {8538AAC7-9E5D-4F91-990A-8B710D69DB31} - (no file) (HKCU)

O9 - Extra button: (no name) - {85683895-FC21-46FF-8130-BE2667130413} - (no file) (HKCU)

O9 - Extra button: (no name) - {89E65533-354F-4C89-A03F-86263C99654A} - (no file) (HKCU)

O9 - Extra button: (no name) - {916832BD-DD85-45C8-BABD-E7F743FBDC6A} - (no file) (HKCU)

O9 - Extra button: (no name) - {9231F2A4-9519-4A24-BB73-56D344C309E4} - (no file) (HKCU)

O9 - Extra button: (no name) - {98852F05-ED5F-4375-BC34-961BCD8A8419} - (no file) (HKCU)

O9 - Extra button: (no name) - {A8DAC690-E121-43BD-8E0C-E64A3BFB613D} - (no file) (HKCU)

O9 - Extra button: (no name) - {AA511718-8BEF-4FF7-B8B4-98C831163717} - (no file) (HKCU)

O9 - Extra button: (no name) - {ADC760B8-9D3C-45C5-AFDC-58A8099169D8} - (no file) (HKCU)

O9 - Extra button: (no name) - {B4A763AE-DF16-4CF2-A7AD-13DF4D72F15D} - (no file) (HKCU)

O9 - Extra button: (no name) - {B9E8D850-9832-4B10-833E-0269EC04026A} - (no file) (HKCU)

O9 - Extra button: (no name) - {BED3B1ED-1A33-404A-BE06-9FD78E7CBE31} - (no file) (HKCU)

O9 - Extra button: (no name) - {C3D7880D-A81D-4D98-A207-75174176FC18} - (no file) (HKCU)

O9 - Extra button: (no name) - {CAE80948-ECB7-4AA4-BDEC-D069086066CA} - (no file) (HKCU)

O9 - Extra button: (no name) - {CD66F402-2A4C-43D9-9282-F8AEC505C672} - (no file) (HKCU)

O9 - Extra button: (no name) - {D646DD0C-D385-4905-935A-58A7A688115A} - (no file) (HKCU)

O9 - Extra button: (no name) - {E342E480-8F27-4DCD-82A0-EFD50F0BC69E} - (no file) (HKCU)

O9 - Extra button: (no name) - {EB23BED4-EB6F-4520-AE02-E89B6DF6ED53} - (no file) (HKCU)

O9 - Extra button: (no name) - {EFAAD7EB-A9FC-49DF-8D1B-93E62BA11627} - (no file) (HKCU)

O9 - Extra button: (no name) - {F8B413A3-EE49-47C5-9C39-BBA6484C1A18} - (no file) (HKCU)

O9 - Extra button: (no name) - {FA1A03D0-3BFA-4C70-AC5F-B1F961DA13DC} - (no file) (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab


Things look good right now. I just turned on my pc and the problem appears to be gone.

 

Thank you for your help on this matter. Have a great day.


Dear jpf232,

 

Glad to hear it is gone! :D

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we at SWI are to help you, for your sake we would rather not have repeat customers. :p

 

 

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. I cannot stress enough how important this is.

 

2) In order to protect yourself against spyware, you should consider installing and running the following programs:

 

Ad-Aware

http://www.lavasoftusa.com/software/adaware

Spybot-Search & Destroy

http://www.safer-networking.org/en/download

SpywareBlaster

http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard

http://www.javacoolsoftware.com/spywareguard.html

 

Keeping these programs up-to-date and running them regularly can prevent a great deal of spyware hassle.

 

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:

http://ftp.mozilla.org/pub/mozilla.org/fir...tup%201.0PR.exe

 

4) Also make sure to run your anti-virus software regularly, and to keep it up-to-date.

 

5) Finally, consider maintaining a firewall. A good free firewall is ZoneAlarm, available at http://www.zonelabs.com/store/content/comp...reeDownload.jsp.

 

You may also want to read Tony Klein's article on "How I got Infected in the First Place":

http://forums.net-integration.net/index.php?showtopic=3051

 

Hopefully this should take care of your problems! Good luck. :D


Glad to see you were able to resolve your problem.

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
