• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
larnold24

HiJack This

45 posts in this topic

I just downloaded Hijackthis...and I am really scared to delete anything right now...could you take a look at it and tell me what is safe to delete? Thank you very much.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:14:25 AM, on 6/17/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\apikf.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\wjview.exe

C:\WINDOWS\System32\RUNDLL32.exe

C:\WINDOWS\system32\ntbs32.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\snaup.dll/sp.html#1886930219

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://snaup.dll/index.html#1886930219

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://snaup.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\snaup.dll/sp.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://snaup.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\snaup.dll/sp.html#1886930219

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D7C43CFF-343D-063E-1C14-C8A0FEB6F6A4} - C:\WINDOWS\system32\d3fu32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

O4 - HKLM\..\Run: [65FE0B77] C:\WINDOWS\System32\wzroxmbwmvhha.exe

O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\nflsfzay.exe

O4 - HKLM\..\Run: [image] rundll32 C:\WINDOWS\sdkqh32.dll,Install

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [ntbs32.exe] C:\WINDOWS\system32\ntbs32.exe

O4 - HKLM\..\RunServices: [D5853726] C:\WINDOWS\System32\wzroxmbwmvhha.exe

O4 - HKCU\..\Run: [li-tevid00150] c:\program files\Webdialer\li-tevid00150[1].exe -m

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - HKCU\..\RunServices: [image] rundll32 C:\WINDOWS\sdkqh32.dll,Install

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 208.139.139.5 208.139.139.4

Edited by larnold24

Share this post


Link to post
Share on other sites

Hi larnold24,

 

Since you have at least 1 virus/trojan in here, please go here and run a free online virus scan:

http://housecall.trendmicro.com/housecall/start_corp.asp

 

Let us know what it finds.

 

Configure your computer to show hidden files.

 

Then reboot your computer in safe mode.

 

Next, run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

 

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll

O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

O4 - HKLM\..\Run: [65FE0B77] C:\WINDOWS\System32\wzroxmbwmvhha.exe

O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\nflsfzay.exe

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\RunServices: [D5853726] C:\WINDOWS\System32\wzroxmbwmvhha.exe

O4 - HKCU\..\Run: [li-tevid00150] c:\program files\Webdialer\li-tevid00150[1].exe -m

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab

 

Then go to the C:\Windows folder and look for sdkqh32.dll. If you find it, please copy it to the C:\Documents and Settings\Owner\My Documents\larnold24\receive folder.

 

Then go to the C:\WINDOWS\system32 folder and look for ntbs32.exe. If you find it, copy it to the same receive folder.

 

Then run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

 

O4 - HKLM\..\Run: [image] rundll32 C:\WINDOWS\sdkqh32.dll,Install

O4 - HKLM\..\Run: [ntbs32.exe] C:\WINDOWS\system32\ntbs32.exe

O4 - HKCU\..\RunServices: [image] rundll32 C:\WINDOWS\sdkqh32.dll,Install

 

Reboot your computer. Please zip those files in your receive folder and e-mail it to me at this address.

 

Since you have the newer variant of coolwebsearch, I'd like to have a look at a couple of logs.

 

Create a folder on your desktop called PV. Then download this zip.

http://tools.zerosrealm.com/pv.zip

 

Please unzip it to that PV folder on your desktop. It will not work if you run it from inside the zip.

 

After unzipped, open the pv folder, make sure there is an Internet Explorer window open and double click on runme.bat.

 

A dos window will open. Please select option 2 for Internet Explorer dll's by typing 2 and then pressing enter.

 

Notepad will open with a log in it. Please copy and paste the log into this post.

 

Next, Go here and download this self extracting file:

http://tools.zerosrealm.com/dllfix.exe

 

Save it to your desktop, double click dllfix.exe and follow the prompts.

 

Go to the newly created dllfix folder on your desktop and double click start.bat and choose option #1. This will scan your computer for the 'bad' file. Notepad will open with a report in it. Copy the contents of the report back into this thread along with the pv.zip log and an updated hijackthis log.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 4:24:16 PM, on 6/17/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\apikf.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\wjview.exe

C:\WINDOWS\System32\RUNDLL32.exe

C:\WINDOWS\system32\ntbs32.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

C:\Program Files\Common Files\Real\Update_OB\rndal.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\snaup.dll/sp.html#1886930219

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://snaup.dll/index.html#1886930219

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://snaup.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\snaup.dll/sp.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://snaup.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\snaup.dll/sp.html#1886930219

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D7C43CFF-343D-063E-1C14-C8A0FEB6F6A4} - C:\WINDOWS\system32\d3fu32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

O4 - HKLM\..\Run: [65FE0B77] C:\WINDOWS\System32\wzroxmbwmvhha.exe

O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\nflsfzay.exe

O4 - HKLM\..\Run: [image] rundll32 C:\WINDOWS\sdkqh32.dll,Install

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [ntbs32.exe] C:\WINDOWS\system32\ntbs32.exe

O4 - HKLM\..\RunServices: [D5853726] C:\WINDOWS\System32\wzroxmbwmvhha.exe

O4 - HKCU\..\Run: [li-tevid00150] c:\program files\Webdialer\li-tevid00150[1].exe -m

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - HKCU\..\RunServices: [image] rundll32 C:\WINDOWS\sdkqh32.dll,Install

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 208.139.139.5 208.139.139.4

Share this post


Link to post
Share on other sites

Module information for 'iexplore.exe'

MODULE BASE SIZE PATH

iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer

ntdll.dll 77f50000 679936 C:\WINDOWS\System32\ntdll.dll 5.1.2600.114 (xpclnt_qfe.021108-2107) NT Layer DLL

kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL

msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL

USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL

GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL

ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API

RPCRT4.dll 78000000 450560 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.109 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime

SHLWAPI.dll 63180000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library

SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library

IMM32.DLL 76390000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL

LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack

USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0407.2600.0 (xpclient.010817-1148) Uniscribe Unicode script processor

comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library

SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll

comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library

ole32.dll 771b0000 1114112 C:\WINDOWS\system32\ole32.dll 5.1.2600.115 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows

uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library

BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library

browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library

appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library

CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42

OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42

VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries

WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32

CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32

MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.119 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs

Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface

cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI

CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent

SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API

AcroIEHelper.ocx 10000000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module

SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5

NavShExt.dll f10000 114688 C:\Program Files\Norton AntiVirus\NavShExt.dll 9.05.15 Norton AntiVirusNAVShellExt Module

ccTrust.dll f30000 106496 C:\WINDOWS\System32\ccTrust.dll 1.08.01 Common Client ccTrust

MSVCP60.dll 76080000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft ® C++ Runtime Library

ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)

d3fu32.dll f90000 266240 C:\WINDOWS\system32\d3fu32.dll

urlmon.dll 1a400000 495616 C:\WINDOWS\System32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32

shdoclc.dll 12b0000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library

mshtml.dll 63580000 2777088 C:\WINDOWS\System32\mshtml.dll 6.00.2737.800 Microsoft ® HTML Viewer

MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL

RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.0 (xpclient.010817-1148) Remote Access API

rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager

WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL

WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT

NETAPI32.dll 71c20000 323584 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL

TAPI32.dll 76eb0000 172032 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows Telephony API Client DLL

rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities

WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL

serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver

umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module

sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.0 (XPClient.010817-1148) SENS Connectivity API DLL

msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer

msimtf.dll 746f0000 167936 C:\WINDOWS\System32\msimtf.dll 5.1.2600.0 (xpclient.010817-1148) Active IMM Server DLL

MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL

MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file

scrauth.dll 1970000 110592 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 0, 126 ScriptBlocking Authenticator

ScrBlock.dll 1aa0000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 0, 126 ScriptBlocking

wintrust.dll 76c30000 176128 C:\WINDOWS\System32\wintrust.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs

IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper

rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider

userenv.dll 52880000 667648 C:\WINDOWS\system32\userenv.dll 5.1.2600.15 (xpclnt_qfe.010827-1803) Userenv

cryptnet.dll 73d50000 65536 C:\WINDOWS\System32\cryptnet.dll 5.131.2600.0 (xpclient.010817-1148) Crypto Network Related API

WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL

jscript.dll 75c50000 593920 c:\windows\system32\jscript.dll 5.6.0.6626 Microsoft ® JScript

wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL

mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider

wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL

DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL

iphlpapi.dll 76d60000 86016 C:\WINDOWS\System32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API

netman.dll 76de0000 155648 C:\WINDOWS\System32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager

MPRAPI.dll 76d40000 90112 C:\WINDOWS\System32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL

ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL

adsldpc.dll 76e10000 147456 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL

SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL

WZCSvc.DLL 76da0000 196608 C:\WINDOWS\System32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service

WMI.dll 76d30000 16384 C:\WINDOWS\System32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality

DHCPCSVC.DLL 76d80000 106496 C:\WINDOWS\System32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) DHCP Client Service

WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs

WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library

winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL

rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper

wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper

msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper

MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter

midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper

mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft ® HTML Editing Component

imgutil.dll 66880000 40960 C:\WINDOWS\System32\imgutil.dll 6.00.2600.0000 (xpclient.010817-1148) IE plugin image decoder support DLL

ACTXPRXY.DLL 71d40000 110592 C:\WINDOWS\System32\ACTXPRXY.DLL 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library

pngfilt.dll 1b060000 45056 C:\WINDOWS\System32\pngfilt.dll 6.00.2722.900 IE PNG plugin image decoder

msjava.dll 7c000000 958464 C:\WINDOWS\System32\msjava.dll 5.00.3802 Microsoft® VM

VMHELPER.DLL 7c520000 294912 C:\WINDOWS\System32\VMHELPER.DLL 5.00.3802 Microsoft® VM Helper Library

JIT.DLL 7c400000 180224 C:\WINDOWS\System32\JIT.DLL 5.00.3802 Microsoft® Just-in-Time Compiler for Java

javart.dll 7c300000 417792 C:\WINDOWS\System32\javart.dll 5.00.3802 Microsoft® Runtime Library for Java

msawt.dll 7c380000 167936 C:\WINDOWS\System32\msawt.dll 5.00.3802 Microsoft AWT Library for Java

javacypt.dll 7c480000 192512 C:\WINDOWS\System32\javacypt.dll 5.00.3802 MS Crypt Dll for Java

SOFTPUB.DLL 732d0000 20480 C:\WINDOWS\System32\SOFTPUB.DLL 5.131.2600.0 (xpclient.010817-1148) Softpub Forwarder DLL

riched32.dll 732e0000 20480 C:\WINDOWS\System32\riched32.dll 5.1.2600.0 (xpclient.010817-1148) Wrapper Dll for Richedit 1.0

RICHED20.dll 74e30000 438272 C:\WINDOWS\System32\RICHED20.dll 5.30.23.1210 Rich Text Edit Control, v3.0

CABINET.DLL 75150000 77824 C:\WINDOWS\System32\CABINET.DLL 5.1.2600.0 (xpclient.010817-1148) Microsoft® Cabinet File API

MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL

drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider

ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Lan Manager

NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes

NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes

NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL

davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL

MSGINA.dll 75970000 987136 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon GINA DLL

ODBC32.dll 2120000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9002.0 Microsoft Data Access - ODBC Driver Manager

comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL

odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources

sti.dll 73ba0000 73728 C:\WINDOWS\System32\sti.dll 5.1.2600.0 (XPClient.010817-1148) Still Image Devices client DLL

CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL

plugin.ocx 72b20000 98304 C:\WINDOWS\System32\plugin.ocx 6.00.2600.0000 (xpclient.010817-1148) ActiveX Plugin OCX

ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing

LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking

Share this post


Link to post
Share on other sites

Hi larnold24,

 

It looks like you have the newest CoolWebSearch (CWS) variant. The dllfix was pulled by the author for various reasons, which is why you couldn't get to it. The method we are about to try works sometimes, and other times it doesn't. At the time of this post, there is no sure-fire cure-all for the newest variant of CWS. So for now, we'll try the old way.

 

Please download TheKillbox from here: http://download.broadbandmedic.com/VbStuff/KillBox.zip

 

Create another folder on your desktop called Kill. Unzip the files in KillBox.zip to the Kill folder, then double-click on Killbox.exe to run it. In the Paste Full Path of File to Delete box, copy and paste the following:

 

C:\WINDOWS\system32\d3fu32.dll

 

Don't click any of the buttons though, instead please click on the Action menu and choose Delete on Reboot. On the next screen, click on the File menu and choose Add File. The filename and path should show up in the window. If that's successful, choose the Action menu and select Process and Reboot. You'll be prompted to reboot, do so.

 

When you're back in windows, please download the latest version of CWShredder. Then, make sure ALL windows are closed and run CWShredder.exe and click Fix (not scan).

 

Next, run the runme.bat file again and select option #2 again (making sure an Internet explorer window is open and/or minimized). Post the contents of that log, along with an updated hijackthis log.

Share this post


Link to post
Share on other sites

Module information for 'iexplore.exe'

MODULE BASE SIZE PATH

iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer

ntdll.dll 77f50000 679936 C:\WINDOWS\System32\ntdll.dll 5.1.2600.114 (xpclnt_qfe.021108-2107) NT Layer DLL

kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL

msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL

USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL

GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL

ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API

RPCRT4.dll 78000000 450560 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.109 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime

SHLWAPI.dll 63180000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2730.1200 Shell Light-weight Utility Library

SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2737.800 Shell Doc Object and Control Library

IMM32.DLL 76390000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL

LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack

USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0407.2600.0 (xpclient.010817-1148) Uniscribe Unicode script processor

comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library

SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll

comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library

ole32.dll 771b0000 1114112 C:\WINDOWS\system32\ole32.dll 5.1.2600.115 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows

uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library

BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library

browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library

appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library

CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42

OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42

VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries

WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32

CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32

MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.119 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs

Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface

SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API

AcroIEHelper.ocx 10000000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module

SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5

msrl32.dll f10000 266240 C:\WINDOWS\system32\msrl32.dll

ATL.DLL 76b20000 86016 C:\WINDOWS\system32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)

NavShExt.dll 10c0000 114688 C:\Program Files\Norton AntiVirus\NavShExt.dll 9.05.15 Norton AntiVirusNAVShellExt Module

ccTrust.dll 10e0000 106496 C:\WINDOWS\System32\ccTrust.dll 1.08.01 Common Client ccTrust

MSVCP60.dll 76080000 397312 C:\WINDOWS\System32\MSVCP60.dll 6.00.8972.0 Microsoft ® C++ Runtime Library

urlmon.dll 1a400000 495616 C:\WINDOWS\System32\urlmon.dll 6.00.2736.2300 OLE32 Extensions for Win32

shdoclc.dll 11a0000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library

mshtml.dll 63580000 2777088 C:\WINDOWS\System32\mshtml.dll 6.00.2737.800 Microsoft ® HTML Viewer

MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL

RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.0 (xpclient.010817-1148) Remote Access API

rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager

WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL

WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT

NETAPI32.dll 71c20000 323584 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL

TAPI32.dll 76eb0000 172032 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows Telephony API Client DLL

rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities

WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL

serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver

umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module

USERENV.dll 52880000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.15 (xpclnt_qfe.010827-1803) Userenv

msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer

wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL

MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file

scrauth.dll 1950000 110592 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 0, 126 ScriptBlocking Authenticator

ScrBlock.dll 1a80000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 0, 126 ScriptBlocking

wintrust.dll 76c30000 176128 C:\WINDOWS\System32\wintrust.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs

IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper

rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider

mswsock.dll 71a50000 241664 C:\WINDOWS\System32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider

DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL

cryptnet.dll 73d50000 65536 C:\WINDOWS\System32\cryptnet.dll 5.131.2600.0 (xpclient.010817-1148) Crypto Network Related API

WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL

jscript.dll 75c50000 593920 c:\windows\system32\jscript.dll 5.6.0.6626 Microsoft ® JScript

winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL

wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL

rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper

wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper

msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper

MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter

midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper

mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft ® HTML Editing Component

imgutil.dll 66880000 40960 C:\WINDOWS\System32\imgutil.dll 6.00.2600.0000 (xpclient.010817-1148) IE plugin image decoder support DLL

ACTXPRXY.DLL 71d40000 110592 C:\WINDOWS\System32\ACTXPRXY.DLL 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library

pngfilt.dll 1b060000 45056 C:\WINDOWS\System32\pngfilt.dll 6.00.2722.900 IE PNG plugin image decoder

msjava.dll 7c000000 958464 C:\WINDOWS\System32\msjava.dll 5.00.3802 Microsoft® VM

VMHELPER.DLL 7c520000 294912 C:\WINDOWS\System32\VMHELPER.DLL 5.00.3802 Microsoft® VM Helper Library

JIT.DLL 7c400000 180224 C:\WINDOWS\System32\JIT.DLL 5.00.3802 Microsoft® Just-in-Time Compiler for Java

javart.dll 7c300000 417792 C:\WINDOWS\System32\javart.dll 5.00.3802 Microsoft® Runtime Library for Java

msawt.dll 7c380000 167936 C:\WINDOWS\System32\msawt.dll 5.00.3802 Microsoft AWT Library for Java

javacypt.dll 7c480000 192512 C:\WINDOWS\System32\javacypt.dll 5.00.3802 MS Crypt Dll for Java

SOFTPUB.DLL 732d0000 20480 C:\WINDOWS\System32\SOFTPUB.DLL 5.131.2600.0 (xpclient.010817-1148) Softpub Forwarder DLL

riched32.dll 732e0000 20480 C:\WINDOWS\System32\riched32.dll 5.1.2600.0 (xpclient.010817-1148) Wrapper Dll for Richedit 1.0

RICHED20.dll 74e30000 438272 C:\WINDOWS\System32\RICHED20.dll 5.30.23.1210 Rich Text Edit Control, v3.0

CABINET.DLL 75150000 77824 C:\WINDOWS\System32\CABINET.DLL 5.1.2600.0 (xpclient.010817-1148) Microsoft® Cabinet File API

inetcpl.cpl 58a20000 323584 C:\WINDOWS\System32\inetcpl.cpl 6.00.2600.0000 (xpclient.010817-1148) Internet Control Panel

inetcplc.dll 667d0000 118784 C:\WINDOWS\System32\inetcplc.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Control Panel

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:46:58 AM, on 6/21/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\apikf.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ntbs32.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Documents and Settings\Owner\Desktop\Kill\KillBox\CWShredder.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcdfg.dll/sp.html#1886930219

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rcdfg.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcdfg.dll/sp.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rcdfg.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rcdfg.dll/sp.html#1886930219

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {8BE2C1A5-A5C1-8202-74CD-C68F8F4E10B0} - C:\WINDOWS\system32\msrl32.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [ntbs32.exe] C:\WINDOWS\system32\ntbs32.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 208.139.139.5 208.139.139.4

Share this post


Link to post
Share on other sites

osc,

 

i rebooted ran a new scan on hjt..........the files i fixed were back.......here is the new log

 

 

Logfile of HijackThis v1.97.7

Scan saved at 11:24:11 AM, on 6/21/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\apikf.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ntbs32.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcdfg.dll/sp.html#1886930219

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rcdfg.dll/index.html#1886930219

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rcdfg.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcdfg.dll/sp.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rcdfg.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rcdfg.dll/sp.html#1886930219

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {8BE2C1A5-A5C1-8202-74CD-C68F8F4E10B0} - C:\WINDOWS\system32\msrl32.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [ntbs32.exe] C:\WINDOWS\system32\ntbs32.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 208.139.139.5 208.139.139.4

Share this post


Link to post
Share on other sites

Hi larnold24,

 

***Please do not reboot until it is requested. Rebooting during this process will cause reinfection!***

 

Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

 

O2 - BHO: (no name) - {8BE2C1A5-A5C1-8202-74CD-C68F8F4E10B0} - C:\WINDOWS\system32\msrl32.dll

O4 - HKLM\..\Run: [ntbs32.exe] C:\WINDOWS\system32\ntbs32.exe

 

Next, hold down the Ctrl+Shift keys on your keyboard and tap the Esc key. This will open task manager. End each of the following processes by selecting it and pressing the End Process button and clicking Yes to the confirmation message:

 

ntbs32.exe

apikf.exe

 

Download About:Buster from either of the following locations.

 

http://www.atribune.org/downloads/AboutBuster.zip

or

http://tools.zerosrealm.com/AboutBuster.zip

 

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

 

Run AboutBuster.exe and click ok and then start. Paste this exact line into the text box in About:Buster:

 

res://rcdfg.dll/index.html#1886930219

 

Next click Ok and allow the program to run. After it runs copy its report and paste it back into this thread.

 

Next, go to c:\documents and Settings\{username}\local settings\Temp and delete all files in that temp folder.

 

Reboot and post a new HijackThis log along with the report from About:Buster if there were any errors in it.

 

Install all of Microsoft's critical updates. This will help protect you from some of this stuff in the future:

http://windowsupdate.microsoft.com

Share this post


Link to post
Share on other sites

Ok Osc,

 

here is the aboutbuster log

 

.dll File not found, Continuing fix

Removed! : C:\WINDOWS\crgr32.exe

Removed! : C:\WINDOWS\d3yd.exe

Removed! : C:\WINDOWS\ipwl32.exe

Removed! : C:\WINDOWS\winzj32.exe

Removed! : C:\WINDOWS\rcdfg.dll

Removed! : C:\WINDOWS\snaup.dll

Removed! : C:\WINDOWS\rcdfg.dat

Removed! : C:\WINDOWS\tbbntf.dat

Removed! : C:\WINDOWS\wqffs.dat

Pages Reset... Done!

 

here is the new hijack this scan log

 

 

Logfile of HijackThis v1.97.7

Scan saved at 2:34:46 PM, on 6/22/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\apikf.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ntbs32.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lpwbl.dll/sp.html#1886930219

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lpwbl.dll/index.html#1886930219

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lpwbl.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lpwbl.dll/sp.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lpwbl.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lpwbl.dll/sp.html#1886930219

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {8BE2C1A5-A5C1-8202-74CD-C68F8F4E10B0} - C:\WINDOWS\system32\msrl32.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [ntbs32.exe] C:\WINDOWS\system32\ntbs32.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 208.139.139.5 208.139.139.4

 

Thank you

Share this post


Link to post
Share on other sites

Hi larnold24,

 

Let's run through that again. But before we do, have you rebooted since you posted this log??? If you have, please post an updated log and do not reboot until I post, if possible.

Edited by OSC

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 10:43:43 AM, on 6/23/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\apikf.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\system32\ntbs32.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lpwbl.dll/sp.html#1886930219

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lpwbl.dll/index.html#1886930219

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lpwbl.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lpwbl.dll/sp.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lpwbl.dll/index.html#1886930219

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lpwbl.dll/sp.html#1886930219

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {8BE2C1A5-A5C1-8202-74CD-C68F8F4E10B0} - C:\WINDOWS\system32\msrl32.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [ntbs32.exe] C:\WINDOWS\system32\ntbs32.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 208.139.139.5 208.139.139.4

Share this post


Link to post
Share on other sites

Hi larnold24,

 

Let's try shutting the service down first, then fixing it.

 

Go to Start > Run. Type in services.msc. Click OK. Scroll down to Network Security Service. Right click it and choose Properties. Choose Stop, then choose Disabled from the drop down menu. Close that window.

 

A new version of About:Buster is available. Please download it from one of these sites:

 

http://www.atribune.org/downloads/AboutBuster.zip

or

http://tools.zerosrealm.com/AboutBuster.zip

 

Unzip it, run it and paste this line into about:buster:

 

res://lpwbl.dll/index.html#1886930219

 

Close ALL Internet Explorer windows. This is a very important step!! Next click Ok and allow the program to run. After it runs copy its report and paste it back into this thread.

 

Reboot and post a new HijackThis log along with the report from About:Buster if there were any errors in it.

Share this post


Link to post
Share on other sites

.dll File not found, Continuing fix

Removed! : C:\WINDOWS\System32\lpwbl.dat

Removed! : C:\WINDOWS\System32\sjwsi.dat

Removed! : C:\WINDOWS\awrzik.dat

Removed! : C:\WINDOWS\tbbntf.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Pages Reset... Done!

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 11:38:41 AM, on 6/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\CallWave\IAM.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hmtmc.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmtmc.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmtmc.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hmtmc.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hmtmc.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hmtmc.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {8BE2C1A5-A5C1-8202-74CD-C68F8F4E10B0} - C:\WINDOWS\system32\msrl32.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Hi larnold24,

 

When you have a chance, please join us in the chat room again. I have some questions for you. :D Thanks.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 9:56:20 AM, on 6/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hmtmc.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmtmc.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmtmc.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hmtmc.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hmtmc.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hmtmc.dll/sp.html#37049

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {8BE2C1A5-A5C1-8202-74CD-C68F8F4E10B0} - C:\WINDOWS\system32\msrl32.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 208.139.139.5 208.139.139.4

Share this post


Link to post
Share on other sites

Hi larnold24,

 

Configure your computer to show hidden files.

 

Then reboot your computer in safe mode.

 

Find these files:

C:\WINDOWS\hmtmc.dll

C:\WINDOWS\system32\msrl32.dll

 

Copy them to a folder on your computer. Reboot.

 

Please zip those .dll files you copied to a folder and e-mail them to me at this address.

Share this post


Link to post
Share on other sites

Hi larnold24,

 

Thanks for those files. Just want to get the md5's of those files to see if about:buster targets them. Give me a little time and I'll post back. If they are covered, we'll try about:buster in safe mode. If not, we'll try again with the next version that comes out.

 

gbasham, I see your post and will respond to it.

Share this post


Link to post
Share on other sites

Were you able to send those files along to the new address??

 

Please post a new hijackthis since it's been awhile since we saw one. :) Thanks.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 9:35:45 AM, on 7/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\apiem32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\netjc32.exe

C:\Program Files\ISP.COM High Speed\web_accel.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ISP.COM Internet Services\dialer.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hmtmc.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmtmc.dll/index.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmtmc.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hmtmc.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hmtmc.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hmtmc.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {8BE2C1A5-A5C1-8202-74CD-C68F8F4E10B0} - C:\WINDOWS\system32\msrl32.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [netjc32.exe] C:\WINDOWS\system32\netjc32.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\web_accel.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ISP.COM High Speed\web_accel.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ISP.COM High Speed\web_accel.exe/227

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 209.209.180.38 209.209.180.2

 

I sent those zip files to the last address. Did you not receive them?

 

Latreese

Share this post


Link to post
Share on other sites

Hi larnold24,

 

I did receive the e-mail but it looks like you sent the search results, instead of the files.

 

Boot back into safe mode again.

 

Go to this folder:

C:\WINDOWS\system32

 

and find these files:

netjc32.exe

apiem32.exe

 

Copy the files to a folder on your computer. Reboot your computer.

 

Select both files and right click them. Choose Zip to e-mail xxxx.zip. That should launch your email program. Fill in the email address you used before and send it off.

 

You have some files in there that are not covered with the current version of about:buster, which is why we need those files. As soon as we get a copy of those files, I'll provide you with an updated version of buster that will get ya cleaned.

Share this post


Link to post
Share on other sites

Hi larnold24,

 

Thanks again for those files. Please download the latest version of about:buster from here:

 

http://www.atribune.org/downloads/AboutBuster.zip

 

Unzip it and save aboutbuster.exe to your desktop. Boot your computer in safe mode and run aboutbuster.exe. Run it a few times until you get results that look something like this:

 

-- Scan X --------

About:Buster Version 1.26

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

Once you get about:buster results that look like the above, reboot your computer, post an updated hijackthis log and about:buster log back here.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 9:49:36 PM, on 7/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\CallWave\IAM.exe

C:\Program Files\ISP.COM High Speed\web_accel.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {8BE2C1A5-A5C1-8202-74CD-C68F8F4E10B0} - C:\WINDOWS\system32\msrl32.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\web_accel.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

-- Scan 1 --------

About:Buster Version 1.26

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Pages Reset... Done!

Share this post


Link to post
Share on other sites

Hi larnold24,

 

Looks like that approach worked. How's your home page situation?? One more item to clean though.

 

Run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

 

O2 - BHO: (no name) - {8BE2C1A5-A5C1-8202-74CD-C68F8F4E10B0} - C:\WINDOWS\system32\msrl32.dll

 

Let us know how things are looking. :)

Share this post


Link to post
Share on other sites

guess it didnt work osc...........still gettin res:\\cquld.dll/index.html#37049 as my home page and lots of popups still poppin up

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 12:56:44 PM, on 7/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\winos.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\d3yw32.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\ISP.COM High Speed\web_accel.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ISP.COM Internet Services\dialer.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cqvld.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cqvld.dll/index.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cqvld.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cqvld.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cqvld.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cqvld.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {3C8F8ED0-7873-97D9-7C38-50E4064ACB99} - C:\WINDOWS\mfcyl32.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [d3yw32.exe] C:\WINDOWS\d3yw32.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\web_accel.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ISP.COM High Speed\web_accel.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ISP.COM High Speed\web_accel.exe/227

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 209.209.180.38 209.209.180.2

Share this post


Link to post
Share on other sites

Hi larnold24,

 

I may have already asked you this, but do you have more than one login account on this computer?

 

Let's try removing this thing manually.

 

Press and hold the Ctrl + Shift keys on your keyboard, then tap the Esc key. This will open Task Manager. Click the Processes tab and then double-click the Image Name column header to alphabetically sort the processes. Scroll through the list and look for d3yw32.exe and winos.exe. If you find the files, click on them, and then click End Process. Click Yes to the confirmation message. Exit the Task Manager.

 

Next, click Start->Run and type Services.msc then hit OK. Scroll down and find the service called Network Security Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

 

Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cqvld.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cqvld.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cqvld.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cqvld.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cqvld.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cqvld.dll/sp.html#37049

O2 - BHO: (no name) - {3C8F8ED0-7873-97D9-7C38-50E4064ACB99} - C:\WINDOWS\mfcyl32.dll

O4 - HKLM\..\Run: [d3yw32.exe] C:\WINDOWS\d3yw32.exe

 

Reboot into Safe Mode and delete the following files:

C:\WINDOWS\cqvld.dll

C:\WINDOWS\mfcyl32.dll

C:\WINDOWS\d3yw32.exe

C:\WINDOWS\winos.exe

 

Reboot in Normal Mode. Copy the contents of the quote box below and past eit into a notepad document. Name it cwsuninst.reg

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY___NS_SERVICE_3]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\__NS_Service_3]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_SERVICE_3]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

Double click cwsuninst.reg and confirm you want to merge it with the registry. Finally, run HijackThis again and post a new log back into this thread.

Share this post


Link to post
Share on other sites

osc

 

first...........i couldnt find two of the four files...they are ...c:\windows\cqvld.dll

c:\windows\mfcyl32.dll

 

 

second......when i tried too double click on cwsuninst.reg.....i get a message

cannot import the specified file is not a registry script....you can only import binary registry files from within the registry editor.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 8:48:40 PM, on 7/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\CallWave\IAM.exe

C:\Program Files\ISP.COM High Speed\web_accel.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ISP.COM Internet Services\dialer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\web_accel.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ISP.COM High Speed\web_accel.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ISP.COM High Speed\web_accel.exe/227

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 209.209.180.38 209.209.180.2

Share this post


Link to post
Share on other sites

Hi larnold24,

 

Since that last .reg file didn't work, let's try this one. Copy the contents of the quote box below and paste it into a notepad document. Name it cwsuninst.reg. Replace the old one if prompted.

Windows Registry Editor Version 5.00

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY___NS_SERVICE_3]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\__NS_Service_3]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_SERVICE_3]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

Don't worry about those other 2 files for now. Once you get this .reg file to work, post a new hijackthis log. Also, run about:buster again and post that log.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 9:26:23 PM, on 7/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\CallWave\IAM.exe

C:\Program Files\ISP.COM High Speed\web_accel.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ISP.COM Internet Services\dialer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\web_accel.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ISP.COM High Speed\web_accel.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ISP.COM High Speed\web_accel.exe/227

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 209.209.180.38 209.209.180.2

Share this post


Link to post
Share on other sites

-- Scan 1 --------

About:Buster Version 1.26

Removed! : C:\WINDOWS\auxmg.dat

Removed! : C:\WINDOWS\cqvld.dll

Removed! : C:\WINDOWS\gpstio.dat

Removed! : C:\WINDOWS\mfcyl32.dll

Removed! : C:\WINDOWS\System32\jzdhg.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

Share this post


Link to post
Share on other sites

-- Scan 2 --------

About:Buster Version 1.26

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 10:01:31 PM, on 7/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\S3tray2.exe

C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe

C:\windows\system\hpsysdrv.exe

C:\PROGRA~1\HPONE-~1\OneTouch.EXE

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\CallWave\IAM.exe

C:\Program Files\ISP.COM High Speed\web_accel.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ISP.COM Internet Services\dialer.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Documents and Settings\Owner\My Documents\larnold24\receive\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [uSSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: ISP.COM High Speed.lnk = C:\Program Files\ISP.COM High Speed\web_accel.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ISP.COM High Speed\web_accel.exe/250

O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ISP.COM High Speed\web_accel.exe/227

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\isp~2.com\sliplsp.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} - http://isupport4.hp.com/awebui/jsp/answerw...DiagManager.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8028.8362615741

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBBC78C-D76C-49E7-8C74-8975779223E4}: NameServer = 209.209.180.38 209.209.180.2

Share this post


Link to post
Share on other sites

so far so good today....is working fine.............i created a system restore point today. I hope you realize how very much I appreciate all the time and effort you put into solving my problem. I know it was a pain in the butt. Thank You so very much!!!

Share this post


Link to post
Share on other sites

Hi larnold24,

 

That's great news! Here some light reading for spyware prevention.

 

Protection - download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html

 

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

 

Both are very small free programs that you run once, and then just occasionally to check for updates.

 

And also see So how did I get infected in the first place?

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0