• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
mr_saging

smitfraud, uploader, and/or other infections

11 posts in this topic

Got infected yesterday using newest version of Firefox. Thought I could solve the issue by uninstall/reinstall Mozilla so uninstalled, but before I reinstalled it, I started to get affected using IE also. Ran Spybot which removed multiple infections, rebooted and still infected. Have not reinstalled Firefox yet. Want to get computer diagnosed and cleaned first. Request assistance. Thanks in advance!

 

Logfile of HijackThis v1.99.1

Scan saved at 11:08:44 AM, on 4/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe

C:\WINNT\system32\SK9910DM.EXE

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINNT\system32\RunDLL32.exe

C:\WINNT\system32\devldr32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\explorer.exe

C:\My Downloads\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/

R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"

O4 - HKLM\..\Run: [runner1] C:\WINNT\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O15 - Trusted Zone: *.sxload.net (HKLM)

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2639971314dd87151c18/...ip/RdxIE601.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab

O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB

O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://68.15.177.210/plugin/h263ctrl.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINNT\C:\WINNT\System32\svchost.exe (file missing)

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Share this post


Link to post
Share on other sites

Downloaded and ran AVG Anti-Spyware 7.5 - found a dialer and other undesired malware and downloader agents. After removing these items, computer is still infected. Browser gets hijacked, other IE windows open up without warning, when I try to close IE it sometimes remains open in task manager. Here is the AVG report and a follow-up of HJT log just run a few minutes ago. Please advise on how to clean up this mess.

 

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 12:57:50 PM 4/21/2007

 

+ Scan result:

 

 

 

HKLM\SOFTWARE\Dsi -> Adware.Delfin : Cleaned with backup (quarantined).

HKLM\SOFTWARE\MaxSpeed -> Adware.Maxspeed : Cleaned with backup (quarantined).

C:\WINNT\Downloaded Program Files\MediaTicketsInstaller.INF -> Adware.MediaTickets : Cleaned with backup (quarantined).

C:\WINNT\system32\awtromn.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\WINNT\system32\awtstus.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\WINNT\system32\khfddbx.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\WINNT\system32\khfefgh.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\My Downloads\hijackthis\backup-20040208-154426-967.dll -> Dialer.Cutygirls.f : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\Local Settings\Temp\ClientApp1065.exe -> Downloader.Agent.ac : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\Local Settings\Temp\wr-1-2000219.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1840\A0139598.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\Local Settings\Temp\xloadnet.exe -> Downloader.VB.wz : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1840\A0139552.exe -> Downloader.VB.wz : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-3eedd12d-28dcfa32.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\java.jar-8fba449-65819522.zip/NewSecurityClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\java.jar-8fba449-65819522.zip/NewURLClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\java.jar-8fba449-77fa9eaf.zip/NewSecurityClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\java.jar-8fba449-77fa9eaf.zip/NewURLClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\jrl.jar-46a38335-383f0894.zip/NewSecurityClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\jrl.jar-46a38335-383f0894.zip/NewURLClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\jrl.jar-4b6b77e2-70fae29f.zip/NewSecurityClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\jrl.jar-4b6b77e2-70fae29f.zip/NewURLClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv237.jar-2d8175f5-6eb918fb.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv505.jar-39513504-26441ee7.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv659.jar-4a133c1-679d6ab7.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\loaderadv659.jar-4a133c1-7fa4b333.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\menu.jr-1a69aa3d-2f7aab37.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).

C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.

C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.

C:\Documents and Settings\Owner\Cookies\owner@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.

C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned.

C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.

C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.

C:\Documents and Settings\Owner\Cookies\owner@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.

C:\Documents and Settings\Owner\Cookies\owner@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.

C:\Documents and Settings\Owner\Cookies\owner@skype[2].txt -> TrackingCookie.Skype : Cleaned.

C:\Documents and Settings\Owner\Cookies\owner@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.

 

 

::Report end

 

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 2:53:22 PM, on 4/21/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe

C:\WINNT\system32\SK9910DM.EXE

C:\WINNT\system32\devldr32.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINNT\system32\RunDLL32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\My Downloads\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/

R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"

O4 - HKLM\..\Run: [runner1] C:\WINNT\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O15 - Trusted Zone: *.sxload.net (HKLM)

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2639971314dd87151c18/...ip/RdxIE601.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab

O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB

O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://68.15.177.210/plugin/h263ctrl.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINNT\C:\WINNT\System32\svchost.exe (file missing)

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Hello,

 

* Download Combofix to your desktop.

Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new hijackthislog.

Share this post


Link to post
Share on other sites

Ran both tests. Browser still gets hijacked, popups, IE does not shut down properly and remains in Task Manager. Requested log files below...

 

"Owner" - 07-04-24 7:39:31 Service Pack 2

ComboFix 07-04-24.2V - Running from: "C:\Documents and Settings\Owner\Desktop\"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-03-24 to 2007-04-24 ))))))))))))))))))))))))))))))))))

 

 

2007-04-21 11:03 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys

2007-04-15 08:39 22,112 -ra------ C:\WINNT\system32\drivers\COH_Mon.sys

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-04-23 21:50 -------- d-------- C:\Program Files\microsoft money

2007-04-23 13:35 -------- d-------- C:\Program Files\Common Files\symantec shared

2007-03-31 13:06 -------- d-------- C:\Program Files\hp

2007-03-31 13:06 -------- d-------- C:\Program Files\hewlett-packard

2007-03-20 19:35 -------- d-------- C:\Program Files\skype

2007-03-18 09:42 -------- d-------- C:\Program Files\norton internet security

2007-03-17 06:43 292864 --a------ C:\WINNT\system32\winsrv.dll

2007-03-08 08:36 577536 --a------ C:\WINNT\system32\user32.dll

2007-03-08 08:36 40960 --a------ C:\WINNT\system32\mf3216.dll

2007-03-08 08:36 281600 --a------ C:\WINNT\system32\gdi32.dll

2007-03-08 06:47 1843584 --a------ C:\WINNT\system32\win32k.sys

2007-02-27 18:44 -------- d-------- C:\Program Files\microsoft money 2007

2007-02-05 13:17 185344 --a------ C:\WINNT\system32\upnphost.dll

2007-01-31 15:56 51716 --a------ C:\WINNT\system32\pdf995mon.dll

2007-01-31 15:56 118784 --a------ C:\WINNT\system32\pdfmona.dll

2007-01-25 09:29 48776 --a------ C:\WINNT\system32\s32evnt1.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINNT\system32\halmbton.dll [x]

{1E8A6170-7264-4D0F-BEAE-D42A53123C75} C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

{3C1540A6-0BFB-40AF-94BF-35A59AE6B037} C:\WINNT\system32\fpfsxgop.dll [x]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"Pop-Up Stopper"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\dpps2.exe\""

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"

"GWMDMpi"="C:\\WINNT\\GWMDMpi.exe"

"IMJPMIG8.1"="\"C:\\WINNT\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"

"MSPY2002"="C:\\WINNT\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"

"PHIME2002ASync"="C:\\WINNT\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"

"PHIME2002A"="C:\\WINNT\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"

"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"

"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"

"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"

"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"

"HPDJ Taskbar Utility"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"

"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""

"VF0060 STISvc"="RunDLL32.exe V0060Pin.dll,RunDLL32EP 513"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""

"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""

"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"

"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

"Microsoft Works Update Detection"="???\\WkDetect.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

"backup"="C:\\WINNT\\pss\\Microsoft Office.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\MI1933~1\\Office\\OSA9.EXE -b -l"

"item"="Microsoft Office"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="deskup"

"hkey"="HKLM"

"command"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="GWMDMMSG"

"hkey"="HKLM"

"command"="GWMDMMSG.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="WkDetect"

"hkey"="HKCU"

"command"="???\\WkDetect.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NvCpl"

"hkey"="HKLM"

"command"="RUNDLL32.EXE C:\\WINNT\\System32\\NvCpl.dll,NvStartup"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="nwiz"

"hkey"="HKLM"

"command"="nwiz.exe /install"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Updreg"

"hkey"="HKLM"

"command"="C:\\WINNT\\Updreg.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="dumprep 0 -u"

"hkey"="HKLM"

"command"="%systemroot%\\system32\\dumprep 0 -u"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

 

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINNT\tasks\Norton Internet Security - Run Full System Scan - Owner.job

 

********************************************************************

 

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-04-24 07:44:22

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

********************************************************************

 

Completion time: 07-04-24 7:44:37

C:\ComboFix-quarantined-files.txt ... 07-04-24 07:44

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 7:47:04 AM, on 4/24/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe

C:\WINNT\system32\SK9910DM.EXE

C:\WINNT\system32\devldr32.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINNT\system32\RunDLL32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\My Downloads\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/

R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\halmbton.dll (file missing)

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: (no name) - {3C1540A6-0BFB-40AF-94BF-35A59AE6B037} - C:\WINNT\system32\fpfsxgop.dll (file missing)

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2639971314dd87151c18/...ip/RdxIE601.cab

O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/ac...nd/MSSurVid.cab

O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB

O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://68.15.177.210/plugin/h263ctrl.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINNT\C:\WINNT\System32\svchost.exe (file missing)

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Share this post


Link to post
Share on other sites

Let's deal with the rest now..

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\halmbton.dll (file missing)

O2 - BHO: (no name) - {3C1540A6-0BFB-40AF-94BF-35A59AE6B037} - C:\WINNT\system32\fpfsxgop.dll (file missing)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2639971314dd87151c18/...ip/RdxIE601.cab

O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB

O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://68.15.177.210/plugin/h263ctrl.cab

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

 

Since you installed XP on top of your Windows 2000, you have to understand that this may cause some issues. An example is... Your Windows security center is disabled because when you install XP on top of another OS, you confuse certain registry entries.

To fix this.. you have to edit this manually... So go to start > run and type: regedit

Hit enter. This will open your registry manager.

Now browse to next key:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

 

On the right, you'll find: Imagepath

Doubleclick it and in the value data path, make sure next is pasted:

%SystemRoot%\System32\svchost.exe -k netsvcs

 

Then hit OK.

 

Let me know in your next reply how things are now

Share this post


Link to post
Share on other sites

Done. Hard to tell if everything's all right in only a few minutes.

 

I'm curious about your comment. I bought this computer new in February 2002 and I'm pretty sure it had XP pre-installed when I bought it. I guess I could be wrong about that.

 

Also, this problem originally occurred last week when I was using Firefox. It became so bad, that after an hour I uninstalled Firefox. Not sure why I did that because it obviously is not the problem. My Norton NIS 2007 monitors IE but not Firefox. I guess I should figure out how to get it to monitor both. Can I reinstall Firefox now?

 

Should I restart and add a System Restore point now? I guess I have more questions that I thought! Also, I don't like NIS and AVG running at the same time - hogs too many resources.

 

Suggestions for any of the above?

Share this post


Link to post
Share on other sites

If XP was pre-installed, then I wonder why it was not installed in a Windows-folder, but in a WINNT folder instead. Because WINNT belongs to Windows 2000 OS. Anyway, it's set up like this and you cannot change it now.

 

Yes, you can try to reinstall Firefox again.

 

NIS is known to hog too many resources anyway - that's one of the reasons why I don't recommend NIS.

 

Yes, you may create a new system restore point.

 

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!

Share this post


Link to post
Share on other sites

Seems to be working fine now. Will start a new thread or reopen if something else comes up.

Thanks so much for your help and links for advice! It is appreciated!!

Share this post


Link to post
Share on other sites

Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here

This applies only to the original topic starter.

 

Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0