Author Topic: Tons of adware on this computer!  (Read 2048 times)

holyknight
« on: March 10, 2005, 11:58:35 PM »
My friend was having problems with his computer, and since he isn't a computer-savvy user, he ended up with a lot of spyware. After the removal of several pieces of spyware and viruses, Norton AntiVirus still shows several spyware components that it cannot remove. Upon further investigation, HijackThis seemed to be my only hope, so I come here in hopes that someone would be able to help me remove these dangerous pieces of spyware with a HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 10:55:02 PM, on 3/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sysml.exe
C:\WINDOWS\system32\mszt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wypkxicrjuvkuuzocjhx.net/l7vKhd...naq9IMSXYDC.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AF174026-CDFA-DA2F-7743-A872A5AA0D6C} - C:\WINDOWS\system32\mfcto32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [mszt.exe] C:\WINDOWS\system32\mszt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\RunOnce: [sysml.exe] C:\WINDOWS\system32\sysml.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [a3d] C:\WINDOWS\System32\a3d.exe
O4 - HKCU\..\Run: [jugsthe] C:\DOCUME~1\LASHAW~1\APPLIC~1\BROWSE~1\flaw loud.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Network Security Service (  6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\system32\nttz.exe (file missing)

Any and all help is deeply appreciated. Thank you!

guestolo
« Reply #1 on: March 11, 2005, 12:30:28 AM »
Let's see what we can remove the first time around; ensure you follow all steps.

Can you first open Microsoft's Anti-Spyware software and disable its Realtime Protection?
It may get in the way of any fixes.
Open MAS and click on Options>>Settings
Click the Realtime Protection icon on the top right
Inactivate all scanners

===Download to desktop About:Buster
by RubbeR Ducky
Unzip the contents to desktop, a folder will be placed on your desktop
Open it and run About:buster.exe
Click the Update Button and check for updates, if any download them
Then close it for now, we'll need this later

===Download and UNZIP to your desktop
Cwsserviceremove.zip
Ensure you unzip it so you will have cwsserviceremove.reg on your desktop now, we'll need this later

Can you save the rest of these instructions to a Notepad file on your Desktop

RESTART your Computer in SAFE MODE
you can do this by tapping the F8 key as the system is booting up

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Enter your Add/Remove Programs via Control Panel and Remove if found
ClockSync

===Next: Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Network Security Service  <<Take a close look for this one

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
from Automatic

===Stay in safe mode and navigate to these files or folders and delete them if they exist
C:\WINDOWS\system32\mfcto32.dll <--file
C:\WINDOWS\system32\sysml.exe <--file
C:\WINDOWS\system32\mszt.exe <--file
C:\WINDOWS\system32\nttz.exe <--file

C:\Documents and Settings\LASHAW~1\Application Data\BROWSE~1 <--folder
I'm not sure of the Exact name but it will start with BROWSE
C:\Program Files\ClockSync <--folder

Open Hijackthis>>Open Misc tools section>>Click the "Delete an NT Service" button
Copy and Paste the next entry in bold to the blank box and hit OK

Network Security Service

Do the same for this service name

 6QÔõ'ª´ÆÐ8


===In safe mode
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wypkxicrjuvkuuzocjhx.net/l7vKhd...naq9IMSXYDC.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gtfal.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AF174026-CDFA-DA2F-7743-A872A5AA0D6C} - C:\WINDOWS\system32\mfcto32.dll

O4 - HKLM\..\Run: [mszt.exe] C:\WINDOWS\system32\mszt.exe

O4 - HKLM\..\RunOnce: [sysml.exe] C:\WINDOWS\system32\sysml.exe

O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [a3d] C:\WINDOWS\System32\a3d.exe
O4 - HKCU\..\Run: [jugsthe] C:\DOCUME~1\LASHAW~1\APPLIC~1\BROWSE~1\flaw loud.exe

O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\system32\nttz.exe (file missing)


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Navigate to About:buster you unzipped and updated earlier
===Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log... Then hit Exit
You may have to scan more than twice until it finds no more files or data streams

===Double click on cwsserviceremove.reg and allow it to merge to the registry

===RESTART back in Normal mode


=Look for shell.dll in your C:\Windows\system32 folder
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

====# Check ActiveX security settings:
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

===Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure you click the "check for updates now" link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process


==Do another scan with Hijackthis and post the log back here
Also post back with the about:buster logs

Could you also open Hijackthis>>Open Misc Tools Section>>Open Hosts file manager
If no hosts found let it create one
Click the OPEN IN NOTEPAD button
Copy and paste back here the results of the open notepad

Do what you can from the above before posting back, thanks

EDIT>>Could you also let me know if you have Spybot 1.3 installed, if so the hijacker could have deleted a file for it, we will replace it if it's installed......

You are also going to have to decide what Anti-Virus to stick with
Having more than one running can cause severe Conflicts
and system slowdowns
Decide which one the user is happiest with and uninstall the others
« Last Edit: March 11, 2005, 12:44:30 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


holyknight
« Reply #2 on: March 11, 2005, 04:49:33 AM »
Thanks for the help. I have done everything you have said and already see better functionality from the computer. I have also uninstalled the other antivirus software except for Norton. Oh and nope, he doesn't have Spybot.

HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:34:18 AM, on 3/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\hiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [a3d] C:\WINDOWS\System32\a3d.exe
O4 - HKCU\..\Run: [jugsthe] C:\DOCUME~1\LASHAW~1\APPLIC~1\BROWSE~1\flaw loud.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Hosts file manager log:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

AboutBuster Log file:

Scanned at: 2:28:55 AM   on: 3/11/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:


Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:


Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 2:30:04 AM   on: 3/11/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:


Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:


Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 3 ---------------------------
About:Buster Version 4.0
Reference List : 25

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Offline guestolo

« Reply #3 on: March 12, 2005, 01:47:16 AM »
Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [a3d] C:\WINDOWS\System32\a3d.exe
O4 - HKCU\..\Run: [jugsthe] C:\DOCUME~1\LASHAW~1\APPLIC~1\BROWSE~1\flaw loud.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART Your computer
If prompted from any Spyware Protection program about any change, ALLOW IT

Run About:Buster again and post the logs
Also post back a fresh Hijackthis log
« Last Edit: March 13, 2005, 02:31:48 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline holyknight

« Reply #4 on: March 12, 2005, 02:41:22 AM »
AboutBuster Log:

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:38:06 AM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
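
An added example, not part of the thread and not HijackThis code: a Python check that the entries ticked for fixing do not reappear in a later HijackThis log, matching on the exact entry, on the Run value name, or on the image path. The function names are hypothetical and the sample logs are constructed from lines quoted in this thread.

```python
import re
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")             # "O4 - <body>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run\w*: \[([^\]]*)\] (.+)$")

def entries(log):
    """(code, body) for each HijackThis result line; headers and the process list are skipped."""
    return [m.groups() for m in map(ENTRY.match, map(str.strip, log.splitlines())) if m]

def autorun(body):
    """Split an O4 registry Run body into (hive, value name, image path), lower-cased."""
    m = RUN.match(body)
    if not m:
        return None
    hive, name, cmd = m.groups()
    if cmd.startswith('"'):
        image = cmd[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces, so cut after the first ".exe" and drop arguments.
        hit = re.search(r"\.exe", cmd, re.I)
        image = cmd[:hit.end()] if hit else cmd
    return hive.lower(), name.lower(), image.lower()

def residual(flagged_log, fresh_log):
    """Flagged entries that survive in the fresh log, each with the reason it matched."""
    fresh = entries(fresh_log)
    exact = {(c, b.lower()) for c, b in fresh}
    runs = [a for c, b in fresh if c == "O4" for a in [autorun(b)] if a]
    found = []
    for code, body in entries(flagged_log):
        a = autorun(body) if code == "O4" else None
        if (code, body.lower()) in exact:
            found.append((body, "same entry"))
        elif a and any(r[:2] == a[:2] for r in runs):
            found.append((body, "same value name"))
        elif a and any(r[2] == a[2] for r in runs):
            found.append((body, "same image path"))
    return found

# Constructed samples: lines copied from the entries and the fresh log quoted in this thread.
FLAGGED = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [a3d] C:\WINDOWS\System32\a3d.exe
O4 - HKCU\..\Run: [jugsthe] C:\DOCUME~1\LASHAW~1\APPLIC~1\BROWSE~1\flaw loud.exe
"""
FRESH = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""
```

A short (8.3) path and its long form compare as different strings here, so an empty result is a reason to read the fresh log, not proof that nothing came back.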

Offline guestolo

« Reply #5 on: March 12, 2005, 02:52:40 AM »
Looks good
HolyKnight, how's everything running?

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection



Offline holyknight

« Reply #6 on: March 13, 2005, 12:56:43 AM »
Everything is running much better, thanks again. I'll be sure to make my friend express his gratitude in one way or another.

Offline guestolo

« Reply #7 on: March 13, 2005, 02:23:20 AM »
I forgot all about this file

Can you let me know if you see it on the hard disk
C:\WINDOWS\System32\a3d.exe <--this file

Can you right click on it and select properties
If there is a version tab can you find what it's related to



Offline holyknight

« Reply #8 on: March 13, 2005, 04:08:38 PM »
Hmmm, nope, not seeing a file like that, though I do see an a3d.dll file in there.

File version: 4.12.1.2008
Description: Audio3D
Copyright: © Copyright 1997-2001  Sensaura Ltd
Comments: Sensaura Audio3D API for DirectSound3D
Company: Sensaura Ltd

Offline guestolo

« Reply #9 on: March 13, 2005, 07:53:46 PM »
Thanks for looking Holyknight

This file a3d.dll
is legitimate, we can leave it alone

Take care
