Author Topic: HijackThis Spyware Nightmare (Read 1620 times)

Andyboy · « **on:** January 07, 2005, 03:35:47 PM »

I've installed and run Adaware and Spybot and between them they find plenty of spyware on my machine. But I don't seem to then be able to remove it.
I've now downloaded Hijackthis, and am at a loss as to what to do next, other than set fire to my pc.

Any suggestions as to what to do with the following would be much appreciated...

Logfile of HijackThis v1.99.0
Scan saved at 19:23:17, on 07/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8EB48E63-2152-F316-A524-2B06602A4260} - C:\WINDOWS\sdknk32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [sysxs.exe] C:\WINDOWS\system32\sysxs.exe
O4 - HKLM\..\RunOnce: [sysac.exe] C:\WINDOWS\sysac.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Reboot.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\winun32.exe (file missing)

Thank you...

jcurrieirocz · « **Reply #1 on:** January 07, 2005, 04:44:38 PM »

i assume your attack and spyware is coming in thru activex but by useing SpywareBlaster 3.2 you can block unwanted spyware before it gets on your comp. but that still doesnt help you clean off what you got there now. im not too much more help sorry.

Andyboy · « **Reply #2 on:** January 07, 2005, 06:34:45 PM »

Thanks jcurrieirocz, I'll add activex to my reading list and research list (I'm quite new to computing and eager to learn as much as I can) and I'll organise a SpywareBlaster download as soon as I've resolved this little mess....

Cheers

guestolo · « **Reply #3 on:** January 07, 2005, 09:25:21 PM »

Hi Andyboy, can you do me a favor

Redownload Hijackthis and save it to a Permanent folder

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE or CLICK HERE
Save it to that new folder

Once you have done that
Could you also Download and save to desktop ServiceFilter.zip
A script by rand1038 that reveals potential unauthorised running services in your system.
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

Also, post back a Fresh hijackthis log

Andyboy · « **Reply #4 on:** January 08, 2005, 02:51:05 PM »

OK, first up, I've moved the location of hijackthis, rebooted and ran the scan. Log is below;

Logfile of HijackThis v1.99.0
Scan saved at 18:43:10, on 08/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sysac.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Envy24\EnMixCPL.exe
C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\sysxs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Office keyboard utility\1.2\MMKEYB.EXE
C:\Program Files\Office keyboard utility\1.2\TrayMon.exe
C:\Program Files\Office keyboard utility\1.2\osd.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C12F704-431A-97DB-D01E-19248DFCBC19} - C:\WINDOWS\system32\apptf32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [sysxs.exe] C:\WINDOWS\system32\sysxs.exe
O4 - HKLM\..\RunOnce: [sysac.exe] C:\WINDOWS\sysac.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\winun32.exe (file missing)

I also downloaded and ran the service filter script you described, though surprised to find onyl the keyboard driver and norton in it? See below....

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 2
Jan 8, 2005 18:39:11

===> Begin Service Listing <===

Unknown Service #1
Service Name: nhksrv
Display Name: Netropa NHK Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\office keyboard utility\1.2\nhksrv.exe
State: Running
Process ID: 1820
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service #2
Service Name: NProtectService
Display Name: Norton Unerase Protection
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\norton antivirus\advtools\nprotect.exe
State: Running
Process ID: 1920
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Finally, I switched to fireox this afternoon, and seem to have much less difficulty with this browser. Still, feel the pc is infected with all sorts....
Suggestions for my next steps much appreciated.
Thanks again..Andyboy

guestolo · « **Reply #5 on:** January 08, 2005, 04:31:42 PM »

Let's try some cleanup on your machine

I'm assuming that your using Firefox
So could you please
Download this zipped file Clean.zip <<Removed link
To make that link work properly you will have to Right click on it and Copy Link Location
Paste it to the Firefox Address bar and hit Go or Enter

Save the zipped file to your desktop and UNZIP the contents to your desktop
We'll need these later, don't run them yet

Could you also Create a New folder on your desktop, call it Aboutbuster
Right click an empty spot on the desktop, Select NEW>>FOLDER
Download to desktop About:Buster
by RubbeR Ducky
Unzip it to that new folder
Open About:Buster.exe and check for updates, after updating could you just close it out for now

Can you please print the rest of this out or save it to a Notepad file on your desktop for easy access
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Restart your computer into SAFE MODE

Go to START>>>RUN>>>type in services.msc
and hit Enter or OK
In the next window, look on the right hand side for this service
name---- Network Security Service <--exact service name

Double click on it---If you find it and if not already set to disabled-- STOP the service--
In the drop down menu, change the startup type to Disabled

Do the same thing for
ZESOFT

Stay in safe mode and access your task manager
Right click the bottom task bar and select Task Manager
End process on these if still running

sysxs.exe
sysac.exe

Find and delete these files or folder if they exist
FILES
C:\WINDOWS\sysac.exe <--this file
C:\WINDOWS\system32\sysxs.exe
C:\WINDOWS\system32\apptf32.dll
C:\WINDOWS\zeta.exe
C:\WINDOWS\winun32.exe

FOLDER
C:\Program Files\Common Files\tsa <--this folder

Again, in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129

O2 - BHO: (no name) - {5C12F704-431A-97DB-D01E-19248DFCBC19} - C:\WINDOWS\system32\apptf32.dll

O4 - HKLM\..\Run: [sysxs.exe] C:\WINDOWS\system32\sysxs.exe
O4 - HKLM\..\RunOnce: [sysac.exe] C:\WINDOWS\sysac.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\winun32.exe (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Navigate to About:Buster
Start About:Buster and hit ok. Now for the scanning part. Hit Start and then Ok. The program should start scanning.Scan a Second time. Save the log--- Then hit exit

Right-click on DelDomains.inf and select: Install
This will remove all entries in the "Trusted Zone" and "Ranges"

Double click on cwsserviceremove.reg and Allow it to merge to the Registry
Double click on zesoft.reg Again, allow to merge

Restart back to Normal mode
Ensure your running the latest version of Ad-Aware>>The latest is Ad-Aware SE 1.05
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates

Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Ensure you have the latest of Spybot
SEARCH FOR UPDATES button, Check and download all updates
Click the "Search and Destroy" Button
In the right window, click the
Check for Problems Let it complete it's scanning---Ensure to check and FIX Checked Problems--everything in RED---they should be checked by default

Restart your computer again to finish the cleaning process

Open Hijackthis>>Open Misc Tools Section>>Open Host file manager
If it prompts you to create a new Hosts file--allow it

Search for these files on your computer and let me know if you can find them
There not bad, but may need to be replaced
SDHelper.dll - If you have Spybot Search & Destroy installed download a new SDHelper.dll from HERE and unzip it to the default Spybot folder.
* The normal path is C:\Program Files\Spybot - Search & Destroy.
You can check if this feature is enabled,
Open Spybot>>Click Mode>>Advanced Mode>>
Click Tools>>RESIDENT>>Put a check in Resident SDHELPER

Look in your system32 folder for shell.dll
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

Check ActiveX security settings:
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled) or prompt
o Script ActiveX controls marked safe for scripting (Prompt)

It's always a good idea after this particular infection to
run an Online Virus scan at Trend Micro's---Set to Autclean

Post back a fresh hijackthis log and let me know how everythings running

Could you also post back the About:Buster logs, thanks

Andyboy · « **Reply #6 on:** January 09, 2005, 06:42:35 PM »

Wow, that was an afternoon's work, but I finally feel that we're getting somewhere.

Brilliant, thank you.

Few points...
I could not find the following files/folders to delete....
FILES

C:\WINDOWS\system32\sysxs.exe
C:\WINDOWS\system32\apptf32.dll
C:\WINDOWS\zeta.exe
C:\WINDOWS\winun32.exe

FOLDER
C:\Program Files\Common Files\tsa <--this folder

And, in the HJK scan, I didn't find
O2 - BHO: (no name) - {5C12F704-431A-97DB-D01E-19248DFCBC19} - C:\WINDOWS\system32\apptf32.dll
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

And finally, the zesoft registry merge would not proceed, due to the "specified file is not rehistry script"

Any way, all else has gone ok so far.
Below is the HJT log file and below that the about:buster flog file.

Anything else need to be done? Oh' I'm just sorting out the micro trend scan, but I haven't finished downloading required application etc yet.

Thanks for the help so far, you guys are amazing.

Logfile of HijackThis v1.99.0
Scan saved at 22:28:32, on 09/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Envy24\EnMixCPL.exe
C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Office keyboard utility\1.2\MMKEYB.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Office keyboard utility\1.2\TrayMon.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Office keyboard utility\1.2\osd.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\Winamp.exe
C:\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {649DE2FA-69DB-9E46-A672-0E8D3E4D18A3} - C:\WINDOWS\system32\ipfm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Scanned at: 18:25:30 on: 09/01/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 22

Removed Data Streams:
C:\WINDOWS\desktop.ini:vliob
C:\WINDOWS\hicik.dat:yndlr
C:\WINDOWS\KB835732.log:cephb
C:\WINDOWS\KB841356.log:zxbfi
C:\WINDOWS\KB841533.log:ufand
C:\WINDOWS\KB873376.log:nftax
C:\WINDOWS\REGLOCS.OLD:izljj
C:\WINDOWS\setuplog.txt:qsedz
C:\WINDOWS\SIS_LIB.DLL:kjydl
C:\WINDOWS\Soap Bubbles.bmp:drcpn
C:\WINDOWS\svcpack.log:vsvch
C:\WINDOWS\ucatj.dll:gljhn
C:\WINDOWS\vbaddin.ini:ymcmq
C:\WINDOWS\wiaservc.log:qnurk
C:\WINDOWS\winamp.ini:vecvr

Removed 4 Random Key Entries
Removed! : C:\WINDOWS\eaeyb.dat
Removed! : C:\WINDOWS\hicik.dat
Removed! : C:\WINDOWS\mmnvi.dat
Removed! : C:\WINDOWS\system32\aixrc.dat
Removed! : C:\WINDOWS\system32\gnuwz.dat
Removed! : C:\WINDOWS\system32\qrysp.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 22

Removed Data Streams:
C:\WINDOWS\desktop.ini:vliob
C:\WINDOWS\hicik.dat:yndlr
C:\WINDOWS\KB835732.log:cephb
C:\WINDOWS\KB841356.log:zxbfi
C:\WINDOWS\KB841533.log:ufand
C:\WINDOWS\KB873376.log:nftax
C:\WINDOWS\REGLOCS.OLD:izljj
C:\WINDOWS\setuplog.txt:qsedz
C:\WINDOWS\SIS_LIB.DLL:kjydl
C:\WINDOWS\Soap Bubbles.bmp:drcpn
C:\WINDOWS\svcpack.log:vsvch
C:\WINDOWS\ucatj.dll:gljhn
C:\WINDOWS\vbaddin.ini:ymcmq
C:\WINDOWS\wiaservc.log:qnurk
C:\WINDOWS\winamp.ini:vecvr

Attempted Clean Of Temp folder.
Pages Reset... Done!

guestolo · « **Reply #7 on:** January 09, 2005, 07:21:16 PM »

The reg script for zesoft works fine on my end, did you unzip the contents first?

Try this
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as zesoft.reg
Save it on the desktop

Quote

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZESOFT][-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZESOFT]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZESOFT]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ZESOFT]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ZESOFT]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ZESOFT]

Double click on zesoft.reg and allow to merge

Do another scan with Hijackthis and put a check next to these entries:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {649DE2FA-69DB-9E46-A672-0E8D3E4D18A3} - C:\WINDOWS\system32\ipfm.dll (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your computer

When your back in Windows can you run a couple more scans with About:Buster
Post the log from it

Also---Where ever you unzipped ServiceFilter too
Open the folder
Inside the folder will be another called "OnlyOnRequest"
Open that folder and copy and paste back the results from
"Services.txt"

Also post back a fresh hijackthis log

Andyboy · « **Reply #8 on:** January 11, 2005, 04:21:58 PM »

OK back on it....

zesoft.reg merge done successfully.

About:buster log as follows;

Scanned at: 19:56:02 on: 11/01/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 22

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 22

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Looks good right (?)

ServiceFilter 'only on request' log looks like this;
###################################################

Please do not post the contents of this document
unless the person helping you specifically requests
to see Services.txt
Thank You

###################################################

ServiceFilter 1.1
by rand1038

Service Name: Alerter
Display Name: Alerter
Start Mode: Disabled
Start Name: NT AUTHORITY\LocalService
Description: Notifies selected users and computers of administrative alerts. If the service is stopped, ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k localservice
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: ALG
Display Name: Application Layer Gateway Service
Start Mode: Manual
Start Name: NT AUTHORITY\LocalService
Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows ...
Service Type: Own Process
Path: c:\windows\system32\alg.exe
State: Running
Process ID: 3128
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: AppMgmt
Display Name: Application Management
Start Mode: Manual
Start Name: LocalSystem
Description: Provides software installation services such as Assign, Publish, and ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: aspnet_state
Display Name: ASP.NET State Service
Start Mode: Manual
Start Name: NT AUTHORITY\NetworkService
Description: Provides support for out-of-process session states for ASP.NET. If this service is stopped, ...
Service Type: Own Process
Path: c:\windows\microsoft.net\framework\v1.1.4322\aspnet_state.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: AudioSrv
Display Name: Windows Audio
Start Mode: Auto
Start Name: LocalSystem
Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: BITS
Display Name: Background Intelligent Transfer Service
Start Mode: Manual
Start Name: LocalSystem
Description: Transfers files in the background using idle network bandwidth. If the service is stopped, ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: Browser
Display Name: Computer Browser
Start Mode: Auto
Start Name: LocalSystem
Description: Maintains an updated list of computers on the network and supplies this list to computers ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Service Name: ccEvtMgr
Display Name: Symantec Event Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec Event ...
Service Type: Own Process
Path: c:\program files\common files\symantec shared\ccevtmgr.exe
State: Running
Process ID: 576
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: ccPwdSvc
Display Name: Symantec Password Validation Service
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\common files\symantec shared\ccpwdsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Service Name: cisvc
Display Name: Indexing Service
Start Mode: Manual
Start Name: LocalSystem
Description: Indexes contents and properties of files on local and remote computers; provides rapid access to ...
Service Type: Share Process
Path: c:\windows\system32\cisvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: ClipSrv
Display Name: ClipBook
Start Mode: Disabled
Start Name: LocalSystem
Description: Enables ClipBook Viewer to store information and share it with remote computers. If the service is ...
Service Type: Own Process
Path: c:\windows\system32\clipsrv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: COMSysApp
Display Name: COM+ System Application
Start Mode: Manual
Start Name: LocalSystem
Description: Manages the configuration and tracking of Component Object Model (COM)+-based components. If the ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{02d4b3f1-fd88-11d1-960d-00805fc79235}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: CryptSvc
Display Name: Cryptographic Services
Start Mode: Auto
Start Name: LocalSystem
Description: Provides three management services: Catalog Database Service, which confirms the signatures of ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: DcomLaunch
Display Name: DCOM Server Process Launcher
Start Mode: Auto
Start Name: LocalSystem
Description: Provides launch functionality for DCOM ...
Service Type: Share Process
Path: c:\windows\system32\svchost -k dcomlaunch
State: Running
Process ID: 920
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Service Name: Dhcp
Display Name: DHCP Client
Start Mode: Auto
Start Name: LocalSystem
Description: Manages network configuration by registering and updating IP addresses and DNS ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: dmadmin
Display Name: Logical Disk Manager Administrative Service
Start Mode: Manual
Start Name: LocalSystem
Description: Configures hard disk drives and volumes. The service only runs for configuration processes and ...
Service Type: Share Process
Path: c:\windows\system32\dmadmin.exe /com
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: dmserver
Display Name: Logical Disk Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: Dnscache
Display Name: DNS Client
Start Mode: Auto
Start Name: NT AUTHORITY\NetworkService
Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k networkservice
State: Running
Process ID: 1164
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: ERSvc
Display Name: Error Reporting Service
Start Mode: Auto
Start Name: LocalSystem
Description: Allows error reporting for services and applictions running in non-standard ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: Eventlog
Display Name: Event Log
Start Mode: Auto
Start Name: LocalSystem
Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event ...
Service Type: Share Process
Path: c:\windows\system32\services.exe
State: Running
Process ID: 756
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Service Name: EventSystem
Display Name: COM+ Event System
Start Mode: Manual
Start Name: LocalSystem
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: FastUserSwitchingCompatibility
Display Name: Fast User Switching Compatibility
Start Mode: Manual
Start Name: LocalSystem
Description: Provides management for applications that require assistance in a multiple user ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: helpsvc
Display Name: Help and Support
Start Mode: Auto
Start Name: LocalSystem
Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: HidServ
Display Name: Human Interface Device Access
Start Mode: Disabled
Start Name: LocalSystem
Description: Enables generic input access to Human Interface Devices (HID), which activates and maintains the ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: HTTPFilter
Display Name: HTTP SSL
Start Mode: Manual
Start Name: LocalSystem
Description: This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k httpfilter
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: ImapiService
Display Name: IMAPI CD-Burning COM Service
Start Mode: Manual
Start Name: LocalSystem
Description: Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this ...
Service Type: Own Process
Path: c:\windows\system32\imapi.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Service Name: lanmanserver
Display Name: Server
Start Mode: Auto
Start Name: LocalSystem
Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Service Name: lanmanworkstation
Display Name: Workstation
Start Mode: Auto
Start Name: LocalSystem
Description: Creates and maintains client network connections to remote servers. If this service is stopped, ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Service Name: LmHosts
Display Name: TCP/IP NetBIOS Helper
Start Mode: Auto
Start Name: NT AUTHORITY\LocalService
Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k localservice
State: Running
Process ID: 1212
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: Messenger
Display Name: Messenger
Start Mode: Disabled
Start Name: LocalSystem
Description: Transmits net send and Alerter service messages between clients and servers. This service is not ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: mnmsrvc
Display Name: NetMeeting Remote Desktop Sharing
Start Mode: Manual
Start Name: LocalSystem
Description: Enables an authorized user to access this computer remotely by using NetMeeting over a corporate ...
Service Type: Own Process
Path: c:\windows\system32\mnmsrvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: MSDTC
Display Name: Distributed Transaction Coordinator
Start Mode: Manual
Start Name: NT AUTHORITY\NetworkService
Description: Coordinates transactions that span multiple resource managers, such as databases, message queues, ...
Service Type: Own Process
Path: c:\windows\system32\msdtc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: MSIServer
Display Name: Windows Installer
Start Mode: Manual
Start Name: LocalSystem
Description: Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this ...
Service Type: Share Process
Path: c:\windows\system32\msiexec.exe /v
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: navapsvc
Display Name: Norton AntiVirus Auto Protect Service
Start Mode: Auto
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect ...
Service Type: Own Process
Path: c:\program files\norton antivirus\navapsvc.exe
State: Running
Process ID: 664
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: NetDDE
Display Name: Network DDE
Start Mode: Disabled
Start Name: LocalSystem
Description: Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on ...
Service Type: Share Process
Path: c:\windows\system32\netdde.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: NetDDEdsdm
Display Name: Network DDE DSDM
Start Mode: Disabled
Start Name: LocalSystem
Description: Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares ...
Service Type: Share Process
Path: c:\windows\system32\netdde.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: Netlogon
Display Name: Net Logon
Start Mode: Manual
Start Name: LocalSystem
Description: Supports pass-through authentication of account logon events for computers in a ...
Service Type: Share Process
Path: c:\windows\system32\lsass.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: Netman
Display Name: Network Connections
Start Mode: Manual
Start Name: LocalSystem
Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: nhksrv
Display Name: Netropa NHK Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\office keyboard utility\1.2\nhksrv.exe
State: Running
Process ID: 520
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Service Name: Nla
Display Name: Network Location Awareness (NLA)
Start Mode: Manual
Start Name: LocalSystem
Description: Collects and stores network configuration and location information, and notifies applications when ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: NProtectService
Display Name: Norton Unerase Protection
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\norton antivirus\advtools\nprotect.exe
State: Running
Process ID: 804
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: NtLmSsp
Display Name: NT LM Security Support Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Provides security to remote procedure call (RPC) programs that use transports other than named ...
Service Type: Share Process
Path: c:\windows\system32\lsass.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: NtmsSvc
Display Name: Removable Storage
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: ose
Display Name: Office Source Engine
Start Mode: Manual
Start Name: LocalSystem
Description: Saves installation files used for updates and repairs and is required for the downloading of Setup ...
Service Type: Own Process
Path: c:\program files\common files\microsoft shared\source engine\ose.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: PlugPlay
Display Name: Plug and Play
Start Mode: Auto
Start Name: LocalSystem
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. ...
Service Type: Share Process
Path: c:\windows\system32\services.exe
State: Running
Process ID: 756
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Service Name: Pml Driver HPZ12
Display Name: Pml Driver HPZ12
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\hpzipm12.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Service Name: PolicyAgent
Display Name: IPSEC Services
Start Mode: Auto
Start Name: LocalSystem
Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security ...
Service Type: Share Process
Path: c:\windows\system32\lsass.exe
State: Running
Process ID: 768
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: ProtectedStorage
Display Name: Protected Storage
Start Mode: Auto
Start Name: LocalSystem
Description: Provides protected storage for sensitive data, such as private keys, to prevent access by ...
Service Type: Share Process
Path: c:\windows\system32\lsass.exe
State: Running
Process ID: 768
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: RasAuto
Display Name: Remote Access Auto Connection Manager
Start Mode: Manual
Start Name: LocalSystem
Description: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: RasMan
Display Name: Remote Access Connection Manager
Start Mode: Manual
Start Name: LocalSystem
Description: Creates a network ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: RDSessMgr
Display Name: Remote Desktop Help Session Manager
Start Mode: Manual
Start Name: LocalSystem
Description: Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be ...
Service Type: Own Process
Path: c:\windows\system32\sessmgr.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: RemoteAccess
Display Name: Routing and Remote Access
Start Mode: Disabled
Start Name: LocalSystem
Description: Offers routing services to businesses in local area and wide area network ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: RemoteRegistry
Display Name: Remote Registry
Start Mode: Auto
Start Name: NT AUTHORITY\LocalService
Description: Enables remote users to modify registry settings on this computer. If this service is stopped, the ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k localservice
State: Running
Process ID: 1212
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: RpcLocator
Display Name: Remote Procedure Call (RPC) Locator
Start Mode: Manual
Start Name: NT AUTHORITY\NetworkService
Description: Manages the RPC name service ...
Service Type: Own Process
Path: c:\windows\system32\locator.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: RpcSs
Display Name: Remote Procedure Call (RPC)
Start Mode: Auto
Start Name: NT Authority\NetworkService
Description: Provides the endpoint mapper and other miscellaneous RPC ...
Service Type: Share Process
Path: c:\windows\system32\svchost -k rpcss
State: Running
Process ID: 980
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Service Name: RSVP
Display Name: QoS RSVP
Start Mode: Manual
Start Name: LocalSystem
Description: Provides network signaling and local traffic control setup functionality for QoS-aware programs ...
Service Type: Own Process
Path: c:\windows\system32\rsvp.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: SamSs
Display Name: Security Accounts Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Stores security information for local user ...
Service Type: Share Process
Path: c:\windows\system32\lsass.exe
State: Running
Process ID: 768
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Service Name: SBService
Display Name: ScriptBlocking Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\common~1\symant~1\script~1\sbserv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Service Name: SCardSvr
Display Name: Smart Card
Start Mode: Manual
Start Name: NT AUTHORITY\LocalService
Description: Manages access to smart cards read by this computer. If this service is stopped, this computer ...
Service Type: Share Process
Path: c:\windows\system32\scardsvr.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: Schedule
Display Name: Task Scheduler
Start Mode: Auto
Start Name: LocalSystem
Description: Enables a user to configure and schedule automated tasks on this computer. If this service is ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Service Name: seclogon
Display Name: Secondary Logon
Start Mode: Auto
Start Name: LocalSystem
Description: Enables starting processes under alternate credentials. If this service is stopped, this type of ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Service Name: SENS
Display Name: System Event Notification
Start Mode: Auto
Start Name: LocalSystem
Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: SharedAccess
Display Name: Windows Firewall/Internet Connection Sharing (ICS)
Start Mode: Auto
Start Name: LocalSystem
Description: Provides network address translation, addressing, name resolution and/or intrusion prevention ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: ShellHWDetection
Display Name: Shell Hardware Detection
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Service Name: Spooler
Display Name: Print Spooler
Start Mode: Auto
Start Name: LocalSystem
Description: Loads files to memory for later ...
Service Type: Own Process
Path: c:\windows\system32\spoolsv.exe
State: Running
Process ID: 1592
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: srservice
Display Name: System Restore Service
Start Mode: Auto
Start Name: LocalSystem
Description: Performs system restore functions. To stop service, turn off System Restore from the System ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: SSDPSRV
Display Name: SSDP Discovery Service
Start Mode: Manual
Start Name: NT AUTHORITY\LocalService
Description: Enables discovery of UPnP devices on your home ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k localservice
State: Running
Process ID: 1212
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: stisvc
Display Name: Windows Image Acquisition (WIA)
Start Mode: Auto
Start Name: LocalSystem
Description: Provides image acquisition services for scanners and ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k imgsvc
State: Running
Process ID: 1372
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{a0f87d39-9d38-4c7f-94d8-266c050b199f}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Service Name: SysmonLog
Display Name: Performance Logs and Alerts
Start Mode: Manual
Start Name: NT Authority\NetworkService
Description: Collects performance data from local or remote computers based on preconfigured schedule ...
Service Type: Own Process
Path: c:\windows\system32\smlogsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

And finally, the HJT log looks like this;

Logfile of HijackThis v1.99.0
Scan saved at 20:06:24, on 11/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Envy24\EnMixCPL.exe
C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Office keyboard utility\1.2\MMKEYB.EXE
C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Office keyboard utility\1.2\TrayMon.exe
C:\Program Files\Office keyboard utility\1.2\osd.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Woah, a lot of info there.
All visable symptons have stopped at my end, is the machine clear?
Thanks for your help with this, what the best way to show some appreciation round here?

Cheers

Andyboy

guestolo · « **Reply #9 on:** January 11, 2005, 08:41:20 PM »

Thanks for the logs Andy, looks good
Appreciation, keep safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/wink.gif\' class=\'bbc_emoticon\' alt=\'

\' />

You should set up extra protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

I see you use Firefox, good move
It's a lot safer browser

For the times that you do need Internet Explorer, you may want to look into this free utility

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Take care

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

By the way, If everything is running smooth now you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point

Here's a link, just in case your unsure how to
http://vil.nai.com/vil/SystemHelpDocs/Disa...eSysRestore.htm

Locking this topic, anyone with similiar problems
Please start your own post in this forum, include a Hijackthis log

TheTechGuide Forum

News:

Author Topic: HijackThis Spyware Nightmare (Read 1620 times)

Andyboy

HijackThis Spyware Nightmare

jcurrieirocz

HijackThis Spyware Nightmare

Andyboy

HijackThis Spyware Nightmare

guestolo

HijackThis Spyware Nightmare

Andyboy

HijackThis Spyware Nightmare

guestolo

HijackThis Spyware Nightmare

Andyboy

HijackThis Spyware Nightmare

guestolo

HijackThis Spyware Nightmare

Andyboy

HijackThis Spyware Nightmare

guestolo

HijackThis Spyware Nightmare