Author Topic: CoolWWWSearch.Leftovers (Read 1976 times)

Guest_Eric_* · « **on:** April 03, 2005, 10:25:55 PM »

Please help!

I've been hijacked by CoolWWWSearch.Leftovers. SpyBot finds it, says it deletes it, but it always comes back. Microsoft Anti-Spyware identifies it, says it deletes it, but it always comes back.

Here's my HiJackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 10:20:05 PM, on 4/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Yahoo!\browser\ybrwicon.exe
D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\PROGRA~1\Yahoo!\browser\ycommon.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
D:\Program Files\Registry Clean Expert\RCScheduler.exe
D:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Registry Clean Pro\Scheduler.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\HPZipm12.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Eaze-E\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Eaze-E\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Eaze-E\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {75FA9147-0A9D-4C07-9AC6-FAC95CC5F32C} - D:\WINDOWS\System32\heho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - blank (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] D:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAV50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\Eaze-E\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "D:\Program Files\Registry Clean Expert\RCScheduler.exe" /startup
O4 - Startup: Scheduler.lnk = D:\Program Files\Registry Clean Pro\Scheduler.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = D:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = D:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {73EF0A5E-5EA3-406B-96A7-67FEDB5E7810} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {73EF0A5E-5EA3-406B-96A7-67FEDB5E7810} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A0934742-16C7-4504-892F-C7172A709EA4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A0934742-16C7-4504-892F-C7172A709EA4} - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O18 - Filter: text/html - {2CACA663-CEE4-4D80-B0AE-9218BA904D3C} - D:\WINDOWS\System32\heho.dll
O18 - Filter: text/plain - {2CACA663-CEE4-4D80-B0AE-9218BA904D3C} - D:\WINDOWS\System32\heho.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\system32\YPCSER~1.EXE

EWSchneider · « **Reply #1 on:** April 03, 2005, 11:10:49 PM »

This is my registered screen name...

guestolo · « **Reply #2 on:** April 04, 2005, 12:49:31 AM »

download Startdreck.zip startdreck.zip

UNZIP to a folder. DoubleClick: 'StartDreck.exe'
First click on the config button.
Now click the Unmark all button
Under "System/Drivers, put a check by these boxes only:
*Mark NT Services
*List binaries
*NT Kernel- and FS Drivers
Now click the Save button to save that log. Go to the StartDreck folder and find the Startdreck.log file.

Copy and Paste the contents of that log back here

Could you also
Download and save to Desktop DLLCompare

Start the Program and click the Run Locate.com

Let it complete the SCAN, which won't take long

Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button
Post back this log

Along with a fresh Hijackthis log

EWSchneider · « **Reply #3 on:** April 06, 2005, 05:22:42 PM »

STARTDRECK.LOG
StartDreck (build 2.1.7 public stable) - 2005-04-06 @ 17:14:55 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as Eaze-E at HOME

»Registry
»Files
»System/Drivers
»NT Services
*Alerter   Alerter   -   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k LocalService
*Application Layer Gateway Service   ALG   -   on demand
`binary: D:\WINDOWS\System32\alg.exe
*Application Management   AppMgmt   -   on demand
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*ASP.NET State Service   aspnet_state   -   on demand
`binary: D:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
*Windows Audio   AudioSrv   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Background Intelligent Transfer Service   BITS   -   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Computer Browser   Browser   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Indexing Service   cisvc   -   on demand
`binary: D:\WINDOWS\System32\cisvc.exe
*ClipBook   ClipSrv   -   on demand
`binary: D:\WINDOWS\system32\clipsrv.exe
*COM+ System Application   COMSysApp   -   on demand
`binary: D:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
*Cryptographic Services   CryptSvc   running   auto
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*DHCP Client   Dhcp   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Logical Disk Manager Administrative Service   dmadmin   -   on demand
`binary: D:\WINDOWS\System32\dmadmin.exe /com
*Logical Disk Manager   dmserver   -   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*DNS Client   Dnscache   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k NetworkService
*Error Reporting Service   ERSvc   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Event Log   Eventlog   running   auto
`binary: D:\WINDOWS\system32\services.exe
*COM+ Event System   EventSystem   running   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Fast User Switching Compatibility   FastUserSwitchingCom   running   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Help and Support   helpsvc   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Human Interface Device Access   HidServ   -   disabled
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*IMAPI CD-Burning COM Service   ImapiService   -   on demand
`binary: D:\WINDOWS\System32\imapi.exe
*iPod Service   iPodService   running   on demand
`binary: D:\Program Files\iPod\bin\iPodService.exe
*Kaspersky Anti-Virus Service   KLBLMain   running   auto
`binary: D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000
*Server   lanmanserver   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Workstation   lanmanworkstation   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*TCP/IP NetBIOS Helper   LmHosts   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k LocalService
*Messenger   Messenger   -   disabled
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*NetMeeting Remote Desktop Sharing   mnmsrvc   -   on demand
`binary: D:\WINDOWS\System32\mnmsrvc.exe
*Distributed Transaction Coordinator   MSDTC   -   on demand
`binary: D:\WINDOWS\System32\msdtc.exe
*Windows Installer   MSIServer   -   on demand
`binary: D:\WINDOWS\System32\msiexec.exe /V
*Network DDE   NetDDE   -   on demand
`binary: D:\WINDOWS\system32\netdde.exe
*Network DDE DSDM   NetDDEdsdm   -   on demand
`binary: D:\WINDOWS\system32\netdde.exe
*Net Logon   Netlogon   -   on demand
`binary: D:\WINDOWS\System32\lsass.exe
*Network Connections   Netman   running   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Network Location Awareness (NLA)   Nla   running   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*NT LM Security Support Provider   NtLmSsp   -   on demand
`binary: D:\WINDOWS\System32\lsass.exe
*Removable Storage   NtmsSvc   -   on demand
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*NVIDIA Driver Helper Service   NVSvc   running   auto
`binary: D:\WINDOWS\System32\nvsvc32.exe
*Plug and Play   PlugPlay   running   auto
`binary: D:\WINDOWS\system32\services.exe
*Pml Driver HPZ12   Pml Driver HPZ12   running   on demand
`binary: D:\WINDOWS\System32\HPZipm12.exe
*IPSEC Services   PolicyAgent   running   auto
`binary: D:\WINDOWS\System32\lsass.exe
*Protected Storage   ProtectedStorage   running   auto
`binary: D:\WINDOWS\system32\lsass.exe
*Remote Access Auto Connection Manager   RasAuto   running   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Access Connection Manager   RasMan   running   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Desktop Help Session Manager   RDSessMgr   -   on demand
`binary: D:\WINDOWS\system32\sessmgr.exe
*Routing and Remote Access   RemoteAccess   -   disabled
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Remote Procedure Call (RPC) Locator   RpcLocator   -   on demand
`binary: D:\WINDOWS\System32\locator.exe
*Remote Procedure Call (RPC)   RpcSs   running   auto
`binary: D:\WINDOWS\system32\svchost -k rpcss
*QoS RSVP   RSVP   -   on demand
`binary: D:\WINDOWS\System32\rsvp.exe
*Security Accounts Manager   SamSs   running   auto
`binary: D:\WINDOWS\system32\lsass.exe
*Smart Card Helper   SCardDrv   -   on demand
`binary: D:\WINDOWS\System32\SCardSvr.exe
*Smart Card   SCardSvr   -   on demand
`binary: D:\WINDOWS\System32\SCardSvr.exe
*Task Scheduler   Schedule   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Secondary Logon   seclogon   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*System Event Notification   SENS   running   auto
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*Internet Connection Firewall (ICF) / Internet C   SharedAccess   -   on demand
`onnection Sharing (ICS)
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Shell Hardware Detection   ShellHWDetection   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Print Spooler   Spooler   running   auto
`binary: D:\WINDOWS\system32\spoolsv.exe
*System Restore Service   srservice   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*SSDP Discovery Service   SSDPSRV   running   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Image Acquisition (WIA)   stisvc   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k imgsvc
*MS Software Shadow Copy Provider   SwPrv   -   on demand
`binary: D:\WINDOWS\System32\dllhost.exe /Processid:{9C4C0947-D2A1-4F40-A54D-9C31A7A74C9D}
*Performance Logs and Alerts   SysmonLog   -   on demand
`binary: D:\WINDOWS\system32\smlogsvc.exe
*Telephony   TapiSrv   running   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Terminal Services   TermService   running   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Themes   Themes   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Distributed Link Tracking Client   TrkWks   running   auto
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*Upload Manager   uploadmgr   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*Universal Plug and Play Device Host   upnphost   -   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k LocalService
*Uninterruptible Power Supply   UPS   -   on demand
`binary: D:\WINDOWS\System32\ups.exe
*Volume Shadow Copy   VSS   -   on demand
`binary: D:\WINDOWS\System32\vssvc.exe
*Windows Time   W32Time   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*WAN Miniport (ATW) Service   WANMiniportService   running   auto
`binary: "D:\WINDOWS\wanmpsvc.exe"
*WebClient   WebClient   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k LocalService
*Windows Management Instrumentation   winmgmt   running   auto
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*WMDM PMSP Service   WMDM PMSP Service   running   auto
`binary: D:\WINDOWS\System32\MsPMSPSv.exe
*Portable Media Serial Number Service   WmdmPmSN   -   on demand
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*WMI Performance Adapter   WmiApSrv   -   on demand
`binary: D:\WINDOWS\System32\wbem\wmiapsrv.exe
*Automatic Updates   wuauserv   running   auto
`binary: D:\WINDOWS\system32\svchost.exe -k netsvcs
*Wireless Zero Configuration   WZCSVC   running   auto
`binary: D:\WINDOWS\System32\svchost.exe -k netsvcs
*YPCService   YPCService   -   on demand
`binary: D:\WINDOWS\system32\YPCSER~1.EXE
»NT Kernel- and FS-drivers
*Abiosdsk   Abiosdsk   -   disabled
`binary:
*abp480n5   abp480n5   -   disabled
`binary:
*Intel® 82801 Audio Driver Install Service (WD   ac97intc   running   on demand
`M)
`binary: system32\drivers\ac97intc.sys
*Microsoft ACPI Driver   ACPI   running   boot
`binary: \SystemRoot\System32\DRIVERS\ACPI.sys
*ACPIEC   ACPIEC   -   disabled
`binary:
*adpu160m   adpu160m   -   disabled
`binary:
*Microsoft Kernel Acoustic Echo Canceller   aec   -   on demand
`binary: system32\drivers\aec.sys
*AFD Networking Support Environment   AFD   running   auto
`binary: \SystemRoot\System32\drivers\afd.sys
*Intel AGP Bus Filter   agp440   running   boot
`binary: \SystemRoot\System32\DRIVERS\agp440.sys
*Aha154x   Aha154x   -   disabled
`binary:
*aic78u2   aic78u2   -   disabled
`binary:
*aic78xx   aic78xx   -   disabled
`binary:
*AliIde   AliIde   -   disabled
`binary:
*amsint   amsint   -   disabled
`binary:
*asc   asc   -   disabled
`binary:
*asc3350p   asc3350p   -   disabled
`binary:
*asc3550   asc3550   -   disabled
`binary:
*RAS Asynchronous Media Driver   AsyncMac   -   on demand
`binary: System32\DRIVERS\asyncmac.sys
*Standard IDE/ESDI Hard Disk Controller   atapi   running   boot
`binary: \SystemRoot\System32\DRIVERS\atapi.sys
*Atdisk   Atdisk   -   disabled
`binary:
*ATM ARP Client Protocol   Atmarpc   -   on demand
`binary: System32\DRIVERS\atmarpc.sys
*Audio Stub Driver   audstub   running   on demand
`binary: System32\DRIVERS\audstub.sys
*Beep   Beep   running   system
`binary:
*cbidf2k   cbidf2k   -   disabled
`binary:
*cd20xrnt   cd20xrnt   -   disabled
`binary:
*Cdaudio   Cdaudio   -   system
`binary:
*Cdfs   Cdfs   running   disabled
`binary:
*CD-ROM Driver   Cdrom   running   system
`binary: System32\DRIVERS\cdrom.sys
*Changer   Changer   -   system
`binary:
*CmdIde   CmdIde   -   disabled
`binary:
*Cpqarray   Cpqarray   -   disabled
`binary:
*dac960nt   dac960nt   -   disabled
`binary:
*Disk Driver   Disk   running   boot
`binary: \SystemRoot\System32\DRIVERS\disk.sys
*dmboot   dmboot   -   disabled
`binary: System32\drivers\dmboot.sys
*dmio   dmio   -   disabled
`binary: System32\drivers\dmio.sys
*dmload   dmload   -   disabled
`binary: System32\drivers\dmload.sys
*Microsoft Kernel DLS Syntheiszer   DMusic   -   on demand
`binary: system32\drivers\DMusic.sys
*dpti2o   dpti2o   -   disabled
`binary:
*Microsoft Kernel DRM Audio Descrambler   drmkaud   -   on demand
`binary: system32\drivers\drmkaud.sys
*Fastfat   Fastfat   -   disabled
`binary:
*Floppy Disk Controller Driver   Fdc   running   on demand
`binary: System32\DRIVERS\fdc.sys
*Fips   Fips   running   system
`binary:
*Floppy Disk Driver   Flpydisk   running   on demand
`binary: System32\DRIVERS\flpydisk.sys
*Volume Manager Driver   Ftdisk   running   boot
`binary: \SystemRoot\System32\DRIVERS\ftdisk.sys
*Game Port Enumerator   gameenum   running   on demand
`binary: System32\DRIVERS\gameenum.sys
*GEAR CDRom Filter   GEARAspiWDM   running   on demand
`binary: SYSTEM32\DRIVERS\GEARAspiWDM.sys
*Generic Packet Classifier   Gpc   running   on demand
`binary: System32\DRIVERS\msgpc.sys
*Intel HaM Data Fax Voice   ham50   -   on demand
`binary: System32\DRIVERS\ham50.sys
*HCF_MSFT   HCF_MSFT   running   on demand
`binary: System32\DRIVERS\HCF_MSFT.sys
*hpn   hpn   -   disabled
`binary:
*hpt3xx   hpt3xx   -   disabled
`binary:
*IEEE-1284.4 Driver HPZid412   HPZid412   running   on demand
`binary: System32\DRIVERS\HPZid412.sys
*Print Class Driver for IEEE-1284.4 HPZipr12   HPZipr12   running   on demand
`binary: System32\DRIVERS\HPZipr12.sys
*USB to IEEE-1284.4 Translation Driver HPZius12   HPZius12   running   on demand
`binary: System32\DRIVERS\HPZius12.sys
*i2omgmt   i2omgmt   -   system
`binary:
*i2omp   i2omp   -   disabled
`binary:
*i8042 Keyboard and PS/2 Mouse Port Driver   i8042prt   running   system
`binary: System32\DRIVERS\i8042prt.sys
*Imapi   Imapi   running   system
`binary:
*ini910u   ini910u   -   disabled
`binary:
*IntelIde   IntelIde   running   boot
`binary: \SystemRoot\System32\DRIVERS\intelide.sys
*Microsoft IntelliPoint Features driver   IPFilter   running   on demand
`binary: System32\DRIVERS\IPFilter.sys
*IP Traffic Filter Driver   IpFilterDriver   -   on demand
`binary: System32\DRIVERS\ipfltdrv.sys
*IP in IP Tunnel Driver   IpInIp   -   on demand
`binary: System32\DRIVERS\ipinip.sys
*IP Network Address Translator   IpNat   -   on demand
`binary: System32\DRIVERS\ipnat.sys
*IPSEC driver   IPSec   running   system
`binary: System32\DRIVERS\ipsec.sys
*IR Enumerator Service   IRENUM   -   on demand
`binary: System32\DRIVERS\irenum.sys
*PnP ISA/EISA Bus Driver   isapnp   running   boot
`binary: \SystemRoot\System32\DRIVERS\isapnp.sys
*Keyboard Class Driver   Kbdclass   running   system
`binary: System32\DRIVERS\kbdclass.sys
*Klif   Klif   running   system
`binary: \??\D:\WINDOWS\System32\Drivers\klif.sys
*Klmc   Klmc   running   boot
`binary: \SystemRoot\System32\Drivers\klmc.sys
*Microsoft Kernel Wave Audio Mixer   kmixer   -   on demand
`binary: system32\drivers\kmixer.sys
*KSecDD   KSecDD   running   boot
`binary:
*lbrtfdc   lbrtfdc   -   system
`binary:
*mnmdd   mnmdd   running   system
`binary:
*Modem   Modem   running   on demand
`binary:
*Unimodem Streaming Filter Device   MODEMCSA   -   on demand
`binary: system32\drivers\MODEMCSA.sys
*Mouse Class Driver   Mouclass   running   system
`binary: System32\DRIVERS\mouclass.sys
*MountMgr   MountMgr   running   boot
`binary:
*mraid35x   mraid35x   -   disabled
`binary:
*WebDav Client Redirector   MRxDAV   running   on demand
`binary: System32\DRIVERS\mrxdav.sys
*MRxSmb   MRxSmb   running   system
`binary: System32\DRIVERS\mrxsmb.sys
*Msfs   Msfs   running   system
`binary:
*Microsoft Streaming Service Proxy   MSKSSRV   -   on demand
`binary: system32\drivers\MSKSSRV.sys
*Microsoft Streaming Clock Proxy   MSPCLOCK   -   on demand
`binary: system32\drivers\MSPCLOCK.sys
*Microsoft Streaming Quality Manager Proxy   MSPQM   -   on demand
`binary: system32\drivers\MSPQM.sys
*Mup   Mup   running   boot
`binary:
*NDIS System Driver   NDIS   running   boot
`binary:
*Remote Access NDIS TAPI Driver   NdisTapi   running   on demand
`binary: System32\DRIVERS\ndistapi.sys
*NDIS Usermode I/O Protocol   Ndisuio   running   on demand
`binary: System32\DRIVERS\ndisuio.sys
*Remote Access NDIS WAN Driver   NdisWan   running   on demand
`binary: System32\DRIVERS\ndiswan.sys
*NDIS Proxy   NDProxy   running   on demand
`binary:
*NetBIOS Interface   NetBIOS   running   system
`binary: System32\DRIVERS\netbios.sys
*NetBios over Tcpip   NetBT   running   system
`binary: System32\DRIVERS\netbt.sys
*Npfs   Npfs   running   system
`binary:
*Ntfs   Ntfs   running   disabled
`binary:
*Null   Null   running   system
`binary:
*nv   nv   running   on demand
`binary: System32\DRIVERS\nv4_mini.sys
*nv4   nv4   -   on demand
`binary: System32\DRIVERS\nv4.sys
*IPX Traffic Filter Driver   NwlnkFlt   -   on demand
`binary: System32\DRIVERS\nwlnkflt.sys
*IPX Traffic Forwarder Driver   NwlnkFwd   -   on demand
`binary: System32\DRIVERS\nwlnkfwd.sys
*Parallel port driver   Parport   running   on demand
`binary: System32\DRIVERS\parport.sys
*PartMgr   PartMgr   running   boot
`binary:
*ParVdm   ParVdm   running   auto
`binary:
*PCI Bus Driver   PCI   running   boot
`binary: \SystemRoot\System32\DRIVERS\pci.sys
*PCIDump   PCIDump   -   system
`binary:
*PCIIde   PCIIde   -   disabled
`binary:
*Pcmcia   Pcmcia   -   disabled
`binary:
*PDCOMP   PDCOMP   -   on demand
`binary:
*PDFRAME   PDFRAME   -   on demand
`binary:
*PDRELI   PDRELI   -   on demand
`binary:
*PDRFRAME   PDRFRAME   -   on demand
`binary:
*perc2   perc2   -   disabled
`binary:
*perc2hib   perc2hib   -   disabled
`binary:
*WAN Miniport (PPTP)   PptpMiniport   running   on demand
`binary: System32\DRIVERS\raspptp.sys
*Processor Driver   Processor   running   system
`binary: System32\DRIVERS\processr.sys
*QoS Packet Scheduler   PSched   running   on demand
`binary: System32\DRIVERS\psched.sys
*Direct Parallel Link Driver   Ptilink   running   on demand
`binary: System32\DRIVERS\ptilink.sys
*ql1080   ql1080   -   disabled
`binary:
*Ql10wnt   Ql10wnt   -   disabled
`binary:
*ql12160   ql12160   -   disabled
`binary:
*ql1240   ql1240   -   disabled
`binary:
*ql1280   ql1280   -   disabled
`binary:
*Remote Access Auto Connection Driver   RasAcd   running   system
`binary: System32\DRIVERS\rasacd.sys
*WAN Miniport (L2TP)   Rasl2tp   running   on demand
`binary: System32\DRIVERS\rasl2tp.sys
*Remote Access PPPOE Driver   RasPppoe   running   on demand
`binary: System32\DRIVERS\raspppoe.sys
*Direct Parallel   Raspti   running   on demand
`binary: System32\DRIVERS\raspti.sys
*Rdbss   Rdbss   running   system
`binary: System32\DRIVERS\rdbss.sys
*RDPCDD   RDPCDD   running   system
`binary: System32\DRIVERS\RDPCDD.sys
*RDPWD   RDPWD   -   on demand
`binary:
*Digital CD Audio Playback Filter Driver   redbook   running   system
`binary: System32\DRIVERS\redbook.sys
*Realtek RTL8139(A/B/C)-based PCI Fast Ethernet    rtl8139   running   on demand
`Adapter NT Driver
`binary: System32\DRIVERS\RTL8139.SYS
*Secdrv   Secdrv   -   on demand
`binary: System32\DRIVERS\secdrv.sys
*SAMSUNG YEPP   SECYPUSB   -   on demand
`binary: System32\Drivers\SECYEPPX.sys
*Serenum Filter Driver   serenum   running   on demand
`binary: System32\DRIVERS\serenum.sys
*Serial port driver   Serial   running   system
`binary: System32\DRIVERS\serial.sys
*Sfloppy   Sfloppy   -   system
`binary:
*Simbad   Simbad   -   disabled
`binary:
*Sparrow   Sparrow   -   disabled
`binary:
*Microsoft Kernel Audio Splitter   splitter   -   on demand
`binary: system32\drivers\splitter.sys
*System Restore Filter Driver   sr   running   boot
`binary: \SystemRoot\System32\DRIVERS\sr.sys
*Srv   Srv   running   on demand
`binary: System32\DRIVERS\srv.sys
*Software Bus Driver   swenum   running   on demand
`binary: System32\DRIVERS\swenum.sys
*Microsoft Kernel GS Wavetable Synthesizer   swmidi   -   on demand
`binary: system32\drivers\swmidi.sys
*symc810   symc810   -   disabled
`binary:
*symc8xx   symc8xx   -   disabled
`binary:
*sym_hi   sym_hi   -   disabled
`binary:
*sym_u3   sym_u3   -   disabled
`binary:
*Microsoft Kernel System Audio Device   sysaudio   running   on demand
`binary: system32\drivers\sysaudio.sys
*TCP/IP Protocol Driver   Tcpip   running   system
`binary: System32\DRIVERS\tcpip.sys
*TDPIPE   TDPIPE   -   on demand
`binary:
*TDTCP   TDTCP   -   on demand
`binary:
*Terminal Device Driver   TermDD   running   system
`binary: System32\DRIVERS\termdd.sys
*TosIde   TosIde   -   disabled
`binary:
*TSP   TSP   -   on demand
`binary: \??\D:\WINDOWS\system32\drivers\klif.sys
*Udfs   Udfs   -   disabled
`binary:
*ultra   ultra   -   disabled
`binary:
*Microcode Update Driver   Update   running   on demand
`binary: System32\DRIVERS\update.sys
*Microsoft USB Generic Parent Driver   usbccgp   running   on demand
`binary: System32\DRIVERS\usbccgp.sys
*USB2 Enabled Hub   usbhub   running   on demand
`binary: System32\DRIVERS\usbhub.sys
*Microsoft USB PRINTER Class   usbprint   running   on demand
`binary: System32\DRIVERS\usbprint.sys
*USB Scanner Driver   usbscan   running   on demand
`binary: System32\DRIVERS\usbscan.sys
*Motorola USB Modem Driver   usbser   -   on demand
`binary: System32\DRIVERS\usbser.sys
*USB Mass Storage Driver   USBSTOR   -   on demand
`binary: System32\DRIVERS\USBSTOR.SYS
*Microsoft USB Universal Host Controller Minipor   usbuhci   running   on demand
`t Driver
`binary: System32\DRIVERS\usbuhci.sys
*VgaSave   VgaSave   running   system
`binary: \SystemRoot\System32\drivers\vga.sys
*ViaIde   ViaIde   -   disabled
`binary:
*VolSnap   VolSnap   running   boot
`binary:
*Remote Access IP ARP Driver   Wanarp   running   on demand
`binary: System32\DRIVERS\wanarp.sys
*WAN Miniport (ATW)   wanatw   running   on demand
`binary: System32\DRIVERS\wanatw4.sys
*Windows CE USB Serial Host Driver   wceusbsh   -   on demand
`binary: System32\DRIVERS\wceusbsh.sys
*WDICA   WDICA   -   on demand
`binary:
*Microsoft WINMM WDM Audio Compatibility Driver   wdmaud   running   on demand
`binary: system32\drivers\wdmaud.sys
*MaxDrive XBox Driver (xbreader.sys)   xbreader   -   on demand
`binary: System32\Drivers\xbreader.sys
»Application specific

DLLCOMPARE

* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />"
________________________________________________

1,241 items found: 1,241 files, 0 directories.
Total of file sizes: 238,501,418 bytes 227.45 M

Administrator Account = True

--------------------End log---------------------

HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 5:17:30 PM, on 4/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Yahoo!\browser\ybrwicon.exe
D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
D:\PROGRA~1\Yahoo!\browser\ycommon.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
D:\Program Files\Registry Clean Expert\RCScheduler.exe
D:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Registry Clean Pro\Scheduler.exe
D:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\HPZipm12.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Eaze-E\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Eaze-E\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Eaze-E\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {75FA9147-0A9D-4C07-9AC6-FAC95CC5F32C} - D:\WINDOWS\System32\heho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - blank (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] D:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAV50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\Eaze-E\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "D:\Program Files\Registry Clean Expert\RCScheduler.exe" /startup
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = D:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = D:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {73EF0A5E-5EA3-406B-96A7-67FEDB5E7810} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {73EF0A5E-5EA3-406B-96A7-67FEDB5E7810} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A0934742-16C7-4504-892F-C7172A709EA4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A0934742-16C7-4504-892F-C7172A709EA4} - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O18 - Filter: text/html - {2CACA663-CEE4-4D80-B0AE-9218BA904D3C} - D:\WINDOWS\System32\heho.dll
O18 - Filter: text/plain - {2CACA663-CEE4-4D80-B0AE-9218BA904D3C} - D:\WINDOWS\System32\heho.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\system32\YPCSER~1.EXE

Let me know what else you need...

Thanks! Eric

guestolo · « **Reply #4 on:** April 06, 2005, 10:12:57 PM »

I asked you too set up Startdreck wrong, my fault, but let's try the following

Can you save Hijackthis too a permanent folder please
EG...//
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT
This is important because HijackThis makes backups to that same folder

You can redownload Hijackthis from my signature below
and save it to that new folder

==Download and Unzip to your desktop SpSeHjFix112.zip
from this link, ensure you download the correct version for your operating system

=====Download and Install this small program
to help clean your temp folders,cookies,prefetch folder, recylebin
Windows Cleanup
Install for now, don't run a scan yet

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Eaze-E\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Eaze-E\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {75FA9147-0A9D-4C07-9AC6-FAC95CC5F32C} - D:\WINDOWS\System32\heho.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - blank (file missing)

O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\Eaze-E\LOCALS~1\Temp\se.dll,DllInstall

O9 - Extra button: Microsoft AntiSpyware helper - {73EF0A5E-5EA3-406B-96A7-67FEDB5E7810} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {73EF0A5E-5EA3-406B-96A7-67FEDB5E7810} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A0934742-16C7-4504-892F-C7172A709EA4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A0934742-16C7-4504-892F-C7172A709EA4} - (no file) (HKCU)

O18 - Filter: text/html - {2CACA663-CEE4-4D80-B0AE-9218BA904D3C} - D:\WINDOWS\System32\heho.dll
O18 - Filter: text/plain - {2CACA663-CEE4-4D80-B0AE-9218BA904D3C} - D:\WINDOWS\System32\heho.dll

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't restart the computer or log off yet

==Double click to run SpSeHjFix112.exe>>ensure you unzipped this
Click the Start Disinfection
Let it scan>>It should Reboot your computer
Allow to restart back to Normal mode

Back in Windows>>Run another scan with Hijackthis and post the log
Also post the log from SpSeHjFix112.exe

Could you also run Startdreck in this manner and post the log
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post this log

Guest · « **Reply #5 on:** April 07, 2005, 07:20:42 PM »

HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 7:19:16 PM, on 4/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Yahoo!\browser\ybrwicon.exe
D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
D:\PROGRA~1\Yahoo!\browser\ycommon.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Registry Clean Expert\RCScheduler.exe
D:\Program Files\America Online 8.0\aoltray.exe
D:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\WINDOWS\System32\msiexec.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Eaze-E\Local Settings\Temporary Internet Files\Content.IE5\VISBFLS5\startdreck217[1]\StartDreck.exe
D:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] D:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAV50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "D:\Program Files\Registry Clean Expert\RCScheduler.exe" /startup
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = D:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\system32\YPCSER~1.EXE

SCANDRECK LOG

StartDreck (build 2.1.7 public stable) - 2005-04-07 @ 19:17:45 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as Eaze-E at HOME

»Registry
»Run Keys
»Current User
»Run
*MSMSGS="D:\Program Files\Messenger\msmsgs.exe" /background
*H/PC Connection Agent="D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
*RegClean Expert Scheduler="D:\Program Files\Registry Clean Expert\RCScheduler.exe" /startup
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*nwiz=nwiz.exe /install
*iTunesHelper=D:\Program Files\iTunes\iTunesHelper.exe
*QuickTime Task="D:\Program Files\QuickTime\qttask.exe" -atboottime
*YBrowser=D:\Program Files\Yahoo!\browser\ybrwicon.exe
*IPInSightLAN 02="D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
*IPInSightMonitor 02="D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
*Motive SmartBridge=D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
*HP Software Update="C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
*HP Component Manager="D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
*TkBellExe="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*KAV50="D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
*gcasServ="D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
*THGuard="C:\TrojanHunter 4.2\THGuard.exe"
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=d:\program files\google\googletoolbar1.dll
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+432=\SystemRoot\System32\smss.exe
+480=\??\D:\WINDOWS\system32\csrss.exe
+504=\??\D:\WINDOWS\system32\winlogon.exe
+548=D:\WINDOWS\system32\services.exe
+560=D:\WINDOWS\system32\lsass.exe
+724=D:\WINDOWS\system32\svchost.exe
+776=D:\WINDOWS\System32\svchost.exe
+892=D:\WINDOWS\System32\svchost.exe
+908=D:\WINDOWS\System32\svchost.exe
+1060=D:\WINDOWS\system32\spoolsv.exe
+1300=D:\WINDOWS\Explorer.EXE
+1396=D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
+1412=D:\WINDOWS\System32\nvsvc32.exe
+1484=D:\WINDOWS\System32\svchost.exe
+1544=D:\WINDOWS\wanmpsvc.exe
+1636=D:\WINDOWS\System32\MsPMSPSv.exe
+1212=D:\Program Files\iTunes\iTunesHelper.exe
+1220=D:\Program Files\QuickTime\qttask.exe
+1204=D:\Program Files\Yahoo!\browser\ybrwicon.exe
+1256=D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
+1272=D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
+1360=C:\Program Files\HP\HP Software Update\HPWuSchd.exe
+1476=D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
+1380=D:\Program Files\Common Files\Real\Update_OB\realsched.exe
+1572=D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
+1480=D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
+1516=<unkown>
+1836=D:\Program Files\Messenger\msmsgs.exe
+1848=D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
+1948=D:\PROGRA~1\Yahoo!\browser\ycommon.exe
+1964=D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
+764=D:\Program Files\iPod\bin\iPodService.exe
+772=D:\WINDOWS\System32\wuauclt.exe
+2216=D:\Program Files\Registry Clean Expert\RCScheduler.exe
+2256=D:\Program Files\America Online 8.0\aoltray.exe
+2516=D:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
+2728=D:\WINDOWS\System32\msiexec.exe
+3504=D:\Program Files\Internet Explorer\iexplore.exe
+2832=D:\Documents and Settings\Eaze-E\Local Settings\Temporary Internet Files\Content.IE5\VISBFLS5\startdreck217[1]\StartDreck.exe
»Application specific

Seems like everythings working...

guestolo · « **Reply #6 on:** April 08, 2005, 01:20:28 AM »

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

The next ones are not required on startup, you should fix them too

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [IPInSightLAN 02] "D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "D:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer and post back one more log

Guest_EWSchneider_* · « **Reply #7 on:** April 09, 2005, 03:31:18 PM »

Here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 3:23:48 PM, on 4/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Yahoo!\browser\ybrwicon.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\Yahoo!\browser\ycommon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
D:\Program Files\Registry Clean Expert\RCScheduler.exe
D:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\System32\msiexec.exe
D:\WINDOWS\System32\MsiExec.exe
D:\WINDOWS\System32\wuauclt.exe
C:\HJT\hijackthis.exe
C:\HJT\hijackthis.exe
C:\HJT\hijackthis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [YBrowser] D:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KAV50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "D:\Program Files\Registry Clean Expert\RCScheduler.exe" /startup
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = D:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - D:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - D:\WINDOWS\system32\YPCSER~1.EXE

Now there is another problem... something pops up with the titlebar reading "COPY" and it a million little windows come up saying "Internal Error 2908" followed by {JKHFD983928RFHDF} (i just made those bracketed numbers up). I can CNTRL+ALT+DEL and stop the program, but I can't remove it.

TheTechGuide Forum

News:

Author Topic: CoolWWWSearch.Leftovers (Read 1976 times)

Guest_Eric_*

CoolWWWSearch.Leftovers

EWSchneider

CoolWWWSearch.Leftovers

guestolo

CoolWWWSearch.Leftovers

EWSchneider

CoolWWWSearch.Leftovers

guestolo

CoolWWWSearch.Leftovers

Guest

CoolWWWSearch.Leftovers

guestolo

CoolWWWSearch.Leftovers

Guest_EWSchneider_*

CoolWWWSearch.Leftovers