Author Topic: HTS log - smart security  (Read 1534 times)

Offline shermansen

HTS log - smart security
« on: April 07, 2005, 08:27:11 PM »
I'm working on a friend's PC from church.  He has the "red-screen" desktop of death, i.e. the Smart Security hijacker.

Computer: Gateway 500L.

Just upgraded to SBC DSL  (1.8m speedtest).  Got infected with the smart security trojan.  Steps so far:

- Ran Norton's in normal mode
- Downloaded Windows Updates (security updates for SP1 & SP2...)
- Ran Norton's in safe mode
- Ran www.smartsecurity.info/removal.html once - didn't need regedits
- Ran Adaware twice, normal mode
- Ran Spybot twice, normal mode

Ran HJT - here is the log...  Any help is appreciated!!!  The guy's wife is ready to shoot me for "fussing with the computer..."...  THANKS!!!

Logfile of HijackThis v1.99.1
Scan saved at 8:14:21 PM, on 4/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\winsvc.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\System32\PD6000SM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\PROMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINNT\system32\open32.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINNT\system32\gah95on6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S1T0A2.EXE
C:\hjt\hijackthis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [EPSON Stylus CX3200 (Copy 1)] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3200 (Copy 1)" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINNT\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINNT\system32\gah95on6.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\system32\ap9h4qmo.exe
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: winupdate34123894[1].exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {DFFA083B-6AD6-4EA7-8A94-CDC0F4E7D854} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DFFA083B-6AD6-4EA7-8A94-CDC0F4E7D854} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O20 - AppInit_DLLs:  C:\WINNT\NMSOCKNT.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINNT\system32\winsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Offline guestolo

HTS log - smart security
« Reply #1 on: April 08, 2005, 08:02:21 PM »
This computer has a few problems, but you should be able to get it running clean again.
Do the following:
==Download and Install this small program
to help clean your temp folders, cookies and recycle bin
Windows Cleanup
Install for now, don't run a scan yet

==Download and UNZIP to desktop
HSFIX.zip
HSFix directory will be created>>Ensure you save this to your C:\drive
We'll need this later

==Download and save to desktop
DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As, save it to desktop

==Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

In safe mode
Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service name:
Windows update Service

Double click on it, STOP the service, and
in the drop down menu change the startup type to Disabled

Access your Add/Remove Programs and remove if found
Media Access

Stay in safe mode
Find and delete these files or folders if found and if you can
C:\WINNT\system32\gah95on6.exe <-file
C:\WINNT\system32\ap9h4qmo.exe <-file
C:\WINNT\system32\open32.exe <-file
C:\WINNT\system32\wldr.dll <-file
C:\WINNT\desktop.html <-file
C:\WINNT\Web\desktop.html <-file
C:\Documents and Settings\<Your User>\Start Menu\Programs\Startup\winupdate34123894[1].exe<-file

C:\Program Files\Media Access <-folder

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINNT\system32\gah95on6.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\system32\ap9h4qmo.exe

O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: winupdate34123894[1].exe

O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {DFFA083B-6AD6-4EA7-8A94-CDC0F4E7D854} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DFFA083B-6AD6-4EA7-8A94-CDC0F4E7D854} - (no file) (HKCU)

O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)

O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't restart the computer or log off yet

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

==Navigate to the HSFix directory>>Open the folder, ensure you unzipped this,
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt
Navigate to hslog.txt, right click on it and rename it to
hslog1.txt

Afterwards
Run HSFix.bat again

Restart back to Normal mode

Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked

Could you also go to this site please
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to this file on your hard disk
C:\WINNT\system32\winsvc.exe<--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results

Can you scan this file too
C:\WINNT\NMSOCKNT.DLL

could you then do an Online Virus scan at Panda's
You may want to disable Norton's Auto Protect while running the scan
When it's done save the Incident Report
http://www.pandasoftware.com/products/acti...n_principal.htm

Restart your computer after running the Online virus scan

Come back here and post a fresh Hijackthis log
The 2 logs by HSFix.bat
C:\hslog.txt and C:\hslog1.txt
Also post back the report by Panda's
« Last Edit: April 08, 2005, 08:04:27 PM by guestolo »
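
A triage script, added here as an example (not part of the thread, of HijackThis, or of the tools guestolo names), that encodes the review rules applied above so they can be run over a log instead of checked by eye: entries whose CLSID points at "(no file)", any Trusted Zone or Trusted IP range addition, O4 autoruns with random-looking names or rundll32 loading a bare DLL, Startup-folder files still carrying Internet Explorer's "[1]" download-cache suffix, and "Unknown owner" services that present themselves as Windows Update. The sample log lines are constructed from the two logs in this thread; the name patterns and rules are this example's own heuristics tuned to those logs, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines in the shape of the two HijackThis logs in the thread.
SAMPLE_LOG = r"""
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [gah95on6] C:\WINNT\system32\gah95on6.exe
O4 - HKLM\..\Run: [Tec] C:\WINNT\system32\Kon.exe
O4 - Startup: winupdate34123894[1].exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINNT\system32\winsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
# Heuristic name shapes taken from the thread's logs: 8 mixed letters/digits
# (gah95on6, ap9h4qmo) and the later flood of capitalised 3-letter names (Kon.exe, Tec).
RANDOM_STEM = re.compile(r"^(?:(?=.*\d)(?=.*[a-z])[a-z0-9]{8}|[A-Z][a-z]{2})$")
# IE saves downloads that collide in its cache as name[1].exe; a Startup entry
# with that suffix was dropped there straight from a download.
IE_DOWNLOAD_SUFFIX = re.compile(r"\[\d+\]\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_o4(body: str):
    """Split an O4 body into (registry value name or None, launched command)."""
    _location, _, rest = body.partition(": ")
    key = None
    if rest.startswith("["):
        key, _, rest = rest[1:].partition("] ")
    if " = " in rest:  # "Global Startup: name.lnk = target"
        rest = rest.split(" = ", 1)[1]
    return key, rest.strip()


def exe_stem(command: str) -> str:
    """File name, without directory or extension, of the first binary in a command."""
    m = re.match(r'"?(.*?\.(?:exe|dll|bat|scr))', command, re.IGNORECASE)
    path = m.group(1) if m else command
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def check_o4(body: str):
    """Return a reason string if an O4 autorun entry looks worth removing, else None."""
    key, command = parse_o4(body)
    stem = exe_stem(command)
    if RANDOM_STEM.match(stem) or (key and RANDOM_STEM.match(key)):
        return "random-looking autorun name"
    if IE_DOWNLOAD_SUFFIX.search(command):
        return "Startup file keeps IE download-cache [n] suffix"
    if re.match(r"rundll32(\.exe)?\s+[^\\\s]+\.dll", command, re.IGNORECASE):
        return "rundll32 loads a DLL by bare name"
    return None


def check_o23(body: str):
    """Flag a service with no vendor in its version info that calls itself an updater."""
    if "Unknown owner" in body and "update" in body.lower():
        return "unknown-owner service presenting itself as Windows Update"
    return None


def triage(log_text: str):
    """Run every rule over a HijackThis log and return the flagged entries in order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if "(no file)" in body:
            reason = "CLSID points at a file that no longer exists"
        elif sec == "O15":
            reason = "Trusted Zone / IP range added (none expected on a stock install)"
        elif sec == "O4":
            reason = check_o4(body)
        elif sec == "O23":
            reason = check_o23(body)
        if reason:
            findings.append(Finding(sec, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}: {f.line}")
```

The O15 rule corresponds to the DelDomains.inf step in the reply; the other rules cover the O4, O18, O2 and O23 entries it singles out.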


Offline shermansen

HTS log - smart security
« Reply #2 on: April 09, 2005, 04:04:08 PM »
guestolo - thanks.  Here are the logs as requested.  The desktop still appears to have been hijacked with the graphic.  Thanks for the help - this guy's wife is ready to shoot him for infecting her work PC...

HSFIX logs:

File:  winsvc.exe  
Status:  POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)  
Packers detected:  -
Scanner results  
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found probably unknown NewHeur_PE (probable variant)  
Norman Virus Control  Found nothing
VBA32  Found Unknown.Win32Virus (probable variant)  

File:  NMSockNT.dll  
Status:  OK  
Packers detected:  -
Scanner results  
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing


HJT - log one:
Logfile of HijackThis v1.99.1
Scan saved at 2:10:54 PM, on 4/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\hjt\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.gateway.net
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [EPSON Stylus CX3200 (Copy 1)] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3200 (Copy 1)" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINNT\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Tec] C:\WINNT\system32\Kon.exe
O4 - HKLM\..\Run: [Sah] C:\WINNT\Orp.exe
O4 - HKLM\..\Run: [Ffh] C:\WINNT\system32\Tmo.exe
O4 - HKLM\..\Run: [Dmq] C:\WINNT\system32\Auh.exe
O4 - HKLM\..\Run: [Cdq] C:\WINNT\system32\Pge.exe
O4 - HKLM\..\Run: [Bis] C:\WINNT\Akf.exe
O4 - HKLM\..\Run: [Pkb] C:\WINNT\system32\Fhh.exe
O4 - HKLM\..\Run: [Oct] C:\WINNT\system32\Bua.exe
O4 - HKLM\..\Run: [Rju] C:\WINNT\system32\Tpn.exe
O4 - HKLM\..\Run: [Ecg] C:\WINNT\Ads.exe
O4 - HKLM\..\Run: [Veh] C:\WINNT\system32\Uie.exe
O4 - HKLM\..\Run: [Uum] C:\WINNT\system32\Sbo.exe
O4 - HKLM\..\Run: [Pcu] C:\WINNT\Mbp.exe
O4 - HKLM\..\Run: [Unr] C:\WINNT\Maj.exe
O4 - HKLM\..\Run: [Jaf] C:\WINNT\system32\Qah.exe
O4 - HKLM\..\Run: [Ctu] C:\WINNT\Iga.exe
O4 - HKLM\..\Run: [Poq] C:\WINNT\system32\Mri.exe
O4 - HKLM\..\Run: [Akt] C:\WINNT\system32\Hrl.exe
O4 - HKLM\..\Run: [Smo] C:\WINNT\system32\Rjf.exe
O4 - HKLM\..\Run: [Rfj] C:\WINNT\Hqa.exe
O4 - HKLM\..\Run: [Vrv] C:\WINNT\system32\Tdp.exe
O4 - HKLM\..\Run: [Vlr] C:\WINNT\Hvq.exe
O4 - HKLM\..\Run: [Ofi] C:\WINNT\Bjk.exe
O4 - HKLM\..\Run: [Lcu] C:\WINNT\Tlj.exe
O4 - HKLM\..\Run: [Itb] C:\WINNT\system32\Lmd.exe
O4 - HKLM\..\Run: [Ifj] C:\WINNT\system32\Esu.exe
O4 - HKLM\..\Run: [Srk] C:\WINNT\Qsv.exe
O4 - HKLM\..\Run: [Ioa] C:\WINNT\Cpc.exe
O4 - HKLM\..\Run: [Aud] C:\WINNT\Lfc.exe
O4 - HKLM\..\Run: [Kvq] C:\WINNT\system32\Qro.exe
O4 - HKLM\..\Run: [Jqf] C:\WINNT\Oqm.exe
O4 - HKLM\..\Run: [Ldp] C:\WINNT\Mcf.exe
O4 - HKLM\..\Run: [Qcs] C:\WINNT\Brd.exe
O4 - HKLM\..\Run: [Dlg] C:\WINNT\system32\Ihq.exe
O4 - HKLM\..\Run: [Qav] C:\WINNT\system32\Gel.exe
O4 - HKLM\..\Run: [Nmv] C:\WINNT\system32\Ssv.exe
O4 - HKLM\..\Run: [Bkt] C:\WINNT\system32\Bgg.exe
O4 - HKLM\..\Run: [Fjg] C:\WINNT\system32\Mke.exe
O4 - HKLM\..\Run: [Iot] C:\WINNT\Qet.exe
O4 - HKLM\..\Run: [Vtp] C:\WINNT\Hve.exe
O4 - HKLM\..\Run: [Bak] C:\WINNT\Jin.exe
O4 - HKLM\..\Run: [Tsl] C:\WINNT\system32\Bug.exe
O4 - HKLM\..\Run: [Uve] C:\WINNT\Goj.exe
O4 - HKLM\..\Run: [Evk] C:\WINNT\Nci.exe
O4 - HKLM\..\Run: [Egv] C:\WINNT\system32\Beu.exe
O4 - HKLM\..\Run: [Dqo] C:\WINNT\Ppm.exe
O4 - HKLM\..\Run: [Aog] C:\WINNT\Lvv.exe
O4 - HKLM\..\Run: [Dld] C:\WINNT\Gsn.exe
O4 - HKLM\..\Run: [Bik] C:\WINNT\Nfe.exe
O4 - HKLM\..\Run: [Sbr] C:\WINNT\system32\Mlk.exe
O4 - HKLM\..\Run: [Shs] C:\WINNT\system32\Nfv.exe
O4 - HKLM\..\Run: [Jir] C:\WINNT\system32\Vua.exe
O4 - HKLM\..\Run: [Stf] C:\WINNT\system32\Ouh.exe
O4 - HKLM\..\Run: [Psf] C:\WINNT\Lkj.exe
O4 - HKLM\..\Run: [Qtn] C:\WINNT\system32\Tpe.exe
O4 - HKLM\..\Run: [Rtd] C:\WINNT\system32\Mjm.exe
O4 - HKLM\..\Run: [Vkq] C:\WINNT\Qql.exe
O4 - HKLM\..\Run: [Mot] C:\WINNT\Csi.exe
O4 - HKLM\..\Run: [Ccd] C:\WINNT\Gkp.exe
O4 - HKLM\..\Run: [Cub] C:\WINNT\system32\Aqr.exe
O4 - HKLM\..\Run: [Ocg] C:\WINNT\Snv.exe
O4 - HKLM\..\Run: [Ihm] C:\WINNT\system32\Bjd.exe
O4 - HKLM\..\Run: [Lop] C:\WINNT\Eno.exe
O4 - HKLM\..\Run: [Gtv] C:\WINNT\Ado.exe
O4 - HKLM\..\Run: [Ijg] C:\WINNT\Uno.exe
O4 - HKLM\..\Run: [Fpm] C:\WINNT\Kjb.exe
O4 - HKLM\..\Run: [Vab] C:\WINNT\system32\Pgb.exe
O4 - HKLM\..\Run: [Nrp] C:\WINNT\system32\Pbe.exe
O4 - HKLM\..\Run: [Bec] C:\WINNT\Bau.exe
O4 - HKLM\..\Run: [Tpv] C:\WINNT\Scn.exe
O4 - HKLM\..\Run: [Vte] C:\WINNT\Cha.exe
O4 - HKLM\..\Run: [Qvp] C:\WINNT\Mmv.exe
O4 - HKLM\..\Run: [Msj] C:\WINNT\system32\Jcv.exe
O4 - HKLM\..\Run: [Cea] C:\WINNT\Adp.exe
O4 - HKLM\..\Run: [Pog] C:\WINNT\Cbl.exe
O4 - HKLM\..\Run: [Mgc] C:\WINNT\Uoi.exe
O4 - HKLM\..\Run: [Ell] C:\WINNT\system32\Adp.exe
O4 - HKLM\..\Run: [Sgt] C:\WINNT\Nju.exe
O4 - HKLM\..\Run: [Jme] C:\WINNT\Ubf.exe
O4 - HKLM\..\Run: [Gpc] C:\WINNT\Tts.exe
O4 - HKLM\..\Run: [Bgd] C:\WINNT\Inf.exe
O4 - HKLM\..\Run: [Fpq] C:\WINNT\system32\Ppq.exe
O4 - HKLM\..\Run: [Fvb] C:\WINNT\Rfs.exe
O4 - HKLM\..\Run: [Nhd] C:\WINNT\system32\Dan.exe
O4 - HKLM\..\Run: [Jsa] C:\WINNT\Qmt.exe
O4 - HKLM\..\Run: [Ula] C:\WINNT\Lku.exe
O4 - HKLM\..\Run: [Ail] C:\WINNT\Ikr.exe
O4 - HKLM\..\Run: [Tss] C:\WINNT\system32\Ced.exe
O4 - HKLM\..\Run: [Qns] C:\WINNT\Dkc.exe
O4 - HKLM\..\Run: [Etc] C:\WINNT\Lpj.exe
O4 - HKLM\..\Run: [Afe] C:\WINNT\system32\Mcb.exe
O4 - HKLM\..\Run: [Dcp] C:\WINNT\Uiq.exe
O4 - HKLM\..\Run: [Igl] C:\WINNT\Kbs.exe
O4 - HKLM\..\Run: [Tnr] C:\WINNT\system32\Gog.exe
O4 - HKLM\..\Run: [Jgt] C:\WINNT\system32\Bip.exe
O4 - HKLM\..\Run: [Bjf] C:\WINNT\Acf.exe
O4 - HKLM\..\Run: [Jge] C:\WINNT\Jlr.exe
O4 - HKLM\..\Run: [Flg] C:\WINNT\system32\Gor.exe
O4 - HKLM\..\Run: [Tfc] C:\WINNT\system32\Hej.exe
O4 - HKLM\..\Run: [Oiu] C:\WINNT\system32\Opn.exe
O4 - HKLM\..\Run: [Lnp] C:\WINNT\system32\Klo.exe
O4 - HKLM\..\Run: [Qli] C:\WINNT\system32\Qnu.exe
O4 - HKLM\..\Run: [Iov] C:\WINNT\Ele.exe
O4 - HKLM\..\Run: [Qlu] C:\WINNT\Abm.exe
O4 - HKLM\..\Run: [Gak] C:\WINNT\Bot.exe
O4 - HKLM\..\Run: [Edh] C:\WINNT\Hfg.exe
O4 - HKLM\..\Run: [Kjq] C:\WINNT\Sdb.exe
O4 - HKLM\..\Run: [Oan] C:\WINNT\system32\Afs.exe
O4 - HKLM\..\Run: [Srp] C:\WINNT\system32\Fhk.exe
O4 - HKLM\..\Run: [Bdu] C:\WINNT\Plt.exe
O4 - HKLM\..\Run: [Icj] C:\WINNT\system32\Dnn.exe
O4 - HKLM\..\Run: [Hfu] C:\WINNT\system32\Nth.exe
O4 - HKLM\..\Run: [Pmh] C:\WINNT\system32\Pmn.exe
O4 - HKLM\..\Run: [Ugl] C:\WINNT\Gbc.exe
O4 - HKLM\..\Run: [Lgk] C:\WINNT\Lnq.exe
O4 - HKLM\..\Run: [Rud] C:\WINNT\system32\Sfc.exe
O4 - HKLM\..\Run: [Vjd] C:\WINNT\system32\Hsa.exe
O4 - HKLM\..\Run: [Snv] C:\WINNT\system32\Nra.exe
O4 - HKLM\..\Run: [Jsq] C:\WINNT\Gjf.exe
O4 - HKLM\..\Run: [Rru] C:\WINNT\system32\Ads.exe
O4 - HKLM\..\Run: [Cno] C:\WINNT\system32\Mdn.exe
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O20 - AppInit_DLLs:  C:\WINNT\NMSOCKNT.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe



HJT - log after steps above:
Logfile of HijackThis v1.99.1
Scan saved at 3:54:19 PM, on 4/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\System32\PD6000SM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\PROMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINNT\Ppm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\wscntfy.exe
C:\hjt\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [EPSON Stylus CX3200 (Copy 1)] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3200 (Copy 1)" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINNT\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Tec] C:\WINNT\system32\Kon.exe
O4 - HKLM\..\Run: [Sah] C:\WINNT\Orp.exe
O4 - HKLM\..\Run: [Ffh] C:\WINNT\system32\Tmo.exe
O4 - HKLM\..\Run: [Dmq] C:\WINNT\system32\Auh.exe
O4 - HKLM\..\Run: [Cdq] C:\WINNT\system32\Pge.exe
O4 - HKLM\..\Run: [Bis] C:\WINNT\Akf.exe
O4 - HKLM\..\Run: [Pkb] C:\WINNT\system32\Fhh.exe
O4 - HKLM\..\Run: [Oct] C:\WINNT\system32\Bua.exe
O4 - HKLM\..\Run: [Rju] C:\WINNT\system32\Tpn.exe
O4 - HKLM\..\Run: [Ecg] C:\WINNT\Ads.exe
O4 - HKLM\..\Run: [Veh] C:\WINNT\system32\Uie.exe
O4 - HKLM\..\Run: [Uum] C:\WINNT\system32\Sbo.exe
O4 - HKLM\..\Run: [Pcu] C:\WINNT\Mbp.exe
O4 - HKLM\..\Run: [Unr] C:\WINNT\Maj.exe
O4 - HKLM\..\Run: [Jaf] C:\WINNT\system32\Qah.exe
O4 - HKLM\..\Run: [Ctu] C:\WINNT\Iga.exe
O4 - HKLM\..\Run: [Poq] C:\WINNT\system32\Mri.exe
O4 - HKLM\..\Run: [Akt] C:\WINNT\system32\Hrl.exe
O4 - HKLM\..\Run: [Smo] C:\WINNT\system32\Rjf.exe
O4 - HKLM\..\Run: [Rfj] C:\WINNT\Hqa.exe
O4 - HKLM\..\Run: [Vrv] C:\WINNT\system32\Tdp.exe
O4 - HKLM\..\Run: [Vlr] C:\WINNT\Hvq.exe
O4 - HKLM\..\Run: [Ofi] C:\WINNT\Bjk.exe
O4 - HKLM\..\Run: [Lcu] C:\WINNT\Tlj.exe
O4 - HKLM\..\Run: [Itb] C:\WINNT\system32\Lmd.exe
O4 - HKLM\..\Run: [Ifj] C:\WINNT\system32\Esu.exe
O4 - HKLM\..\Run: [Srk] C:\WINNT\Qsv.exe
O4 - HKLM\..\Run: [Ioa] C:\WINNT\Cpc.exe
O4 - HKLM\..\Run: [Aud] C:\WINNT\Lfc.exe
O4 - HKLM\..\Run: [Kvq] C:\WINNT\system32\Qro.exe
O4 - HKLM\..\Run: [Jqf] C:\WINNT\Oqm.exe
O4 - HKLM\..\Run: [Ldp] C:\WINNT\Mcf.exe
O4 - HKLM\..\Run: [Qcs] C:\WINNT\Brd.exe
O4 - HKLM\..\Run: [Dlg] C:\WINNT\system32\Ihq.exe
O4 - HKLM\..\Run: [Qav] C:\WINNT\system32\Gel.exe
O4 - HKLM\..\Run: [Nmv] C:\WINNT\system32\Ssv.exe
O4 - HKLM\..\Run: [Bkt] C:\WINNT\system32\Bgg.exe
O4 - HKLM\..\Run: [Fjg] C:\WINNT\system32\Mke.exe
O4 - HKLM\..\Run: [Iot] C:\WINNT\Qet.exe
O4 - HKLM\..\Run: [Vtp] C:\WINNT\Hve.exe
O4 - HKLM\..\Run: [Bak] C:\WINNT\Jin.exe
O4 - HKLM\..\Run: [Tsl] C:\WINNT\system32\Bug.exe
O4 - HKLM\..\Run: [Uve] C:\WINNT\Goj.exe
O4 - HKLM\..\Run: [Evk] C:\WINNT\Nci.exe
O4 - HKLM\..\Run: [Egv] C:\WINNT\system32\Beu.exe
O4 - HKLM\..\Run: [Dqo] C:\WINNT\Ppm.exe
O4 - HKLM\..\Run: [Aog] C:\WINNT\Lvv.exe
O4 - HKLM\..\Run: [Dld] C:\WINNT\Gsn.exe
O4 - HKLM\..\Run: [Bik] C:\WINNT\Nfe.exe
O4 - HKLM\..\Run: [Sbr] C:\WINNT\system32\Mlk.exe
O4 - HKLM\..\Run: [Shs] C:\WINNT\system32\Nfv.exe
O4 - HKLM\..\Run: [Jir] C:\WINNT\system32\Vua.exe
O4 - HKLM\..\Run: [Stf] C:\WINNT\system32\Ouh.exe
O4 - HKLM\..\Run: [Psf] C:\WINNT\Lkj.exe
O4 - HKLM\..\Run: [Qtn] C:\WINNT\system32\Tpe.exe
O4 - HKLM\..\Run: [Rtd] C:\WINNT\system32\Mjm.exe
O4 - HKLM\..\Run: [Vkq] C:\WINNT\Qql.exe
O4 - HKLM\..\Run: [Mot] C:\WINNT\Csi.exe
O4 - HKLM\..\Run: [Ccd] C:\WINNT\Gkp.exe
O4 - HKLM\..\Run: [Cub] C:\WINNT\system32\Aqr.exe
O4 - HKLM\..\Run: [Ocg] C:\WINNT\Snv.exe
O4 - HKLM\..\Run: [Ihm] C:\WINNT\system32\Bjd.exe
O4 - HKLM\..\Run: [Lop] C:\WINNT\Eno.exe
O4 - HKLM\..\Run: [Gtv] C:\WINNT\Ado.exe
O4 - HKLM\..\Run: [Ijg] C:\WINNT\Uno.exe
O4 - HKLM\..\Run: [Fpm] C:\WINNT\Kjb.exe
O4 - HKLM\..\Run: [Vab] C:\WINNT\system32\Pgb.exe
O4 - HKLM\..\Run: [Nrp] C:\WINNT\system32\Pbe.exe
O4 - HKLM\..\Run: [Bec] C:\WINNT\Bau.exe
O4 - HKLM\..\Run: [Tpv] C:\WINNT\Scn.exe
O4 - HKLM\..\Run: [Vte] C:\WINNT\Cha.exe
O4 - HKLM\..\Run: [Qvp] C:\WINNT\Mmv.exe
O4 - HKLM\..\Run: [Msj] C:\WINNT\system32\Jcv.exe
O4 - HKLM\..\Run: [Cea] C:\WINNT\Adp.exe
O4 - HKLM\..\Run: [Pog] C:\WINNT\Cbl.exe
O4 - HKLM\..\Run: [Mgc] C:\WINNT\Uoi.exe
O4 - HKLM\..\Run: [Ell] C:\WINNT\system32\Adp.exe
O4 - HKLM\..\Run: [Sgt] C:\WINNT\Nju.exe
O4 - HKLM\..\Run: [Jme] C:\WINNT\Ubf.exe
O4 - HKLM\..\Run: [Gpc] C:\WINNT\Tts.exe
O4 - HKLM\..\Run: [Bgd] C:\WINNT\Inf.exe
O4 - HKLM\..\Run: [Fpq] C:\WINNT\system32\Ppq.exe
O4 - HKLM\..\Run: [Fvb] C:\WINNT\Rfs.exe
O4 - HKLM\..\Run: [Nhd] C:\WINNT\system32\Dan.exe
O4 - HKLM\..\Run: [Jsa] C:\WINNT\Qmt.exe
O4 - HKLM\..\Run: [Ula] C:\WINNT\Lku.exe
O4 - HKLM\..\Run: [Ail] C:\WINNT\Ikr.exe
O4 - HKLM\..\Run: [Tss] C:\WINNT\system32\Ced.exe
O4 - HKLM\..\Run: [Qns] C:\WINNT\Dkc.exe
O4 - HKLM\..\Run: [Etc] C:\WINNT\Lpj.exe
O4 - HKLM\..\Run: [Afe] C:\WINNT\system32\Mcb.exe
O4 - HKLM\..\Run: [Dcp] C:\WINNT\Uiq.exe
O4 - HKLM\..\Run: [Igl] C:\WINNT\Kbs.exe
O4 - HKLM\..\Run: [Tnr] C:\WINNT\system32\Gog.exe
O4 - HKLM\..\Run: [Jgt] C:\WINNT\system32\Bip.exe
O4 - HKLM\..\Run: [Bjf] C:\WINNT\Acf.exe
O4 - HKLM\..\Run: [Jge] C:\WINNT\Jlr.exe
O4 - HKLM\..\Run: [Flg] C:\WINNT\system32\Gor.exe
O4 - HKLM\..\Run: [Tfc] C:\WINNT\system32\Hej.exe
O4 - HKLM\..\Run: [Oiu] C:\WINNT\system32\Opn.exe
O4 - HKLM\..\Run: [Lnp] C:\WINNT\system32\Klo.exe
O4 - HKLM\..\Run: [Qli] C:\WINNT\system32\Qnu.exe
O4 - HKLM\..\Run: [Iov] C:\WINNT\Ele.exe
O4 - HKLM\..\Run: [Qlu] C:\WINNT\Abm.exe
O4 - HKLM\..\Run: [Gak] C:\WINNT\Bot.exe
O4 - HKLM\..\Run: [Edh] C:\WINNT\Hfg.exe
O4 - HKLM\..\Run: [Kjq] C:\WINNT\Sdb.exe
O4 - HKLM\..\Run: [Oan] C:\WINNT\system32\Afs.exe
O4 - HKLM\..\Run: [Srp] C:\WINNT\system32\Fhk.exe
O4 - HKLM\..\Run: [Bdu] C:\WINNT\Plt.exe
O4 - HKLM\..\Run: [Icj] C:\WINNT\system32\Dnn.exe
O4 - HKLM\..\Run: [Hfu] C:\WINNT\system32\Nth.exe
O4 - HKLM\..\Run: [Pmh] C:\WINNT\system32\Pmn.exe
O4 - HKLM\..\Run: [Ugl] C:\WINNT\Gbc.exe
O4 - HKLM\..\Run: [Lgk] C:\WINNT\Lnq.exe
O4 - HKLM\..\Run: [Rud] C:\WINNT\system32\Sfc.exe
O4 - HKLM\..\Run: [Vjd] C:\WINNT\system32\Hsa.exe
O4 - HKLM\..\Run: [Snv] C:\WINNT\system32\Nra.exe
O4 - HKLM\..\Run: [Jsq] C:\WINNT\Gjf.exe
O4 - HKLM\..\Run: [Rru] C:\WINNT\system32\Ads.exe
O4 - HKLM\..\Run: [Cno] C:\WINNT\system32\Mdn.exe
O4 - HKLM\..\Run: [Hcl] C:\WINNT\system32\Abo.exe
O4 - HKLM\..\Run: [Rra] C:\WINNT\system32\Ikm.exe
O4 - HKLM\..\Run: [Ejn] C:\WINNT\system32\Oui.exe
O4 - HKLM\..\Run: [Odo] C:\WINNT\system32\Hgd.exe
O4 - HKLM\..\Run: [Bni] C:\WINNT\system32\Hgf.exe
O4 - HKLM\..\Run: [Ntv] C:\WINNT\system32\Pgn.exe
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tec] C:\WINNT\system32\Kon.exe
O4 - HKCU\..\Run: [Sah] C:\WINNT\Orp.exe
O4 - HKCU\..\Run: [Ffh] C:\WINNT\system32\Tmo.exe
O4 - HKCU\..\Run: [Dmq] C:\WINNT\system32\Auh.exe
O4 - HKCU\..\Run: [Cdq] C:\WINNT\system32\Pge.exe
O4 - HKCU\..\Run: [Bis] C:\WINNT\Akf.exe
O4 - HKCU\..\Run: [Pkb] C:\WINNT\system32\Fhh.exe
O4 - HKCU\..\Run: [Oct] C:\WINNT\system32\Bua.exe
O4 - HKCU\..\Run: [Rju] C:\WINNT\system32\Tpn.exe
O4 - HKCU\..\Run: [Ecg] C:\WINNT\Ads.exe
O4 - HKCU\..\Run: [Veh] C:\WINNT\system32\Uie.exe
O4 - HKCU\..\Run: [Uum] C:\WINNT\system32\Sbo.exe
O4 - HKCU\..\Run: [Pcu] C:\WINNT\Mbp.exe
O4 - HKCU\..\Run: [Unr] C:\WINNT\Maj.exe
O4 - HKCU\..\Run: [Jaf] C:\WINNT\system32\Qah.exe
O4 - HKCU\..\Run: [Ctu] C:\WINNT\Iga.exe
O4 - HKCU\..\Run: [Poq] C:\WINNT\system32\Mri.exe
O4 - HKCU\..\Run: [Akt] C:\WINNT\system32\Hrl.exe
O4 - HKCU\..\Run: [Smo] C:\WINNT\system32\Rjf.exe
O4 - HKCU\..\Run: [Rfj] C:\WINNT\Hqa.exe
O4 - HKCU\..\Run: [Vrv] C:\WINNT\system32\Tdp.exe
O4 - HKCU\..\Run: [Vlr] C:\WINNT\Hvq.exe
O4 - HKCU\..\Run: [Ofi] C:\WINNT\Bjk.exe
O4 - HKCU\..\Run: [Lcu] C:\WINNT\Tlj.exe
O4 - HKCU\..\Run: [Itb] C:\WINNT\system32\Lmd.exe
O4 - HKCU\..\Run: [Ifj] C:\WINNT\system32\Esu.exe
O4 - HKCU\..\Run: [Srk] C:\WINNT\Qsv.exe
O4 - HKCU\..\Run: [Ioa] C:\WINNT\Cpc.exe
O4 - HKCU\..\Run: [Aud] C:\WINNT\Lfc.exe
O4 - HKCU\..\Run: [Kvq] C:\WINNT\system32\Qro.exe
O4 - HKCU\..\Run: [Jqf] C:\WINNT\Oqm.exe
O4 - HKCU\..\Run: [Ldp] C:\WINNT\Mcf.exe
O4 - HKCU\..\Run: [Qcs] C:\WINNT\Brd.exe
O4 - HKCU\..\Run: [Dlg] C:\WINNT\system32\Ihq.exe
O4 - HKCU\..\Run: [Qav] C:\WINNT\system32\Gel.exe
O4 - HKCU\..\Run: [Nmv] C:\WINNT\system32\Ssv.exe
O4 - HKCU\..\Run: [Bkt] C:\WINNT\system32\Bgg.exe
O4 - HKCU\..\Run: [Fjg] C:\WINNT\system32\Mke.exe
O4 - HKCU\..\Run: [Iot] C:\WINNT\Qet.exe
O4 - HKCU\..\Run: [Vtp] C:\WINNT\Hve.exe
O4 - HKCU\..\Run: [Bak] C:\WINNT\Jin.exe
O4 - HKCU\..\Run: [Tsl] C:\WINNT\system32\Bug.exe
O4 - HKCU\..\Run: [Uve] C:\WINNT\Goj.exe
O4 - HKCU\..\Run: [Evk] C:\WINNT\Nci.exe
O4 - HKCU\..\Run: [Egv] C:\WINNT\system32\Beu.exe
O4 - HKCU\..\Run: [Dqo] C:\WINNT\Ppm.exe
O4 - HKCU\..\Run: [Aog] C:\WINNT\Lvv.exe
O4 - HKCU\..\Run: [Dld] C:\WINNT\Gsn.exe
O4 - HKCU\..\Run: [Bik] C:\WINNT\Nfe.exe
O4 - HKCU\..\Run: [Sbr] C:\WINNT\system32\Mlk.exe
O4 - HKCU\..\Run: [Shs] C:\WINNT\system32\Nfv.exe
O4 - HKCU\..\Run: [Jir] C:\WINNT\system32\Vua.exe
O4 - HKCU\..\Run: [Stf] C:\WINNT\system32\Ouh.exe
O4 - HKCU\..\Run: [Psf] C:\WINNT\Lkj.exe
O4 - HKCU\..\Run: [Qtn] C:\WINNT\system32\Tpe.exe
O4 - HKCU\..\Run: [Rtd] C:\WINNT\system32\Mjm.exe
O4 - HKCU\..\Run: [Vkq] C:\WINNT\Qql.exe
O4 - HKCU\..\Run: [Mot] C:\WINNT\Csi.exe
O4 - HKCU\..\Run: [Ccd] C:\WINNT\Gkp.exe
O4 - HKCU\..\Run: [Cub] C:\WINNT\system32\Aqr.exe
O4 - HKCU\..\Run: [Ocg] C:\WINNT\Snv.exe
O4 - HKCU\..\Run: [Ihm] C:\WINNT\system32\Bjd.exe
O4 - HKCU\..\Run: [Lop] C:\WINNT\Eno.exe
O4 - HKCU\..\Run: [Gtv] C:\WINNT\Ado.exe
O4 - HKCU\..\Run: [Ijg] C:\WINNT\Uno.exe
O4 - HKCU\..\Run: [Fpm] C:\WINNT\Kjb.exe
O4 - HKCU\..\Run: [Vab] C:\WINNT\system32\Pgb.exe
O4 - HKCU\..\Run: [Nrp] C:\WINNT\system32\Pbe.exe
O4 - HKCU\..\Run: [Bec] C:\WINNT\Bau.exe
O4 - HKCU\..\Run: [Tpv] C:\WINNT\Scn.exe
O4 - HKCU\..\Run: [Vte] C:\WINNT\Cha.exe
O4 - HKCU\..\Run: [Qvp] C:\WINNT\Mmv.exe
O4 - HKCU\..\Run: [Msj] C:\WINNT\system32\Jcv.exe
O4 - HKCU\..\Run: [Cea] C:\WINNT\Adp.exe
O4 - HKCU\..\Run: [Pog] C:\WINNT\Cbl.exe
O4 - HKCU\..\Run: [Mgc] C:\WINNT\Uoi.exe
O4 - HKCU\..\Run: [Ell] C:\WINNT\system32\Adp.exe
O4 - HKCU\..\Run: [Sgt] C:\WINNT\Nju.exe
O4 - HKCU\..\Run: [Jme] C:\WINNT\Ubf.exe
O4 - HKCU\..\Run: [Gpc] C:\WINNT\Tts.exe
O4 - HKCU\..\Run: [Bgd] C:\WINNT\Inf.exe
O4 - HKCU\..\Run: [Fpq] C:\WINNT\system32\Ppq.exe
O4 - HKCU\..\Run: [Fvb] C:\WINNT\Rfs.exe
O4 - HKCU\..\Run: [Nhd] C:\WINNT\system32\Dan.exe
O4 - HKCU\..\Run: [Jsa] C:\WINNT\Qmt.exe
O4 - HKCU\..\Run: [Ula] C:\WINNT\Lku.exe
O4 - HKCU\..\Run: [Ail] C:\WINNT\Ikr.exe
O4 - HKCU\..\Run: [Tss] C:\WINNT\system32\Ced.exe
O4 - HKCU\..\Run: [Qns] C:\WINNT\Dkc.exe
O4 - HKCU\..\Run: [Etc] C:\WINNT\Lpj.exe
O4 - HKCU\..\Run: [Afe] C:\WINNT\system32\Mcb.exe
O4 - HKCU\..\Run: [Dcp] C:\WINNT\Uiq.exe
O4 - HKCU\..\Run: [Igl] C:\WINNT\Kbs.exe
O4 - HKCU\..\Run: [Tnr] C:\WINNT\system32\Gog.exe
O4 - HKCU\..\Run: [Jgt] C:\WINNT\system32\Bip.exe
O4 - HKCU\..\Run: [Bjf] C:\WINNT\Acf.exe
O4 - HKCU\..\Run: [Jge] C:\WINNT\Jlr.exe
O4 - HKCU\..\Run: [Flg] C:\WINNT\system32\Gor.exe
O4 - HKCU\..\Run: [Tfc] C:\WINNT\system32\Hej.exe
O4 - HKCU\..\Run: [Oiu] C:\WINNT\system32\Opn.exe
O4 - HKCU\..\Run: [Lnp] C:\WINNT\system32\Klo.exe
O4 - HKCU\..\Run: [Qli] C:\WINNT\system32\Qnu.exe
O4 - HKCU\..\Run: [Iov] C:\WINNT\Ele.exe
O4 - HKCU\..\Run: [Qlu] C:\WINNT\Abm.exe
O4 - HKCU\..\Run: [Gak] C:\WINNT\Bot.exe
O4 - HKCU\..\Run: [Edh] C:\WINNT\Hfg.exe
O4 - HKCU\..\Run: [Kjq] C:\WINNT\Sdb.exe
O4 - HKCU\..\Run: [Oan] C:\WINNT\system32\Afs.exe
O4 - HKCU\..\Run: [Srp] C:\WINNT\system32\Fhk.exe
O4 - HKCU\..\Run: [Bdu] C:\WINNT\Plt.exe
O4 - HKCU\..\Run: [Icj] C:\WINNT\system32\Dnn.exe
O4 - HKCU\..\Run: [Hfu] C:\WINNT\system32\Nth.exe
O4 - HKCU\..\Run: [Pmh] C:\WINNT\system32\Pmn.exe
O4 - HKCU\..\Run: [Ugl] C:\WINNT\Gbc.exe
O4 - HKCU\..\Run: [Lgk] C:\WINNT\Lnq.exe
O4 - HKCU\..\Run: [Rud] C:\WINNT\system32\Sfc.exe
O4 - HKCU\..\Run: [Vjd] C:\WINNT\system32\Hsa.exe
O4 - HKCU\..\Run: [Snv] C:\WINNT\system32\Nra.exe
O4 - HKCU\..\Run: [Jsq] C:\WINNT\Gjf.exe
O4 - HKCU\..\Run: [Rru] C:\WINNT\system32\Ads.exe
O4 - HKCU\..\Run: [Cno] C:\WINNT\system32\Mdn.exe
O4 - HKCU\..\Run: [Hcl] C:\WINNT\system32\Abo.exe
O4 - HKCU\..\Run: [Rra] C:\WINNT\system32\Ikm.exe
O4 - HKCU\..\Run: [Ejn] C:\WINNT\system32\Oui.exe
O4 - HKCU\..\Run: [Odo] C:\WINNT\system32\Hgd.exe
O4 - HKCU\..\Run: [Bni] C:\WINNT\system32\Hgf.exe
O4 - HKCU\..\Run: [Ntv] C:\WINNT\system32\Pgn.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 64.62.171.156
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O20 - AppInit_DLLs:  C:\WINNT\NMSOCKNT.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


Panda log:


Incident                      Status                        Location

Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Lvv.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Kon.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Orp.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Tmo.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Auh.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Pge.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Akf.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Fhh.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Bua.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Tpn.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Ads.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Uie.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Sbo.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Mbp.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Maj.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Qah.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Iga.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Mri.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Hrl.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Rjf.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Hqa.exe
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Tdp.exe                                                                                                                                                                                                                                      
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Hvq.exe                                                                                                                                                                                                                                                
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Bjk.exe                                                                                                                                                                                                                                                
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Tlj.exe                                                                                                                                                                                                                                                
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Lmd.exe                                                                                                                                                                                                                                      
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\system32\Esu.exe                                                                                                                                                                                                                                      
Spyware:Spyware/Slimield      No disinfected                C:\WINNT\Qsv.exe                                                                                                                                                                                                                                                
Spyware:Spyware/Slimie

Offline guestolo

HTS log - smart security
« Reply #3 on: April 09, 2005, 05:27:18 PM »
I'm not getting back all the info I need, keep me updated

By the looks of it you didn't run DelDomains.inf
How come????

You didn't post back the logs from HSfix.bat
How come???
C:\hslog.txt and C:\hslog1.txt <--these logs

The best we can do for now

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

This file still doesn't look right
Navigate to
C:\WINNT\system32\winsvc.exe
Right click on winsvc.exe and rename it to winsvc.ex_
That should disable it for now

Do another scan with Hijackthis and put a check next to these entries:
Not all may show in safe mode, but fix what you can

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 64.62.171.156


All these next ones I ask you to fix with Hijackthis; I also need you to go and delete the files afterwards in safe mode
I'll use the first entry as an example

O4 - HKLM\..\Run: [Tec] C:\WINNT\system32\Kon.exe <--delete this file
O4 - HKLM\..\Run: [Sah] C:\WINNT\Orp.exe
O4 - HKLM\..\Run: [Ffh] C:\WINNT\system32\Tmo.exe
O4 - HKLM\..\Run: [Dmq] C:\WINNT\system32\Auh.exe
O4 - HKLM\..\Run: [Cdq] C:\WINNT\system32\Pge.exe
O4 - HKLM\..\Run: [Bis] C:\WINNT\Akf.exe
O4 - HKLM\..\Run: [Pkb] C:\WINNT\system32\Fhh.exe
O4 - HKLM\..\Run: [Oct] C:\WINNT\system32\Bua.exe
O4 - HKLM\..\Run: [Rju] C:\WINNT\system32\Tpn.exe
O4 - HKLM\..\Run: [Ecg] C:\WINNT\Ads.exe
O4 - HKLM\..\Run: [Veh] C:\WINNT\system32\Uie.exe
O4 - HKLM\..\Run: [Uum] C:\WINNT\system32\Sbo.exe
O4 - HKLM\..\Run: [Pcu] C:\WINNT\Mbp.exe
O4 - HKLM\..\Run: [Unr] C:\WINNT\Maj.exe
O4 - HKLM\..\Run: [Jaf] C:\WINNT\system32\Qah.exe
O4 - HKLM\..\Run: [Ctu] C:\WINNT\Iga.exe
O4 - HKLM\..\Run: [Poq] C:\WINNT\system32\Mri.exe
O4 - HKLM\..\Run: [Akt] C:\WINNT\system32\Hrl.exe
O4 - HKLM\..\Run: [Smo] C:\WINNT\system32\Rjf.exe
O4 - HKLM\..\Run: [Rfj] C:\WINNT\Hqa.exe
O4 - HKLM\..\Run: [Vrv] C:\WINNT\system32\Tdp.exe
O4 - HKLM\..\Run: [Vlr] C:\WINNT\Hvq.exe
O4 - HKLM\..\Run: [Ofi] C:\WINNT\Bjk.exe
O4 - HKLM\..\Run: [Lcu] C:\WINNT\Tlj.exe
O4 - HKLM\..\Run: [Itb] C:\WINNT\system32\Lmd.exe
O4 - HKLM\..\Run: [Ifj] C:\WINNT\system32\Esu.exe
O4 - HKLM\..\Run: [Srk] C:\WINNT\Qsv.exe
O4 - HKLM\..\Run: [Ioa] C:\WINNT\Cpc.exe
O4 - HKLM\..\Run: [Aud] C:\WINNT\Lfc.exe
O4 - HKLM\..\Run: [Kvq] C:\WINNT\system32\Qro.exe
O4 - HKLM\..\Run: [Jqf] C:\WINNT\Oqm.exe
O4 - HKLM\..\Run: [Ldp] C:\WINNT\Mcf.exe
O4 - HKLM\..\Run: [Qcs] C:\WINNT\Brd.exe
O4 - HKLM\..\Run: [Dlg] C:\WINNT\system32\Ihq.exe
O4 - HKLM\..\Run: [Qav] C:\WINNT\system32\Gel.exe
O4 - HKLM\..\Run: [Nmv] C:\WINNT\system32\Ssv.exe
O4 - HKLM\..\Run: [Bkt] C:\WINNT\system32\Bgg.exe
O4 - HKLM\..\Run: [Fjg] C:\WINNT\system32\Mke.exe
O4 - HKLM\..\Run: [Iot] C:\WINNT\Qet.exe
O4 - HKLM\..\Run: [Vtp] C:\WINNT\Hve.exe
O4 - HKLM\..\Run: [Bak] C:\WINNT\Jin.exe
O4 - HKLM\..\Run: [Tsl] C:\WINNT\system32\Bug.exe
O4 - HKLM\..\Run: [Uve] C:\WINNT\Goj.exe
O4 - HKLM\..\Run: [Evk] C:\WINNT\Nci.exe
O4 - HKLM\..\Run: [Egv] C:\WINNT\system32\Beu.exe
O4 - HKLM\..\Run: [Dqo] C:\WINNT\Ppm.exe
O4 - HKLM\..\Run: [Aog] C:\WINNT\Lvv.exe
O4 - HKLM\..\Run: [Dld] C:\WINNT\Gsn.exe
O4 - HKLM\..\Run: [Bik] C:\WINNT\Nfe.exe
O4 - HKLM\..\Run: [Sbr] C:\WINNT\system32\Mlk.exe
O4 - HKLM\..\Run: [Shs] C:\WINNT\system32\Nfv.exe
O4 - HKLM\..\Run: [Jir] C:\WINNT\system32\Vua.exe
O4 - HKLM\..\Run: [Stf] C:\WINNT\system32\Ouh.exe
O4 - HKLM\..\Run: [Psf] C:\WINNT\Lkj.exe
O4 - HKLM\..\Run: [Qtn] C:\WINNT\system32\Tpe.exe
O4 - HKLM\..\Run: [Rtd] C:\WINNT\system32\Mjm.exe
O4 - HKLM\..\Run: [Vkq] C:\WINNT\Qql.exe
O4 - HKLM\..\Run: [Mot] C:\WINNT\Csi.exe
O4 - HKLM\..\Run: [Ccd] C:\WINNT\Gkp.exe
O4 - HKLM\..\Run: [Cub] C:\WINNT\system32\Aqr.exe
O4 - HKLM\..\Run: [Ocg] C:\WINNT\Snv.exe
O4 - HKLM\..\Run: [Ihm] C:\WINNT\system32\Bjd.exe
O4 - HKLM\..\Run: [Lop] C:\WINNT\Eno.exe
O4 - HKLM\..\Run: [Gtv] C:\WINNT\Ado.exe
O4 - HKLM\..\Run: [Ijg] C:\WINNT\Uno.exe
O4 - HKLM\..\Run: [Fpm] C:\WINNT\Kjb.exe
O4 - HKLM\..\Run: [Vab] C:\WINNT\system32\Pgb.exe
O4 - HKLM\..\Run: [Nrp] C:\WINNT\system32\Pbe.exe
O4 - HKLM\..\Run: [Bec] C:\WINNT\Bau.exe
O4 - HKLM\..\Run: [Tpv] C:\WINNT\Scn.exe
O4 - HKLM\..\Run: [Vte] C:\WINNT\Cha.exe
O4 - HKLM\..\Run: [Qvp] C:\WINNT\Mmv.exe
O4 - HKLM\..\Run: [Msj] C:\WINNT\system32\Jcv.exe
O4 - HKLM\..\Run: [Cea] C:\WINNT\Adp.exe
O4 - HKLM\..\Run: [Pog] C:\WINNT\Cbl.exe
O4 - HKLM\..\Run: [Mgc] C:\WINNT\Uoi.exe
O4 - HKLM\..\Run: [Ell] C:\WINNT\system32\Adp.exe
O4 - HKLM\..\Run: [Sgt] C:\WINNT\Nju.exe
O4 - HKLM\..\Run: [Jme] C:\WINNT\Ubf.exe
O4 - HKLM\..\Run: [Gpc] C:\WINNT\Tts.exe
O4 - HKLM\..\Run: [Bgd] C:\WINNT\Inf.exe
O4 - HKLM\..\Run: [Fpq] C:\WINNT\system32\Ppq.exe
O4 - HKLM\..\Run: [Fvb] C:\WINNT\Rfs.exe
O4 - HKLM\..\Run: [Nhd] C:\WINNT\system32\Dan.exe
O4 - HKLM\..\Run: [Jsa] C:\WINNT\Qmt.exe
O4 - HKLM\..\Run: [Ula] C:\WINNT\Lku.exe
O4 - HKLM\..\Run: [Ail] C:\WINNT\Ikr.exe
O4 - HKLM\..\Run: [Tss] C:\WINNT\system32\Ced.exe
O4 - HKLM\..\Run: [Qns] C:\WINNT\Dkc.exe
O4 - HKLM\..\Run: [Etc] C:\WINNT\Lpj.exe
O4 - HKLM\..\Run: [Afe] C:\WINNT\system32\Mcb.exe
O4 - HKLM\..\Run: [Dcp] C:\WINNT\Uiq.exe
O4 - HKLM\..\Run: [Igl] C:\WINNT\Kbs.exe
O4 - HKLM\..\Run: [Tnr] C:\WINNT\system32\Gog.exe
O4 - HKLM\..\Run: [Jgt] C:\WINNT\system32\Bip.exe
O4 - HKLM\..\Run: [Bjf] C:\WINNT\Acf.exe
O4 - HKLM\..\Run: [Jge] C:\WINNT\Jlr.exe
O4 - HKLM\..\Run: [Flg] C:\WINNT\system32\Gor.exe
O4 - HKLM\..\Run: [Tfc] C:\WINNT\system32\Hej.exe
O4 - HKLM\..\Run: [Oiu] C:\WINNT\system32\Opn.exe
O4 - HKLM\..\Run: [Lnp] C:\WINNT\system32\Klo.exe
O4 - HKLM\..\Run: [Qli] C:\WINNT\system32\Qnu.exe
O4 - HKLM\..\Run: [Iov] C:\WINNT\Ele.exe
O4 - HKLM\..\Run: [Qlu] C:\WINNT\Abm.exe
O4 - HKLM\..\Run: [Gak] C:\WINNT\Bot.exe
O4 - HKLM\..\Run: [Edh] C:\WINNT\Hfg.exe
O4 - HKLM\..\Run: [Kjq] C:\WINNT\Sdb.exe
O4 - HKLM\..\Run: [Oan] C:\WINNT\system32\Afs.exe
O4 - HKLM\..\Run: [Srp] C:\WINNT\system32\Fhk.exe
O4 - HKLM\..\Run: [Bdu] C:\WINNT\Plt.exe
O4 - HKLM\..\Run: [Icj] C:\WINNT\system32\Dnn.exe
O4 - HKLM\..\Run: [Hfu] C:\WINNT\system32\Nth.exe
O4 - HKLM\..\Run: [Pmh] C:\WINNT\system32\Pmn.exe
O4 - HKLM\..\Run: [Ugl] C:\WINNT\Gbc.exe
O4 - HKLM\..\Run: [Lgk] C:\WINNT\Lnq.exe
O4 - HKLM\..\Run: [Rud] C:\WINNT\system32\Sfc.exe
O4 - HKLM\..\Run: [Vjd] C:\WINNT\system32\Hsa.exe
O4 - HKLM\..\Run: [Snv] C:\WINNT\system32\Nra.exe
O4 - HKLM\..\Run: [Jsq] C:\WINNT\Gjf.exe
O4 - HKLM\..\Run: [Rru] C:\WINNT\system32\Ads.exe
O4 - HKLM\..\Run: [Cno] C:\WINNT\system32\Mdn.exe
O4 - HKLM\..\Run: [Hcl] C:\WINNT\system32\Abo.exe
O4 - HKLM\..\Run: [Rra] C:\WINNT\system32\Ikm.exe
O4 - HKLM\..\Run: [Ejn] C:\WINNT\system32\Oui.exe
O4 - HKLM\..\Run: [Odo] C:\WINNT\system32\Hgd.exe
O4 - HKLM\..\Run: [Bni] C:\WINNT\system32\Hgf.exe
O4 - HKLM\..\Run: [Ntv] C:\WINNT\system32\Pgn.exe

O4 - HKCU\..\Run: [Tec] C:\WINNT\system32\Kon.exe
O4 - HKCU\..\Run: [Sah] C:\WINNT\Orp.exe
O4 - HKCU\..\Run: [Ffh] C:\WINNT\system32\Tmo.exe
O4 - HKCU\..\Run: [Dmq] C:\WINNT\system32\Auh.exe
O4 - HKCU\..\Run: [Cdq] C:\WINNT\system32\Pge.exe
O4 - HKCU\..\Run: [Bis] C:\WINNT\Akf.exe
O4 - HKCU\..\Run: [Pkb] C:\WINNT\system32\Fhh.exe
O4 - HKCU\..\Run: [Oct] C:\WINNT\system32\Bua.exe
O4 - HKCU\..\Run: [Rju] C:\WINNT\system32\Tpn.exe
O4 - HKCU\..\Run: [Ecg] C:\WINNT\Ads.exe
O4 - HKCU\..\Run: [Veh] C:\WINNT\system32\Uie.exe
O4 - HKCU\..\Run: [Uum] C:\WINNT\system32\Sbo.exe
O4 - HKCU\..\Run: [Pcu] C:\WINNT\Mbp.exe
O4 - HKCU\..\Run: [Unr] C:\WINNT\Maj.exe
O4 - HKCU\..\Run: [Jaf] C:\WINNT\system32\Qah.exe
O4 - HKCU\..\Run: [Ctu] C:\WINNT\Iga.exe
O4 - HKCU\..\Run: [Poq] C:\WINNT\system32\Mri.exe
O4 - HKCU\..\Run: [Akt] C:\WINNT\system32\Hrl.exe
O4 - HKCU\..\Run: [Smo] C:\WINNT\system32\Rjf.exe
O4 - HKCU\..\Run: [Rfj] C:\WINNT\Hqa.exe
O4 - HKCU\..\Run: [Vrv] C:\WINNT\system32\Tdp.exe
O4 - HKCU\..\Run: [Vlr] C:\WINNT\Hvq.exe
O4 - HKCU\..\Run: [Ofi] C:\WINNT\Bjk.exe
O4 - HKCU\..\Run: [Lcu] C:\WINNT\Tlj.exe
O4 - HKCU\..\Run: [Itb] C:\WINNT\system32\Lmd.exe
O4 - HKCU\..\Run: [Ifj] C:\WINNT\system32\Esu.exe
O4 - HKCU\..\Run: [Srk] C:\WINNT\Qsv.exe
O4 - HKCU\..\Run: [Ioa] C:\WINNT\Cpc.exe
O4 - HKCU\..\Run: [Aud] C:\WINNT\Lfc.exe
O4 - HKCU\..\Run: [Kvq] C:\WINNT\system32\Qro.exe
O4 - HKCU\..\Run: [Jqf] C:\WINNT\Oqm.exe
O4 - HKCU\..\Run: [Ldp] C:\WINNT\Mcf.exe
O4 - HKCU\..\Run: [Qcs] C:\WINNT\Brd.exe
O4 - HKCU\..\Run: [Dlg] C:\WINNT\system32\Ihq.exe
O4 - HKCU\..\Run: [Qav] C:\WINNT\system32\Gel.exe
O4 - HKCU\..\Run: [Nmv] C:\WINNT\system32\Ssv.exe
O4 - HKCU\..\Run: [Bkt] C:\WINNT\system32\Bgg.exe
O4 - HKCU\..\Run: [Fjg] C:\WINNT\system32\Mke.exe
O4 - HKCU\..\Run: [Iot] C:\WINNT\Qet.exe
O4 - HKCU\..\Run: [Vtp] C:\WINNT\Hve.exe
O4 - HKCU\..\Run: [Bak] C:\WINNT\Jin.exe
O4 - HKCU\..\Run: [Tsl] C:\WINNT\system32\Bug.exe
O4 - HKCU\..\Run: [Uve] C:\WINNT\Goj.exe
O4 - HKCU\..\Run: [Evk] C:\WINNT\Nci.exe
O4 - HKCU\..\Run: [Egv] C:\WINNT\system32\Beu.exe
O4 - HKCU\..\Run: [Dqo] C:\WINNT\Ppm.exe
O4 - HKCU\..\Run: [Aog] C:\WINNT\Lvv.exe
O4 - HKCU\..\Run: [Dld] C:\WINNT\Gsn.exe
O4 - HKCU\..\Run: [Bik] C:\WINNT\Nfe.exe
O4 - HKCU\..\Run: [Sbr] C:\WINNT\system32\Mlk.exe
O4 - HKCU\..\Run: [Shs] C:\WINNT\system32\Nfv.exe
O4 - HKCU\..\Run: [Jir] C:\WINNT\system32\Vua.exe
O4 - HKCU\..\Run: [Stf] C:\WINNT\system32\Ouh.exe
O4 - HKCU\..\Run: [Psf] C:\WINNT\Lkj.exe
O4 - HKCU\..\Run: [Qtn] C:\WINNT\system32\Tpe.exe
O4 - HKCU\..\Run: [Rtd] C:\WINNT\system32\Mjm.exe
O4 - HKCU\..\Run: [Vkq] C:\WINNT\Qql.exe
O4 - HKCU\..\Run: [Mot] C:\WINNT\Csi.exe
O4 - HKCU\..\Run: [Ccd] C:\WINNT\Gkp.exe
O4 - HKCU\..\Run: [Cub] C:\WINNT\system32\Aqr.exe
O4 - HKCU\..\Run: [Ocg] C:\WINNT\Snv.exe
O4 - HKCU\..\Run: [Ihm] C:\WINNT\system32\Bjd.exe
O4 - HKCU\..\Run: [Lop] C:\WINNT\Eno.exe
O4 - HKCU\..\Run: [Gtv] C:\WINNT\Ado.exe
O4 - HKCU\..\Run: [Ijg] C:\WINNT\Uno.exe
O4 - HKCU\..\Run: [Fpm] C:\WINNT\Kjb.exe
O4 - HKCU\..\Run: [Vab] C:\WINNT\system32\Pgb.exe
O4 - HKCU\..\Run: [Nrp] C:\WINNT\system32\Pbe.exe
O4 - HKCU\..\Run: [Bec] C:\WINNT\Bau.exe
O4 - HKCU\..\Run: [Tpv] C:\WINNT\Scn.exe
O4 - HKCU\..\Run: [Vte] C:\WINNT\Cha.exe
O4 - HKCU\..\Run: [Qvp] C:\WINNT\Mmv.exe
O4 - HKCU\..\Run: [Msj] C:\WINNT\system32\Jcv.exe
O4 - HKCU\..\Run: [Cea] C:\WINNT\Adp.exe
O4 - HKCU\..\Run: [Pog] C:\WINNT\Cbl.exe
O4 - HKCU\..\Run: [Mgc] C:\WINNT\Uoi.exe
O4 - HKCU\..\Run: [Ell] C:\WINNT\system32\Adp.exe
O4 - HKCU\..\Run: [Sgt] C:\WINNT\Nju.exe
O4 - HKCU\..\Run: [Jme] C:\WINNT\Ubf.exe
O4 - HKCU\..\Run: [Gpc] C:\WINNT\Tts.exe
O4 - HKCU\..\Run: [Bgd] C:\WINNT\Inf.exe
O4 - HKCU\..\Run: [Fpq] C:\WINNT\system32\Ppq.exe
O4 - HKCU\..\Run: [Fvb] C:\WINNT\Rfs.exe
O4 - HKCU\..\Run: [Nhd] C:\WINNT\system32\Dan.exe
O4 - HKCU\..\Run: [Jsa] C:\WINNT\Qmt.exe
O4 - HKCU\..\Run: [Ula] C:\WINNT\Lku.exe
O4 - HKCU\..\Run: [Ail] C:\WINNT\Ikr.exe
O4 - HKCU\..\Run: [Tss] C:\WINNT\system32\Ced.exe
O4 - HKCU\..\Run: [Qns] C:\WINNT\Dkc.exe
O4 - HKCU\..\Run: [Etc] C:\WINNT\Lpj.exe
O4 - HKCU\..\Run: [Afe] C:\WINNT\system32\Mcb.exe
O4 - HKCU\..\Run: [Dcp] C:\WINNT\Uiq.exe
O4 - HKCU\..\Run: [Igl] C:\WINNT\Kbs.exe
O4 - HKCU\..\Run: [Tnr] C:\WINNT\system32\Gog.exe
O4 - HKCU\..\Run: [Jgt] C:\WINNT\system32\Bip.exe
O4 - HKCU\..\Run: [Bjf] C:\WINNT\Acf.exe
O4 - HKCU\..\Run: [Jge] C:\WINNT\Jlr.exe
O4 - HKCU\..\Run: [Flg] C:\WINNT\system32\Gor.exe
O4 - HKCU\..\Run: [Tfc] C:\WINNT\system32\Hej.exe
O4 - HKCU\..\Run: [Oiu] C:\WINNT\system32\Opn.exe
O4 - HKCU\..\Run: [Lnp] C:\WINNT\system32\Klo.exe
O4 - HKCU\..\Run: [Qli] C:\WINNT\system32\Qnu.exe
O4 - HKCU\..\Run: [Iov] C:\WINNT\Ele.exe
O4 - HKCU\..\Run: [Qlu] C:\WINNT\Abm.exe
O4 - HKCU\..\Run: [Gak] C:\WINNT\Bot.exe
O4 - HKCU\..\Run: [Edh] C:\WINNT\Hfg.exe
O4 - HKCU\..\Run: [Kjq] C:\WINNT\Sdb.exe
O4 - HKCU\..\Run: [Oan] C:\WINNT\system32\Afs.exe
O4 - HKCU\..\Run: [Srp] C:\WINNT\system32\Fhk.exe
O4 - HKCU\..\Run: [Bdu] C:\WINNT\Plt.exe
O4 - HKCU\..\Run: [Icj] C:\WINNT\system32\Dnn.exe
O4 - HKCU\..\Run: [Hfu] C:\WINNT\system32\Nth.exe
O4 - HKCU\..\Run: [Pmh] C:\WINNT\system32\Pmn.exe
O4 - HKCU\..\Run: [Ugl] C:\WINNT\Gbc.exe
O4 - HKCU\..\Run: [Lgk] C:\WINNT\Lnq.exe
O4 - HKCU\..\Run: [Rud] C:\WINNT\system32\Sfc.exe
O4 - HKCU\..\Run: [Vjd] C:\WINNT\system32\Hsa.exe
O4 - HKCU\..\Run: [Snv] C:\WINNT\system32\Nra.exe
O4 - HKCU\..\Run: [Jsq] C:\WINNT\Gjf.exe
O4 - HKCU\..\Run: [Rru] C:\WINNT\system32\Ads.exe
O4 - HKCU\..\Run: [Cno] C:\WINNT\system32\Mdn.exe
O4 - HKCU\..\Run: [Hcl] C:\WINNT\system32\Abo.exe
O4 - HKCU\..\Run: [Rra] C:\WINNT\system32\Ikm.exe
O4 - HKCU\..\Run: [Ejn] C:\WINNT\system32\Oui.exe
O4 - HKCU\..\Run: [Odo] C:\WINNT\system32\Hgd.exe
O4 - HKCU\..\Run: [Bni] C:\WINNT\system32\Hgf.exe
O4 - HKCU\..\Run: [Ntv] C:\WINNT\system32\Pgn.exe
O4 - Startup: PowerReg Scheduler.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RIGHT CLICK on DelDomains.inf and choose INSTALL

Run Windows CleanUp! again

Restart back to Normal mode

Post back a fresh Hijackthis log from just a scan in Normal mode

Let me know if you can use your right click on the mouse, or is it disabled?
Are the Display properties in the Control Panel locked?
Do you have Double icons on the desktop?

Please also post the logs from HSFix.bat
« Last Edit: April 09, 2005, 05:31:52 PM by guestolo »

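An added example, not code from this thread, from HijackThis or from any tool the post names, that turns O4 and O15 log lines of the kind listed above into the checklist the post describes: the HKLM and HKCU Run entries point at the same files, so the delete list is de-duplicated, and every O15 Trusted Zone entry is collected for review. The sample log lines, the "ExampleAV" autorun and the three-letter-name heuristic are constructed for this illustration.

```python
"""Remediation checklist from HijackThis O4/O15 lines (added example, not
from the thread or from HijackThis): de-duplicates the files named by the
HKLM and HKCU Run entries and lists the O15 Trusted Zone entries."""
import re

# Constructed sample in the exact shape of the log above. "ExampleAV" is a
# placeholder for a legitimate autorun that the heuristic must NOT flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Tec] C:\WINNT\system32\Kon.exe
O4 - HKLM\..\Run: [Sah] C:\WINNT\Orp.exe
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\Example AV\exampleav.exe"
O4 - HKCU\..\Run: [Tec] C:\WINNT\system32\Kon.exe
O4 - HKCU\..\Run: [Sah] C:\WINNT\Orp.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 64.62.171.156
"""

# HijackThis abbreviates the autorun keys; these are the full registry paths.
RUN_KEYS = {
    "HKLM": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+?)\s*$")
ZONE_RE = re.compile(r"^O15 - Trusted (Zone|IP range): (.+?)\s*$")
WINDOWS_DIRS = {r"c:\winnt", r"c:\winnt\system32"}


def looks_like_dropper(path):
    """Heuristic taken from this thread: a capitalised three-letter .exe
    dropped straight into the Windows directory or system32."""
    directory, _, name = path.rpartition("\\")
    return (directory.lower() in WINDOWS_DIRS
            and re.fullmatch(r"[A-Z][a-z]{2}\.exe", name) is not None)


def remediation_plan(log_text):
    """Return the HJT lines to tick, the registry values they map to, the
    de-duplicated files to delete afterwards, and the O15 zone entries."""
    plan = {"tick": [], "registry_values": [], "files_to_delete": [],
            "trusted_zone": [], "trusted_ip": []}
    seen_files = set()
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, value_name, command = m.groups()
            path = command.strip('"')          # HJT quotes paths with spaces
            if looks_like_dropper(path):
                plan["tick"].append(line)
                plan["registry_values"].append((RUN_KEYS[hive], value_name))
                if path not in seen_files:     # HKLM and HKCU name the same file
                    seen_files.add(path)
                    plan["files_to_delete"].append(path)
            continue
        m = ZONE_RE.match(line)
        if m:                                  # every O15 entry is listed for review
            kind, target = m.groups()
            plan["tick"].append(line)
            plan["trusted_zone" if kind == "Zone" else "trusted_ip"].append(target)
    return plan


if __name__ == "__main__":
    print(remediation_plan(SAMPLE_LOG))
```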


Offline shermansen

HTS log - smart security
« Reply #4 on: April 10, 2005, 10:05:44 AM »
Thanks.

I was going to comment that the RMB is disabled. I thought the DelDomains.inf installed - from the toolbar, so I thought I had a workaround.

Display properties are locked and the double icons came up in between our posts here.

I'll grab the missing logs and post them after church this morning. I was posting things into the reply while getting heckled - sorry I missed them.


Thanks!

Scotti Hermansen