Author Topic: Dao Search is like herpes  (Read 5745 times)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Dao Search is like herpes
« Reply #20 on: April 17, 2005, 01:04:03 PM »
Copy and paste these instructions to a Notepad file then close all browser windows
Disconnect from the Net

I guess you forgot about a fresh Hijackthis log :unsure:

Let's try the following

Run Pocket KillBox. Now KillBox and this Notepad file are open.
Click on Tools>>Delete Temp files

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold; do not type this in

C:\WINDOWS\system32\cmdteld.exe

Click the Delete File button after each
The Red circle and a white X
Keep track of any file that won't delete; we'll need those in a bit

Do the same for these paths to the file names

C:\WINDOWS\system32\dqaateqe.exe
C:\WINDOWS\system32\dqhrijko.exe
C:\WINDOWS\system32\gshtqjiq.exe
C:\WINDOWS\system32\gslnbaaa.exe
C:\WINDOWS\system32\init32m.exe
C:\WINDOWS\system32\jhjoaaaa.exe
C:\WINDOWS\system32\sgevcaaa.exe
C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\jndaaaaa.exe

C:\WINDOWS\bfyania.exe
C:\WINDOWS\brgxteo.exe
C:\WINDOWS\cfvnpbm.exe
C:\WINDOWS\evumfmx.exe
C:\WINDOWS\gehbouq.exe
C:\WINDOWS\gvvndux.exe
C:\WINDOWS\hglwjlm.exe
C:\WINDOWS\kadxqet.exe
C:\WINDOWS\mbfrbem.exe

C:\WINDOWS\mqgtbiv.exe
C:\WINDOWS\nfxouiy.exe
C:\WINDOWS\nmboswh.exe
C:\WINDOWS\ntasjoi.exe
C:\WINDOWS\ocqwhuv.exe
C:\WINDOWS\oyglvea.exe
C:\WINDOWS\pcvdkdb.exe
C:\WINDOWS\powkaix.exe
C:\WINDOWS\qaqbnkw.exe
C:\WINDOWS\rggrhqo.exe

C:\WINDOWS\rqtymkh.exe
C:\WINDOWS\sgstvvq.exe
C:\WINDOWS\swhhnjo.exe
C:\WINDOWS\swjspmr.exe
C:\WINDOWS\swlinrb.exe
C:\WINDOWS\sys1210.exe
C:\WINDOWS\sys1214.exe
C:\WINDOWS\sys1217.exe
C:\WINDOWS\sys1222.exe
C:\WINDOWS\sys1225.exe
C:\WINDOWS\sys1227.exe

C:\WINDOWS\sys153.exe
C:\WINDOWS\sys156.exe
C:\WINDOWS\sys159.exe
C:\WINDOWS\sys281.exe
C:\WINDOWS\sys284.exe
C:\WINDOWS\sys287.exe
C:\WINDOWS\sys3059.exe
C:\WINDOWS\sys312.exe
C:\WINDOWS\sys316.exe

C:\WINDOWS\sys3419.exe
C:\WINDOWS\sys3422.exe
C:\WINDOWS\sys3425.exe
C:\WINDOWS\sys4142.exe
C:\WINDOWS\sys4147.exe
C:\WINDOWS\sys4434.exe
C:\WINDOWS\sys4440.exe
C:\WINDOWS\sys4443.exe
C:\WINDOWS\sys4655.exe

C:\WINDOWS\sys4658.exe
C:\WINDOWS\sys471.exe
C:\WINDOWS\sys5832.exe
C:\WINDOWS\sys5835.exe
C:\WINDOWS\sys5838.exe
C:\WINDOWS\sys953.exe
C:\WINDOWS\sys956.exe

C:\WINDOWS\sys958.exe
C:\WINDOWS\uccbsyq.exe
C:\WINDOWS\vobpcfq.exe
C:\WINDOWS\vqbhwyy.exe
C:\WINDOWS\wxsvgwm.exe
C:\WINDOWS\xjrcqlr.exe
C:\WINDOWS\xsrwadi.exe
C:\WINDOWS\ywtovhs.exe


For any file that won't delete
Copy and paste that entry back into Killbox
Select the radio button to
 Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
When you've entered the last path to the file name,
allow the computer to reboot, or restart anyway

Back in windows

Post back a fresh Hijackthis log
Could you also run rkfiles.bat again and post a fresh log
« Last Edit: April 17, 2005, 01:31:39 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline TSD151

  • Jr. Member
  • Posts: 84
  • Karma: +0/-0
Dao Search is like herpes
« Reply #21 on: April 17, 2005, 01:59:17 PM »
Things seem to be getting better, no more win min end program thing when I shut down. I was able to kill every file in kill box. Here are my last logs from Hijack and RK:

Logfile of HijackThis v1.99.1
Scan saved at 11:38:36 AM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cfvsxyq] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [vpyphce] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [pibibym] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xvdsglg] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ihdkupl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [ldaeqtv] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [dwhrfsx] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [qxlktlx] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [vcaasfn] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [bhjpmho] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ckivrgl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [yiscgnn] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [wgssvxc] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [mukoahh] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [plcqosy] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [dvcftky] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xxmqpti] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [oehdxfv] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [hxvfhqj] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [tflindc] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [sebfwiq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [jpnttlr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [luxcfaw] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xfpuvtv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lblvvlv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mqjjwoh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lmwnugq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [goirkqd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [gsohtyv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xwcgtrh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mejlbse] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [yrijkfd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [fhrjxds] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [djhtktr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mokdxje] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svfrvyr] c:\windows\gehbouq.exe
O4 - HKCU\..\Run: [xollrjm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mvguecn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yrpjbni] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sfktcny] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [htakfvy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kpgisut] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svutihq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [snkjcdy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wnpdpwr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [myoibdt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mqrnnsv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kxglhda] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hrbqsbu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oqjtwpf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iqnbcmy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [leopyqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jjkjdep] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sojovjy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [prdqrcm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dubignt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [danxaom] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wcrpdhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sjekwlt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aqmcpqh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kfdhrug] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [nmjogou] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qmdcuhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mecbqmr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [muvnlvj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [nnixohg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qlrcumg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rwoftjd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wqswesy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qtrwdod] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [atxkdqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yakgwet] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wsaqysf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gxtjify] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uigqrol] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [toamymy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jurbybk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fqptoct] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kevtskf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cdwtyip] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kvmjxfd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fmufxoy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hmvelmf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lcwnjia] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cjdpwgo] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vswdvys] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rkjotms] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hdhptgj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ywlrbon] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [apmkyyc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ghtyywg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xrcfuov] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bkrfeau] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svnknbb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wfwpint] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yjdwrrt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dxpmole] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sbjphab] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eigwyay] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [giilwov] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vrplogs] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [icxvffv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hicfjam] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kvuwxyf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [csengqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wscaygv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qarbfyv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oseiwcu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vjssffj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qvsfvhi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [knnwxfw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [annyjvn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vlblehr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lywngjl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mxmblpx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjxbvlg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fcklsja] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fryynds] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xnyswbv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xahrprf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [curuyrr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ufcpoyw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tnevgph] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [douykld] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oeqvfmi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uoyfnrk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [refcchy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [krasyhj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ebcbqoe] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xgmlosi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rkitghs] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hhwpync] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mhybepf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wplqkvu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tgdulnt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qshxkao] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dwumttm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cedudia] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qdroaww] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gkyqpkg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [drnbpyb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ggipvnl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mnsaryo] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rctgqsb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [upahhmj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cgmfike] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kgxjbgg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uktuepl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jebtxej] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ceafsrw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ixyhnrm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pjrubvq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qymqodu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dahqjqf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rjwrvcd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [trtbdwx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tysabyf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eicyghu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yfbpsnn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ldgutgr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ufonnkg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yjpwuvp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ocnksvq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgjlrtq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pynmimu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rxpgqhy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jhdiwbl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eomqoid] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ggdulhi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sktggrv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jbtvetu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wbqetcc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjvumct] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gmuanqd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [namfoqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sqgwabm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [miqgdyb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ymptpwp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lvrrlui] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iqppaii] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [icsjwib] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wtksnlh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [viljjji] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xedegvw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vheotau] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ugcbxhn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mdlbusw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xlegqly] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hltpdcw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ethrpqi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tclhtea] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qppigqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [imjhbdh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [roqkmpj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jqhinbw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dqwquwh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vhcsjow] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [btusyhj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bgbygpc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rgcgpad] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pvlwdim] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [prxtuqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ealltbr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ncgrdqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vymwhey] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aiohvlm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [otuqfem] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sfpcqvc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cqernyr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yxbqnfj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cxiqqth] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [onpfbgr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tliewmk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgnpufx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lojbyay] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mgfclrg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xwyxjop] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pbihpej] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qdkohar] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qjcgtqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vcllros] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bpyjppy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aqmgwcd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pyrnqoq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vxstbxf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wblobhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [niegrjp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dvpaalu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xukornv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [humyfsa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tyytfck] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rsqasbw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ksadoev] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ocmwgmy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oigbwer] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iyawjqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rbffgwb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjaotsl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [moskdma] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gqodvec] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vrxaipd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wstkpqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vvjwunh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [olwhcuh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ltoahkv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mgutotv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cltmwoc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vprsuly] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bvddexc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lqxxxoh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qqgwiir] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aurucba] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [elpldad] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gnmyfwt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qrcpohm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgdrebw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qpxgjyx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mxauago] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mnsriey] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wishaxy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [obgwnbd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uracljx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ogvvgla] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uywdeor] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xydvrwj] c:\windows\mbfrbem.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\sys4145.exe: UPX!
Finished
bye

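The log above shows the two patterns that make this infection easy to spot mechanically: a handful of randomly named executables in the Windows root (`mbfrbem.exe`, `bfyania.exe`, `xaicctk.exe`, `ktvxskx.exe`) registered under hundreds of different HKCU Run value names, and the IE start/search settings redirected to `w-find.com`. As an added example (not code from this thread, from HijackThis or from its author), the Python script below parses HijackThis-format R0/R1 and O4 lines, groups Run values by the executable they launch, and flags exactly those patterns; it produces the same O4 list guestolo asks to have fixed in the next reply. The log excerpt, the `TRUSTED_HOSTS` list and the flagging rules are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt in HijackThis format: a few of the lines visible in the
# posted log, trimmed so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cfvsxyq] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [pibibym] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [vpyphce] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [hxvfhqj] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mokdxje] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xollrjm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mvguecn] c:\windows\mbfrbem.exe
"""

# O4 lines: "O4 - HKCU\..\Run: [ValueName] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# R0/R1 lines: "R1 - <registry key>,<value name> = <data>"
R_RE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^,=]+?) = (?P<data>.+)$")

# Hosts the analyst accepts as this machine's legitimate home/search pages.
# Constructed for this example from the ISP-provided Yahoo pages in the log.
TRUSTED_HOSTS = {"rd.yahoo.com", "www.yahoo.com", "isp.member.yahoo.com"}
WINDOWS_ROOT = "c:\\windows"


def executable_of(cmd: str) -> str:
    """Return the program path from a Run-key command line, lower-cased.
    Quoted paths may contain spaces; unquoted ones end at the first space."""
    if cmd.startswith('"'):
        return cmd.split('"')[1].lower()
    return cmd.split()[0].lower()


def triage(log_text: str, trusted_hosts=TRUSTED_HOSTS) -> dict:
    """Group Run entries by target and flag hijack indicators."""
    run_targets = defaultdict(set)   # executable -> set of Run value names
    ie_hijack = []                   # (value name, host) for untrusted hosts
    proxy = None
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            run_targets[executable_of(m["cmd"])].add(m["name"])
            continue
        m = R_RE.match(line)
        if not m:
            continue
        if m["value"] == "ProxyServer":
            proxy = m["data"]
        elif m["data"].startswith("http"):
            host = urlparse(m["data"]).hostname
            if host not in trusted_hosts:
                ie_hijack.append((m["value"], host))

    suspicious = []
    for exe, names in run_targets.items():
        in_windows_root = exe.rsplit("\\", 1)[0] == WINDOWS_ROOT
        # One binary registered under several different value names is the
        # mass-persistence pattern seen in the posted log.
        if in_windows_root or len(names) > 1:
            suspicious.append(exe)

    return {
        "run_targets": {k: sorted(v) for k, v in run_targets.items()},
        "suspicious_run": sorted(suspicious),
        "ie_hijack": ie_hijack,
        "proxy": proxy,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for exe in report["suspicious_run"]:
        print(f"suspicious Run target {exe}: {len(report['run_targets'][exe])} value name(s)")
    for value, host in report["ie_hijack"]:
        print(f"IE {value} points at untrusted host {host}")
    if report["proxy"]:
        print(f"IE proxy set to {report['proxy']}: check which process listens there")
```

Two design notes. Grouping by target rather than by value name is what collapses the several hundred O4 lines in the log into four executables, which is the list you actually need for KillBox. The loopback `ProxyServer` entry is reported but not judged: the same log shows GhostSurf 2005, a local privacy proxy, running, so a `127.0.0.1` proxy may be legitimate here and should be checked against the listening process before it is removed.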
Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Dao Search is like herpes
« Reply #22 on: April 17, 2005, 02:05:32 PM »
Let's try this again

Save these instructions to a Notepad file and then disconnect from the Net

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

O4 - HKCU\..\Run: [cfvsxyq] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [vpyphce] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [pibibym] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xvdsglg] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ihdkupl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [ldaeqtv] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [dwhrfsx] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [qxlktlx] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [vcaasfn] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [bhjpmho] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [ckivrgl] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [yiscgnn] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [wgssvxc] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [mukoahh] c:\windows\ktvxskx.exe
O4 - HKCU\..\Run: [plcqosy] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [dvcftky] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [xxmqpti] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [oehdxfv] c:\windows\xaicctk.exe
O4 - HKCU\..\Run: [hxvfhqj] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [tflindc] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [sebfwiq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [jpnttlr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [luxcfaw] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xfpuvtv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lblvvlv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mqjjwoh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [lmwnugq] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [goirkqd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [gsohtyv] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [xwcgtrh] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mejlbse] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [yrijkfd] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [fhrjxds] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [djhtktr] c:\windows\bfyania.exe
O4 - HKCU\..\Run: [mokdxje] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svfrvyr] c:\windows\gehbouq.exe
O4 - HKCU\..\Run: [xollrjm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mvguecn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yrpjbni] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sfktcny] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [htakfvy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kpgisut] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svutihq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [snkjcdy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wnpdpwr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [myoibdt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mqrnnsv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kxglhda] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hrbqsbu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oqjtwpf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iqnbcmy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [leopyqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jjkjdep] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sojovjy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [prdqrcm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dubignt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [danxaom] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wcrpdhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sjekwlt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aqmcpqh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kfdhrug] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [nmjogou] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qmdcuhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mecbqmr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [muvnlvj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [nnixohg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qlrcumg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rwoftjd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wqswesy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qtrwdod] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [atxkdqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yakgwet] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wsaqysf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gxtjify] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uigqrol] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [toamymy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jurbybk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fqptoct] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kevtskf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cdwtyip] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kvmjxfd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fmufxoy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hmvelmf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lcwnjia] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cjdpwgo] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vswdvys] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rkjotms] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hdhptgj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ywlrbon] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [apmkyyc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ghtyywg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xrcfuov] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bkrfeau] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [svnknbb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wfwpint] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yjdwrrt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dxpmole] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sbjphab] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eigwyay] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [giilwov] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vrplogs] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [icxvffv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hicfjam] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kvuwxyf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [csengqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wscaygv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qarbfyv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oseiwcu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vjssffj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qvsfvhi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [knnwxfw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [annyjvn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vlblehr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lywngjl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mxmblpx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjxbvlg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fcklsja] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [fryynds] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xnyswbv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xahrprf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [curuyrr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ufcpoyw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tnevgph] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [douykld] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oeqvfmi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uoyfnrk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [refcchy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [krasyhj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ebcbqoe] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xgmlosi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rkitghs] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hhwpync] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mhybepf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wplqkvu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tgdulnt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qshxkao] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dwumttm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cedudia] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qdroaww] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gkyqpkg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [drnbpyb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ggipvnl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mnsaryo] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rctgqsb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [upahhmj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cgmfike] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [kgxjbgg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uktuepl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jebtxej] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ceafsrw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ixyhnrm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pjrubvq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qymqodu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dahqjqf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rjwrvcd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [trtbdwx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tysabyf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eicyghu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yfbpsnn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ldgutgr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ufonnkg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yjpwuvp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ocnksvq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgjlrtq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pynmimu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rxpgqhy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jhdiwbl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [eomqoid] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ggdulhi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sktggrv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jbtvetu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wbqetcc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjvumct] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gmuanqd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [namfoqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sqgwabm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [miqgdyb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ymptpwp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lvrrlui] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iqppaii] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [icsjwib] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wtksnlh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [viljjji] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xedegvw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vheotau] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ugcbxhn] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mdlbusw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xlegqly] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [hltpdcw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ethrpqi] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tclhtea] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qppigqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [imjhbdh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [roqkmpj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [jqhinbw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dqwquwh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vhcsjow] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [btusyhj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bgbygpc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rgcgpad] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pvlwdim] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [prxtuqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ealltbr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ncgrdqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vymwhey] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aiohvlm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [otuqfem] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [sfpcqvc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cqernyr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [yxbqnfj] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cxiqqth] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [onpfbgr] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tliewmk] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgnpufx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lojbyay] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mgfclrg] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xwyxjop] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pbihpej] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qdkohar] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qjcgtqc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vcllros] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bpyjppy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aqmgwcd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [pyrnqoq] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vxstbxf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wblobhf] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [niegrjp] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [dvpaalu] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xukornv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [humyfsa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [tyytfck] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rsqasbw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ksadoev] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ocmwgmy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [oigbwer] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [iyawjqa] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [rbffgwb] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wjaotsl] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [moskdma] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gqodvec] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vrxaipd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wstkpqw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vvjwunh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [olwhcuh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ltoahkv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mgutotv] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [cltmwoc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [vprsuly] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [bvddexc] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [lqxxxoh] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qqgwiir] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [aurucba] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [elpldad] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [gnmyfwt] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qrcpohm] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wgdrebw] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [qpxgjyx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mxauago] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [mnsriey] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [wishaxy] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [obgwnbd] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uracljx] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [ogvvgla] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [uywdeor] c:\windows\mbfrbem.exe
O4 - HKCU\..\Run: [xydvrwj] c:\windows\mbfrbem.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run Pocket KillBox>>Now KillBox and this Notepad file are open
Click on Tools>>Delete Temp files

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\sys4145.exe

Select the radio button to Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
Then allow the computer to Reboot

Back in Windows
Supply a fresh Hijackthis log and one more log from Rkfiles.bat

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline TSD151

Dao Search is like herpes
« Reply #23 on: April 17, 2005, 03:06:39 PM »
Here are the latest RK and Hijack logs:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

Logfile of HijackThis v1.99.1
Scan saved at 1:05:07 PM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline guestolo

Dao Search is like herpes
« Reply #24 on: April 17, 2005, 03:16:23 PM »
Do you still have the desktop background problems?

Can you look for this file and delete it if found? Let me know if you can find it
C:\wp.bmp <-file

Could you also download and UNZIP Find.zip to a folder, so you now have Find.bat in the same folder
[attachment=152:attachment]

Double click on Find.bat and copy and paste back the contents



Offline TSD151

Dao Search is like herpes
« Reply #25 on: April 17, 2005, 03:27:46 PM »
I was able to find and delete c:\wp.bmp, it is gone. Here is the log from Find.bat:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001

Offline guestolo

Dao Search is like herpes
« Reply #26 on: April 17, 2005, 04:17:35 PM »
Can you do the following please

Because all users are set up differently, we can probably remove the whole System key, but can you try the following

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=-
"NoDispBackgroundPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000

Double click on fix.reg and allow it to merge into the registry

Restart your computer

Let me know if you can now do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked

Can you also let me know if you can now download Ad-Aware SE
See if you can download it from here
http://www.tucows.com/preview/236049.html

Could you also open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click the "Open in Notepad" button
Copy and paste back the whole text file that opens
« Last Edit: April 17, 2005, 05:52:16 PM by guestolo »

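As an added example (not code from the thread, from HijackThis, or from any other tool mentioned here), a read-only PowerShell audit for the current user that covers both things the helper fixes by hand in this thread: the Policies values from the Find.bat output that hide the Display Properties tabs, and a Run key holding many differently named entries that all launch one executable, which is the pattern behind the long O4 list earlier in the thread. It assumes PowerShell 3 or later, running as the affected user; the function names, the duplicate threshold and the optional -Restore switch (which applies the same changes as fix.reg) are this example's own choices.

```powershell
# Added example, not from the thread. Read-only unless -Restore is passed.
# Checks the two artifacts this thread removes by hand:
#   1. Policies values that hide the Display Properties tabs / pin the wallpaper
#   2. HKCU Run entries where many random names all launch the same executable
param([switch]$Restore)

$PolicySystem   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyExplorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RunKey         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Values taken from the Find.bat output above. WallpaperStyle counts as a lock whenever
# it exists under Policies (fix.reg deletes it); the No* flags are locks when non-zero.
$LockdownChecks = @(
    @{ Key = $PolicySystem;   Name = 'NoDispBackgroundPage';   Note = 'hides the Desktop tab' }
    @{ Key = $PolicySystem;   Name = 'NoDispAppearancePage';   Note = 'hides the Appearance tab' }
    @{ Key = $PolicySystem;   Name = 'WallpaperStyle';         Note = 'pins wallpaper style by policy' }
    @{ Key = $PolicyExplorer; Name = 'NoActiveDesktopChanges'; Note = 'blocks Active Desktop changes' }
)

function Get-LockdownFindings {
    foreach ($check in $LockdownChecks) {
        if (-not (Test-Path $check.Key)) { continue }
        $props = Get-ItemProperty -Path $check.Key
        if ($props.PSObject.Properties.Name -notcontains $check.Name) { continue }
        $value  = $props.($check.Name)
        $locked = ($check.Name -eq 'WallpaperStyle') -or ([int]$value -ne 0)
        if ($locked) {
            [pscustomobject]@{ Key = $check.Key; Name = $check.Name; Value = $value; Note = $check.Note }
        }
    }
}

function Get-DuplicateRunTargets {
    # More than $Threshold differently named values for one executable is the pattern
    # in the HijackThis list above (hundreds of O4 entries -> c:\windows\mbfrbem.exe).
    param([int]$Threshold = 3)
    if (-not (Test-Path $RunKey)) { return }
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $entries = (Get-ItemProperty -Path $RunKey).PSObject.Properties |
        Where-Object { $meta -notcontains $_.Name } |
        ForEach-Object {
            # Normalise: keep only the executable path, drop quotes and arguments, lower-case it
            $cmd = [string]$_.Value
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            [pscustomobject]@{ Name = $_.Name; Target = $exe.ToLowerInvariant() }
        }
    $entries | Group-Object -Property Target | Where-Object { $_.Count -gt $Threshold } |
        ForEach-Object {
            [pscustomobject]@{ Target = $_.Name; Count = $_.Count; Names = ($_.Group.Name -join ', ') }
        }
}

function Restore-DesktopPolicy {
    # Same changes as fix.reg: delete WallpaperStyle, zero the two NoDisp* flags
    if (-not (Test-Path $PolicySystem)) { return }
    Remove-ItemProperty -Path $PolicySystem -Name 'WallpaperStyle' -ErrorAction SilentlyContinue
    foreach ($name in 'NoDispBackgroundPage', 'NoDispAppearancePage') {
        Set-ItemProperty -Path $PolicySystem -Name $name -Value 0 -Type DWord
    }
}

$locks = @(Get-LockdownFindings)
if ($locks.Count -eq 0) { 'No desktop lockdown policy values found.' }
else { $locks | Format-Table -AutoSize }

$dupes = @(Get-DuplicateRunTargets)
if ($dupes.Count -eq 0) { 'No Run target is launched by more than 3 differently named entries.' }
else { $dupes | Format-Table -AutoSize -Wrap }

if ($Restore -and $locks.Count -gt 0) {
    Restore-DesktopPolicy
    'Policy values reset; log off and back on for Display Properties to pick them up.'
}
```

The duplicate-target report only lists the entries; removing them, as with the O4 list above, stays a separate, deliberate step after the launched file itself has been dealt with.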


Offline TSD151

Dao Search is like herpes
« Reply #27 on: April 18, 2005, 05:21:16 AM »
I was finally able to download Ad-Aware. I also was able to get to the Desktop tab in Display Properties; however, I was unable to locate the Web tab under Customize Desktop. Here is the log from Ad-Aware:

Ad-Aware SE Build 1.05
Logfile Created on:Monday, April 18, 2005 3:04:33 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R39 15.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):11 total references
AltnetBDE(TAC index:4):47 total references
Malware.TopAntiSpyware(TAC index:7):20 total references
Possible Browser Hijack attempt(TAC index:3):2 total references
Security iGuard(TAC index:9):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


4/18/2005 3:04:33 AM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
    FilePath           : \SystemRoot\System32\
    ProcessID          : 416
    ThreadCreationTime : 4/18/2005 9:56:23 AM
    BasePriority       : Normal


#:2 [csrss.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 672
    ThreadCreationTime : 4/18/2005 9:56:26 AM
    BasePriority       : Normal


#:3 [winlogon.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 696
    ThreadCreationTime : 4/18/2005 9:56:27 AM
    BasePriority       : High


#:4 [services.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 740
    ThreadCreationTime : 4/18/2005 9:56:27 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName       : services.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : services.exe

#:5 [lsass.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 752
    ThreadCreationTime : 4/18/2005 9:56:27 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion     : 5.1.2600.1106
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName       : lsass.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : lsass.exe

#:6 [svchost.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 924
    ThreadCreationTime : 4/18/2005 9:56:27 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:7 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1024
    ThreadCreationTime : 4/18/2005 9:56:27 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:8 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1180
    ThreadCreationTime : 4/18/2005 9:56:28 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:9 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1212
    ThreadCreationTime : 4/18/2005 9:56:28 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:10 [ccsetmgr.exe]
    FilePath           : C:\Program Files\Common Files\Symantec Shared\
    ProcessID          : 1352
    ThreadCreationTime : 4/18/2005 9:56:29 AM
    BasePriority       : Normal
    FileVersion        : 2.1.6.3
    ProductVersion     : 2.1.6.3
    ProductName        : Common Client
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client Settings Manager Service
    InternalName       : ccSetMgr
    LegalCopyright     : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    OriginalFilename   : ccSetMgr.exe

#:11 [sndsrvc.exe]
    FilePath           : C:\Program Files\Common Files\Symantec Shared\
    ProcessID          : 1364
    ThreadCreationTime : 4/18/2005 9:56:29 AM
    BasePriority       : Normal
    FileVersion        : 5.4.4.17
    ProductVersion     : 5.4
    ProductName        : Symantec Security Drivers
    CompanyName        : Symantec Corporation
    FileDescription    : Network Driver Service
    InternalName       : SndSrvc
    LegalCopyright     : Copyright 2002, 2003, 2004 Symantec Corporation
    OriginalFilename   : SndSrvc.exe

#:12 [ccevtmgr.exe]
    FilePath           : C:\Program Files\Common Files\Symantec Shared\
    ProcessID          : 1392
    ThreadCreationTime : 4/18/2005 9:56:29 AM
    BasePriority       : Normal
    FileVersion        : 2.1.6.3
    ProductVersion     : 2.1.6.3
    ProductName        : Common Client
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client Event Manager Service
    InternalName       : ccEvtMgr
    LegalCopyright     : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    OriginalFilename   : ccEvtMgr.exe

#:13 [spoolsv.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1632
    ThreadCreationTime : 4/18/2005 9:56:29 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName       : spoolsv.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : spoolsv.exe

#:14 [explorer.exe]
    FilePath           : C:\WINDOWS\
    ProcessID          : 308
    ThreadCreationTime : 4/18/2005 9:57:19 AM
    BasePriority       : Normal
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : EXPLORER.EXE

#:15 [hpztsb05.exe]
    FilePath           : C:\WINDOWS\System32\spool\drivers\w32x86\3\
    ProcessID          : 560
    ThreadCreationTime : 4/18/2005 9:57:20 AM
    BasePriority       : Normal
    FileVersion        : 2,126,0,0
    ProductVersion     : 2,126,0,0
    ProductName        : HP DeskJet
    CompanyName        : HP
    LegalCopyright     : Copyright © Hewlett-Packard Company 1999-2002

#:16 [hphmon04.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 568
    ThreadCreationTime : 4/18/2005 9:57:20 AM
    BasePriority       : Normal
    FileVersion        : 4,0,34
    ProductVersion     : 4,0,34
    ProductName        : hp photosmart
    CompanyName        : Hewlett-Packard
    FileDescription    : HPHmon04
    InternalName       : HPHmon04
    LegalCopyright     : Copyright © 2001
    OriginalFilename   : HPHmon04.exe

#:17 [hpgs2wnd.exe]
    FilePath           : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
    ProcessID          : 584
    ThreadCreationTime : 4/18/2005 9:57:20 AM
    BasePriority       : Normal
    FileVersion        : 2,3,0,0\ 161
    ProductVersion     : 2,3,0,0\ 161
    ProductName        : Hewlett-Packard hpgs2wnd
    CompanyName        : Hewlett-Packard
    FileDescription    : hpgs2wnd
    InternalName       : hpgs2wnd
    LegalCopyright     : Copyright © 2001
    OriginalFilename   : hpgs2wnd.exe

#:18 [ccapp.exe]
    FilePath           : C:\Program Files\Common Files\Symantec Shared\
    ProcessID          : 620
    ThreadCreationTime : 4/18/2005 9:57:20 AM
    BasePriority       : Normal
    FileVersion        : 2.1.6.3
    ProductVersion     : 2.1.6.3
    ProductName        : Common Client
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client User Session
    InternalName       : ccApp
    LegalCopyright     : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    OriginalFilename   : ccApp.exe

#:19 [motivesb.exe]
    FilePath           : C:\PROGRA~1\SBCSEL~1\SMARTB~1\
    ProcessID          : 652
    ThreadCreationTime : 4/18/2005 9:57:20 AM
    BasePriority       : Normal
    FileVersion        : 5.6.7.asst_classic.smartbridge.20031210_035000
    ProductVersion     : 5.6.7.asst_classic.smartbridge
    ProductName        : Motive System
    CompanyName        : Motive Communications, Inc.
    FileDescription    : SBC Self Support Tool Alerts
    InternalName       : version
    LegalCopyright     : Copyright 1998-2003
    OriginalFilename   : version

#:20 [deletesatellite.exe]
    FilePath           : C:\Program Files\GhostSurf 2005\
    ProcessID          : 952
    ThreadCreationTime : 4/18/2005 9:57:20 AM
    BasePriority       : Normal
    FileVersion        : 1, 0, 0, 1
    ProductVersion     : 3, 0, 0, 1
    ProductName        : GhostSurf
    CompanyName        : Tenebril Incorporated
    FileDescription    : GhostSurf satellite deletion tool
    InternalName       : DeleteSatellite
    LegalCopyright     : Copyright © 2004 Tenebril Inc.
    OriginalFilename   : DeleteSatellite.exe
    Comments           : This tool deletes files the user wishes to delete when they become unprotected at restart

#:21 [opware32.exe]
    FilePath           : C:\Program Files\ScanSoft\OmniPageSE\
    ProcessID          : 1000
    ThreadCreationTime : 4/18/2005 9:57:20 AM
    BasePriority       : Normal
    FileVersion        : 11.0
    ProductVersion     : 11.0
    ProductName        : OmniPage SE
    CompanyName        : ScanSoft, Inc
    FileDescription    : OCR Aware (32-bit)
    InternalName       : Opware32.exe
    LegalCopyright     : Copyright © 1995-2000 ScanSoft, Inc
    OriginalFilename   : Opware32.exe

#:22 [qttask.exe]
    FilePath           : C:\Program Files\QuickTime\
    ProcessID          : 1044
    ThreadCreationTime : 4/18/2005 9:57:20 AM
    BasePriority       : Normal
    FileVersion        : 6.5
    ProductVersion     : QuickTime 6.5
    ProductName        : QuickTime
    CompanyName        : Apple Computer, Inc.
    InternalName       : QuickTime Task
    LegalCopyright     : © Apple Computer, Inc. 2001-2004
    OriginalFilename   : QTTask.exe

#:23 [directcd.exe]
    FilePath           : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
    ProcessID          : 1076
    ThreadCreationTime : 4/18/2005 9:57:21 AM
    BasePriority       : Normal
    FileVersion        : 5.3.4.21
    ProductVersion     : 5.3.4.21
    ProductName        : DirectCD
    CompanyName        : Roxio
    FileDescription    : DirectCD Application
    InternalName       : DirectCD
    LegalCopyright     : Copyright © 2001,2002, Roxio, Inc.
    OriginalFilename   : Directcd.exe

#:24 [rundll32.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1124
    ThreadCreationTime : 4/18/2005 9:57:21 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Run a DLL as an App
    InternalName       : rundll
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : RUNDLL.EXE

#:25 [msmsgs.exe]
    FilePath           : C:\Program Files\Messenger\
    ProcessID          : 1220
    ThreadCreationTime : 4/18/2005 9:57:21 AM
    BasePriority       : Normal
    FileVersion        : 4.7.0041
    ProductVersion     : Version 4.7
    ProductName        : Messenger
    CompanyName        : Microsoft Corporation
    FileDescription    : Messenger
    InternalName       : msmsgs
    LegalCopyright     : Copyright © Microsoft Corporation 1997-2001
    LegalTrademarks    : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    OriginalFilename   : msmsgs.exe

#:26 [proxy.exe]
    FilePath           : C:\Program Files\GhostSurf 2005\
    ProcessID          : 796
    ThreadCreationTime : 4/18/2005 9:57:21 AM
    BasePriority       : Normal
    FileVersion        : 0.10
    ProductVersion     : 3.00
    ProductName        : GhostSurf
    CompanyName        : Tenebril Incorporated
    FileDescription    : GhostSurf proxy
    InternalName       : VehicleApp
    LegalCopyright     : Copyright © 2001 - 2004 Tenebril Inc
    OriginalFilename   : VehicleApp.exe
    Comments           : GhostSurf proxy

#:27 [scheduler daemon.exe]
    FilePath           : C:\Program Files\GhostSurf 2005\
    ProcessID          : 1316
    ThreadCreationTime : 4/18/2005 9:57:21 AM
    BasePriority       : Normal
    FileVersion        : 0.10
    ProductVersion     : 3.00
    ProductName        : GhostSurf
    CompanyName        : Tenebril Incorporated
    FileDescription    : Scheduler daemon
    InternalName       : VehicleApp
    LegalCopyright     : Copyright © 2001 - 2004 Tenebril Inc
    OriginalFilename   : VehicleApp.exe
    Comments           : Scheduler daemon

#:28 [hpgs2wnf.exe]
    FilePath           : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
    ProcessID          : 1464
    ThreadCreationTime : 4/18/2005 9:57:21 AM
    BasePriority       : Normal
    FileVersion        : 2, 6, 0, 161
    ProductVersion     : 2, 6, 0, 161
    ProductName        : hpgs2wnf Module
    FileDescription    : hpgs2wnf Module
    InternalName       : hpgs2wnf
    LegalCopyright     : Copyright 2001
    OriginalFilename   : hpgs2wnf.EXE

#:29 [mpbtn.exe]
    FilePath           : C:\Program Files\SBC Self Support Tool\bin\
    ProcessID          : 1616
    ThreadCreationTime : 4/18/2005 9:57:22 AM
    BasePriority       : Normal


#:30 [ymsgr_tray.exe]
    FilePath           : C:\PROGRA~1\Yahoo!\MESSEN~1\
    ProcessID          : 1144
    ThreadCreationTime : 4/18/2005 9:57:23 AM
    BasePriority       : Normal


#:31 [ccproxy.exe]
    FilePath           : C:\Program Files\Common Files\Symantec Shared\
    ProcessID          : 2812
    ThreadCreationTime : 4/18/2005 9:57:38 AM
    BasePriority       : Normal
    FileVersion        : 2.1.6.3
    ProductVersion     : 2.1.6.3
    ProductName        : Common Client
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client Network Proxy Service
    InternalName       : ccProxy
    LegalCopyright     : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    OriginalFilename   : ccProxy.exe

#:32 [nvsvc32.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 2848
    ThreadCreationTime : 4/18/2005 9:57:38 AM
    BasePriority       : Normal
    FileVersion        : 6.14.10.5216
    ProductVersion     : 6.14.10.5216
    ProductName        : NVIDIA Driver Helper Service, Version 52.16
    CompanyName        : NVIDIA Corporation
    FileDescription    : NVIDIA Driver Helper Service, Version 52.16
    InternalName       : NVSVC
    LegalCopyright     : © NVIDIA Corporation. All rights reserved.
    OriginalFilename   : nvsvc32.exe

#:33 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 3064
    ThreadCreationTime : 4/18/2005 9:57:41 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:34 [symlcsvc.exe]
    FilePath           : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
    ProcessID          : 3084
    ThreadCreationTime : 4/18/2005 9:57:41 AM
    BasePriority       : Normal
    FileVersion        : 1, 8, 48, 77
    ProductVersion     : 1, 8, 48, 77
    ProductName        : Symantec Core Component
    CompanyName        : Symantec Corporation
    FileDescription    : Symantec Core Component
    InternalName       : symlcsvc
    LegalCopyright     : Copyright © 2003
    OriginalFilename   : symlcsvc.exe

#:35 [hphipm11.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 3412
    ThreadCreationTime : 4/18/2005 9:57:52 AM
    BasePriority       : Normal
    FileVersion        : 4, 5, 0, 770
    ProductVersion     : 4, 5, 0, 770
    ProductName        : HP PML
    CompanyName        : HP
    FileDescription    : PML Driver
    InternalName       : PmlDrv
    LegalCopyright     : Copyright © 1998, 1999 Hewlett-Packard Company
    OriginalFilename   : PmlDrv.exe

#:36 [ybrowser.exe]
    FilePath           : C:\Program Files\Yahoo!\browser\
    ProcessID          : 2408
    ThreadCreationTime : 4/18/2005 9:58:47 AM
    BasePriority       : Normal
    FileVersion        : 2002, 9, 13, 2
    ProductVersion     : 1, 0, 5, 1
    ProductName        : Yahoo! Browser
    CompanyName        : Yahoo!, Inc.
    FileDescription    : Yahoo! Browser
    InternalName       : YBrowser
    LegalCopyright     : Copyright © 2002 Yahoo! Inc.
    OriginalFilename   : YBrowser.EXE

#:37 [ad-aware.exe]
    FilePath           : C:\PROGRA~1\Lavasoft\AD-AWA~1\
    ProcessID          : 3808
    ThreadCreationTime : 4/18/2005 10:04:23 AM
    BasePriority       : Normal
    FileVersion        : 6.2.0.206
    ProductVersion     : VI.Second Edition
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName       : Ad-Aware.exe
    LegalCopyright     : Copyright © Lavasoft Sweden
    OriginalFilename   : Ad-Aware.exe
    Comments           : All Rights Reserved

#:38 [hh.exe]
    FilePath           : C:\WINDOWS\
    ProcessID          : 3020
    ThreadCreationTime : 4/18/2005 10:04:23 AM
    BasePriority       : Normal
    FileVersion        : 5.2.3644.0
    ProductVersion     : 5.2.3644.0
    ProductName        : HTML Help
    CompanyName        : Microsoft Corporation
    FileDescription    : Microsoft® HTML Help Executable
    InternalName       : HH 1.4
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : HH.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Alexa Object Recognized!
    Type               : Regkey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

 Alexa Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value              : MenuText

 Alexa Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value              : MenuStatusBar

 Alexa Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value              : Script

 Alexa Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value              : clsid

 Alexa Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value              : Icon

 Alexa Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value              : HotIcon

 Alexa Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value              : ButtonText

 AltnetBDE Object Recognized!
    Type               : Regkey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\appid\{8b0fef15-54dc-49f5-8377-8172de975f75}

 AltnetBDE Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\appid\{8b0fef15-54dc-49f5-8377-8172de975f75}
    Value              :

 AltnetBDE Object Recognized!
    Type               : Regkey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\adm.adm.1

 AltnetBDE Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\adm.adm.1
    Value              :

 AltnetBDE Object Recognized!
    Type               : Regkey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\adm.adm

 AltnetBDE Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\adm.adm
    Value              :

 AltnetBDE Object Recognized!
    Type               : Regkey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\typelib\{5830698f-7fc0-40cd-a453-9a0cafdf3a64}

 AltnetBDE Object Recognized!
    Type               : Regkey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\appid\adm.exe

 AltnetBDE Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\appid\adm.exe
    Value              : AppID

 AltnetBDE Object Recognized!
    Type               : Regkey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}

 AltnetBDE Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}
    Value              :

 AltnetBDE Object Recognized!
    Type               : Regkey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\appid\altnet signing module.exe

 AltnetBDE Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\appid\altnet signing module.exe
    Value              : AppID

 AltnetBDE Object Recognized!
    Type               : Regkey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\windows\currentversion\uninstall\altnetdm

 AltnetBDE Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\windows\currentversion\uninstall\altnetdm
    Value              : DisplayName

 AltnetBDE Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\windows\currentversion\uninstall\altnetdm
    Value              : UnInstallString

 Alexa Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
    Rootkey            : HKEY_USERS
    Object             : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
    Value              : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

 Alexa Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
    Rootkey            : HKEY_USERS
    Object             : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
    Value              : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

 Alexa Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-861567501-746137067-725345543-1004\software\microsoft\internet explorer\extensions\cmdmapping
    Value              : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 27
Objects found so far: 27


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : srpcsrv32.dll
    Category           : Malware
    Comment            :
    Object             : C:\!Submit\



 AltnetBDE Object Recognized!
    Type               : File
    Data               : ppq2F.tmp
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\
    FileVersion        : 1, 0, 0, 17
    ProductVersion     : 1, 0, 0, 0
    ProductName        : Altnet Uninstaller
    CompanyName        : Altnet, Inc.
    FileDescription    : Uninstaller
    InternalName       : AltnetUninstall.exe
    LegalCopyright     : Copyright © 2003,2004
    OriginalFilename   : AltnetUninstall.exe


 AltnetBDE Object Recognized!
    Type               : File
    Data               : ppq30.tmp
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\
    FileVersion        : 1, 0, 0, 55
    ProductVersion     : 1, 0, 0, 0
    ProductName        : Altnet Sharing Manager
    FileDescription    : Altnet Sharing Manager
    InternalName       : ASM
    LegalCopyright     : Copyright 2003
    OriginalFilename   : ASM.EXE


 AltnetBDE Object Recognized!
    Type               : File
    Data               : ppq31.tmp
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\
    FileVersion        : 1, 0, 0, 2
    ProductVersion     : 1, 0, 0, 0
    ProductName        : BDE asmend
    CompanyName        : BDE
    FileDescription    : asmend
    InternalName       : KillASM
    LegalCopyright     : Copyright © 2003
    OriginalFilename   : asmend


 AltnetBDE Object Recognized!
    Type               : File
    Data               : ppq32.tmp
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\
    FileVersion        : 1, 0, 0, 5
    ProductVersion     : 1, 0, 0, 0
    InternalName       : ASMPS
    LegalCopyright     : Copyright 2003
    OriginalFilename   : ASMPS.DLL


 AltnetBDE Object Recognized!
    Type               : File
    Data               : ppq33.tmp
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\
    FileVersion        : 1, 0, 0, 114
    ProductVersion     : 1, 0, 0, 0
    ProductName        : Peer Points Manager
    FileDescription    : Peer Points Manager
    InternalName       : Peer Points Manager
    LegalCopyright     : Copyright Altnet Inc. © 2002,2003


 AltnetBDE Object Recognized!
    Type               : File
    Data               : adm4005.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp\
    FileVersion        : 4, 0, 0, 5
    ProductVersion     : 4, 0, 0, 0
    ProductName        : ADM
    CompanyName        : Altnet
    FileDescription    : ADM
    InternalName       : ADM
    LegalCopyright     : Copyright © 2003, 2004 Altnet
    OriginalFilename   : ADM.exe


 AltnetBDE Object Recognized!
    Type               : File
    Data               : asm.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp\
    FileVersion        : 1, 0, 0, 55
    ProductVersion     : 1, 0, 0, 0
    ProductName        : Altnet Sharing Manager
    FileDescription    : Altnet Sharing Manager
    InternalName       : ASM
    LegalCopyright     : Copyright 2003
    OriginalFilename   : ASM.EXE


 AltnetBDE Object Recognized!
    Type               : File
    Data               : asmps.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp\
    FileVersion        : 1, 0, 0, 5
    ProductVersion     : 1, 0, 0, 0
    InternalName       : ASMPS
    LegalCopyright     : Copyright 2003
    OriginalFilename   : ASMPS.DLL


 AltnetBDE Object Recognized!
    Type               : File
    Data               : dminstall7.cab
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp\



 AltnetBDE Object Recognized!
    Type               : File
    Data               : Points Manager.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\
    FileVersion        : 1, 0, 0, 114
    ProductVersion     : 1, 0, 0, 0
    ProductName        : Peer Points Manager
    FileDescription    : Peer Points Manager
    InternalName       : Peer Points Manager
    LegalCopyright     : Copyright Altnet Inc. © 2002,2003


 AltnetBDE Object Recognized!
    Type               : File
    Data               : settings.cab
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\



 AltnetBDE Object Recognized!
    Type               : File
    Data               : setup.cab
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\



 AltnetBDE Object Recognized!
    Type               : File
    Data               : sysdetect.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp\
    FileVersion        : 1, 0, 0, 7
    ProductVersion     : 1, 0, 0, 7
    ProductName        : Brilliant bdedetect
    CompanyName        : Brilliant
    FileDescription    : bdedetect
    InternalName       : bdedetect
    LegalCopyright     : Copyright © 2000
    OriginalFilename   : bdedetect.dll


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003833.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
    FileVersion        : 1, 2, 4, 3
    ProductVersion     : 1, 0, 0, 0
    ProductName        : ADM
    CompanyName        : Altnet
    FileDescription    : ADM
    InternalName       : ADM
    LegalCopyright     : Copyright 2002
    OriginalFilename   : ADM25.dll


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003834.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
    FileVersion        : 4, 0, 0, 6
    ProductVersion     : 4, 0, 0, 0
    ProductName        : ADM
    CompanyName        : Altnet
    FileDescription    : ADM
    InternalName       : ADM
    LegalCopyright     : Copyright © 2003 Altnet
    OriginalFilename   : ADM4.dll


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003835.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
    FileVersion        : 1, 0, 1, 10
    ProductVersion     : 1, 0, 0, 0
    ProductName        : ADMData
    CompanyName        : Altnet
    FileDescription    : ADMData
    InternalName       : ADMData
    LegalCopyright     : Copyright 1999
    OriginalFilename   : ADMData.dll


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003836.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
    FileVersion        : 3, 0, 39, 2
    ProductVersion     : 3, 0, 0, 0
    ProductName        : ADMDloader
    CompanyName        : Altnet
    FileDescription    : BDEDownloader
    InternalName       : ADMDloader
    LegalCopyright     : Copyright © 2001 Altnet
    OriginalFilename   : ADMDloader.dll


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003837.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
    FileVersion        : 1, 0, 0, 8
    ProductVersion     : 1, 0, 0, 0
    ProductName        : ADMFdi
    CompanyName        : Altnet
    FileDescription    : ADMFdi
    InternalName       : ADMFdi
    LegalCopyright     : Copyright © 2000
    OriginalFilename   : ADMFdi


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003838.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
    FileVersion        : 4, 0, 0, 4
    ProductVersion     : 4, 0, 0, 0
    ProductName        : ADMProg
    CompanyName        : Altnet
    InternalName       : ADMProg
    LegalCopyright     : Copyright © 2003 Altnet
    OriginalFilename   : ADMProg.dll


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003839.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
    FileVersion        : 1, 0, 0, 17
    ProductVersion     : 1, 0, 0, 0
    ProductName        : Altnet Uninstaller
    CompanyName        : Altnet, Inc.
    FileDescription    : Uninstaller
    InternalName       : AltnetUninstall.exe
    LegalCopyright     : Copyright © 2003,2004
    OriginalFilename   : AltnetUninstall.exe


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003840.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
    FileVersion        : 1, 0, 0, 2
    ProductVersion     : 1, 0, 0, 0
    ProductName        : BDE asmend
    CompanyName        : BDE
    FileDescription    : asmend
    InternalName       : KillASM
    LegalCopyright     : Copyright © 2003
    OriginalFilename   : asmend


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003841.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
    FileVersion        : 4, 0, 0, 5
    ProductVersion     : 4, 0, 0, 0
    ProductName        : ADM
    CompanyName        : Altnet
    FileDescription    : ADM
    InternalName       : ADM
    LegalCopyright     : Copyright © 2003, 2004 Altnet
    OriginalFilename   : ADM.exe


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003843.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP34\
    FileVersion        : 1, 0, 0, 7
    ProductVersion     : 1, 0, 0, 7
    ProductName        : Brilliant bdedetect
    CompanyName        : Brilliant
    FileDescription    : bdedetect
    InternalName       : bdedetect
    LegalCopyright     : Copyright © 2000
    OriginalFilename   : bdedetect.dll


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003875.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP36\
    FileVersion        : 1, 0, 0, 55
    ProductVersion     : 1, 0, 0, 0
    ProductName        : Altnet Sharing Manager
    FileDescription    : Altnet Sharing Manager
    InternalName       : ASM
    LegalCopyright     : Copyright 2003
    OriginalFilename   : ASM.EXE


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003876.dll
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP36\
    FileVersion        : 1, 0, 0, 5
    ProductVersion     : 1, 0, 0, 0
    InternalName       : ASMPS
    LegalCopyright     : Copyright 2003
    OriginalFilename   : ASMPS.DLL


 AltnetBDE Object Recognized!
    Type               : File
    Data               : A0003877.exe
    Category           : Data Miner
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP36\
    FileVersion        : 1, 0, 0, 114
    ProductVersion     : 1, 0, 0, 0
    ProductName        : Peer Points Manager
    FileDescription    : Peer Points Manager
    InternalName       : Peer Points Manager
    LegalCopyright     : Copyright Altnet Inc. © 2002,2003


 Security iGuard Object Recognized!
    Type               : File
    Data               : A0008441.exe
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP63\
    FileVersion        : 1,0,0,53
    ProductVersion     : 1,0,0,53
    ProductName        : Security iGuard Application
    CompanyName        : Rex-Services
    FileDescription    : Security iGuard
    InternalName       : Security iGuard
    LegalCopyright     : Copyright © 2004 Rex-Services All rights reserved
    OriginalFilename   : Security iGuard.exe


 Security iGuard Object Recognized!
    Type               : File
    Data               : A0008443.exe
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP63\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013662.dll
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP69\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013684.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013686.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013687.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013689.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013690.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013692.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013693.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013695.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013696.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013698.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013699.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013701.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013702.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013704.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013705.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0013707.DLL
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP70\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0016843.exe
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP72\



 Malware.TopAntiSpyware Object Recognized!
    Type               : File
    Data               : A0020924.dll
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{623D0000-F5CC-4257-8829-7086BE41C4CF}\RP74\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 75


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 75



 Possible Browser Hijack attempt Object Recognized!
    Type               : File
    Data               :  GetThis4Free (Adult only).url
    Category           : Misc
    Comment            : Problematic URL discovered: http://getthis4free.com/
    Object             : C:\Documents and Settings\T & A\Favorites\



 Possible Browser Hijack attempt Object Recognized!
    Type               : File
    Data               : GET THIS 4 FREE.url
    Category           : Misc
    Comment            : Problematic URL discovered: http://getthis4free.com/
    Object             : C:\Documents and Settings\T & A\Favorites\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 AltnetBDE Object Recognized!
    Type               : Regkey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\signingmodule.signingmodule.1

 AltnetBDE Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\signingmodule.signingmodule.1
    Value              :

 AltnetBDE Object Recognized!
    Type               : Regkey
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\signingmodule.signingmodule

 AltnetBDE Object Recognized!
    Type               : RegValue
    Data               :
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\classes\signingmodule.signingmodule
    Value              :

 AltnetBDE Object Recognized!
    Type               : Folder
    Category           : Data Miner
    Comment            :
    Object             : C:\DOCUME~1\T&A~1\LOCALS~1\Temp\ADMCache

 Security iGuard Object Recognized!
    Type               : Folder
    Category           : Malware
    Comment            :
    Object             : C:\Documents and Settings\T & A\Application Data\Rex-Services

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 83

3:11:01 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:27.812
Objects scanned:114046
Objects identified:83
Objects ignored:0
New critical objects:83


Here is the stuff you wanted from Hijack, misc tools:

127.0.0.1     localhost

Not sure if you wanted another Hijack log, but here it is in case you do need it:
Logfile of HijackThis v1.99.1
Scan saved at 3:19:34 AM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

Offline guestolo

« Reply #28 on: April 18, 2005, 09:07:51 AM »
Just on my way to work
This value in the registry I believe controls the web content
"NoActiveDesktopChanges"=dword:00000001
Allowing or disallowing web content to be used for background

We can deal with it later

Thanks for the log from Ad-Aware, it appears that you may have just run the scan before posting back

Can I get you to restart your computer and post just a fresh Hijackthis log,
Just a double check to ensure your log is still clean

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline TSD151

« Reply #29 on: April 18, 2005, 12:26:12 PM »
Thanks for the reply, here is my latest Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 10:23:48 AM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline TSD151

« Reply #30 on: April 18, 2005, 05:06:32 PM »
Guestolo,

I am experiencing some new things...I get these grey Windows Messenger windows from time to time that say something like "your system is infected...blah blah blah, click here to download the latest patch."

Also, if I leave my computer on for any length of time, when I return I have about 30 - 40 open dial-up connection windows sitting on my desktop. I'm not sure if any of this is related to the problem you've been helping me with, but it is a pain in the you know what.

I ran spybot just to see what it would produce and it found www.coolwebsearch... I hit fix and rebooted???

Offline guestolo

« Reply #31 on: April 18, 2005, 10:56:18 PM »
Can you do the following please
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Messenger

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Do the same for Alerter

Next:
Download and UNZIP to desktop
fixit.bat
So you now have fixit.reg on your desktop
[attachment=153:attachment]


From my signature below, download and save to desktop CWShredder.exe

With all other windows closed
Double click on fixit.reg and allow to merge to the registry

Next: Open CWShredder and click the FIX button, let it fix whatever it finds

Restart your computer

Back in Windows

Could you
Download this virus checker from eScan
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract

In Mwav
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
Give this scan time to finish, it's very thorough
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and paste it back here in your reply

****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

After posting back the Mwav scan could you also post a fresh Hijackthis log
Also let me know if you can now select the Web tab
« Last Edit: April 19, 2005, 12:09:23 AM by guestolo »

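One way to script the two manual steps from guestolo's replies (stopping and disabling the Messenger and Alerter services from reply #31, and reading the NoActiveDesktopChanges value from reply #28), as an added PowerShell example that is not part of the thread. It assumes PowerShell 3 or later with CIM available and an elevated prompt; the Policies\Explorer key path is assumed from the standard Explorer policy location, since the thread gives only the value name.

```powershell
<#
  Added example, not code from the thread. The grey pop-ups TSD151 describes
  are delivered through the Messenger service, so the first step mirrors the
  services.msc instructions: stop the service and set it to Disabled, and do
  the same for Alerter. The second step reads the NoActiveDesktopChanges
  policy value that the earlier reply says governs web content on the
  desktop. Assumptions: PowerShell 3+, CIM available, run elevated, and the
  policy key path below (standard location; the thread only names the value).
#>

$LegacyServices = @('Messenger', 'Alerter')
$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-ServiceState {
    param([Parameter(Mandatory)][string]$Name)
    # Win32_Service exposes StartMode on every PowerShell version; Get-Service
    # only gained a StartType property in 5.0.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    [pscustomobject]@{ Name = $Name; State = $svc.State; StartMode = $svc.StartMode }
}

function Disable-LegacyService {
    param([Parameter(Mandatory)][string]$Name)
    $before = Get-ServiceState -Name $Name
    if (-not $before) {
        # Messenger and Alerter were dropped after the XP/2003 era; report and move on.
        return [pscustomobject]@{ Name = $Name; Before = 'not present'; After = 'not present' }
    }
    if ($before.State -eq 'Running') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    $after = Get-ServiceState -Name $Name
    [pscustomobject]@{
        Name   = $Name
        Before = "$($before.State) / $($before.StartMode)"
        After  = "$($after.State) / $($after.StartMode)"
    }
}

function Get-ActiveDesktopPolicy {
    # Reports the value in both hives; a value of 1 prevents changes to web
    # content on the desktop, which is the symptom behind the Web tab question.
    foreach ($key in $PolicyKeys) {
        $value = '(not set)'
        $item = Get-ItemProperty -Path $key -Name NoActiveDesktopChanges -ErrorAction SilentlyContinue
        if ($item) { $value = $item.NoActiveDesktopChanges }
        [pscustomobject]@{ Key = $key; NoActiveDesktopChanges = $value }
    }
}

function Remove-ActiveDesktopLock {
    # Removes the value only where it is present, restoring the default
    # (user may change desktop web content). Review the report first.
    foreach ($key in $PolicyKeys) {
        $item = Get-ItemProperty -Path $key -Name NoActiveDesktopChanges -ErrorAction SilentlyContinue
        if ($item) {
            Remove-ItemProperty -Path $key -Name NoActiveDesktopChanges
            "Removed NoActiveDesktopChanges from $key"
        }
    }
}

# Report what changed for the two services, then show the policy value.
$LegacyServices | ForEach-Object { Disable-LegacyService -Name $_ } | Format-Table -AutoSize
Get-ActiveDesktopPolicy | Format-Table -AutoSize

# Uncomment once the reported value has been reviewed and should be cleared:
# Remove-ActiveDesktopLock
```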


Offline TSD151

« Reply #32 on: April 19, 2005, 11:04:53 AM »
I disabled messenger and alerter. I merged Fixit.reg and then ran CWshredder. CW found nothing. I restarted and attempted to download Mwav.exe from the provided link, but this is what appeared:


220-
220-Welcome to microworldsystems.com!
220-
220 microworldsystems.com FTP server (Version wu-2.6.2(11) Fri Nov 30 21:07:48 PST 2001) ready.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
530 Please login with USER and PASS.

I am able to see the web tab in display properties, however, there is nothing listed there.

Here is my latest Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 9:02:46 AM, on 4/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57619B1C-3724-4FDC-AC3A-58CCA81A0114}: NameServer = 206.13.30.12 64.164.99.51
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline guestolo

Dao Search is like herpes
« Reply #33 on: April 19, 2005, 11:24:39 PM »
Can you try this link for eScan's mwav scan and try an alternate free download link
http://www.mwti.net/antivirus/mwav.asp

Also, just for a check, can you do the following I asked previously
Quote
Could you also open Hijackthis>>Open Misc tools section>>Open Host file manager
Click the "Open in Notepad"
Copy and paste back the whole text file that opens

Remember to post back the findings in the lower pane of eScan's mwav log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline TSD151

Dao Search is like herpes
« Reply #34 on: April 20, 2005, 10:54:22 AM »
This is the only thing that was listed when I opened Hijack>>Open Misc. tools>>Open Host file Manager and then clicked Open in Notepad:

127.0.0.1     localhost

I was able to download Mwav and here is what it found:

File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "AltnetBDE Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "AltnetBDE Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\kbdbgent.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nvwrrace.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.

Offline TSD151

Dao Search is like herpes
« Reply #35 on: April 20, 2005, 02:22:33 PM »
Questolo,

I enabled Norton Anti-Virus today and just got a virus alert that says:

High risk
Object Name: c:\!Submit\sys1227.exe
Virus Name: Trojan Horse

I try to click the OK button on the little alert window and it won't go away; every time I click it changes the number, i.e. 1127, 1217 etc.

How do I get rid of that window? It just stays there no matter what other program I bring up.

Offline guestolo

Dao Search is like herpes
« Reply #36 on: April 20, 2005, 06:54:54 PM »
Norton's is flagging the folder that killbox moves the bad files to

I'm not sure what you are posting here
Quote
This is the only thing that listed when I opened Hijack>>Open Misc. tools>>Open Host file Manager and then clicked Open in Notepad:

127.0.0.1 localhost

That's all you see?

Are you sure it doesn't look like the below in code

Code:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

If it looks like the above let me know

Print this out please
You also seem to be infected with Backdoor.Fivsec
Can you also print out the recommendations to modify in the registry recommended by Symantec's
If you're unsure about editing the registry, or not comfortable with it, let me know and we'll try alternate methods
Here's the link to Symantec's

Try the following, disable Norton's autoprotect temporarily if it is still prompting you and getting in the way

Disconnect from the Internet
Run Windows CleanUp!, but don't log off after it's done

Run Pocket KillBox
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\System32\thun32.dll

Select the radio button to Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Do the same for these paths to the file names

C:\WINDOWS\System32\thun.dll
C:\WINDOWS\System32\kbdbgent.dll
C:\WINDOWS\System32\nvwrrace.dll


Allow the computer to Reboot after you have entered the last path to the file name

Back in Windows
Go ahead and delete this folder
c:\!Submit <-this folder

Post back a fresh Hijackthis log afterwards
« Last Edit: April 20, 2005, 09:47:48 PM by guestolo »

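As an added example (not part of the thread, and not code anyone in it ran): the check the post above asks the user to do by eye, done as a script. Windows TCP/IP reads the HOSTS file exactly as the Microsoft sample lays it out: one mapping per line, IP address first, then one or more host names, `#` starting a comment. A stock file resolves only `localhost` to loopback, so every other mapping is either a deliberate blocklist entry or a hijack: a well-known name redirected to an attacker's server, or a security vendor's site pointed at 127.0.0.1 so updates silently fail. Both sample files inside the script are constructed; 192.0.2.10 is a documentation address standing in for an attacker-controlled host.

```python
"""Audit a Windows HOSTS file for hijack-style entries.

Added example, not code from the forum thread. Parses the file the way
Windows TCP/IP does (IP first, then host names, '#' comments) and reports
every mapping that is not the stock 'localhost -> loopback' entry.
The two sample files below are constructed for this example.
"""
import ipaddress

LOOPBACK = {"127.0.0.1", "::1"}
STOCK_NAMES = {"localhost"}

# The stock Windows file: comments plus the single localhost entry.
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
"""

# Constructed hijacked file. 192.0.2.10 is a documentation address
# (RFC 5737) standing in for an attacker-controlled server.
HIJACKED_HOSTS = """\
127.0.0.1       localhost
192.0.2.10      www.google.com  search.yahoo.com   # redirected
127.0.0.1       securityresponse.symantec.com      # blackholed
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs with comments and blank lines removed."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no host name: nothing to resolve
        ip, names = parts[0], parts[1:]
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            continue  # first column is not an IP address; Windows skips it too
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Classify every non-stock mapping.

    redirects:  a name sent to a non-loopback address (classic hijack)
    blackholes: a name other than localhost sent to loopback
    """
    report = {"redirects": [], "blackholes": []}
    for ip, name in parse_hosts(text):
        if ip in LOOPBACK:
            if name not in STOCK_NAMES:
                report["blackholes"].append((ip, name))
        else:
            report["redirects"].append((ip, name))
    return report


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        print(label, audit_hosts(text))
```

On the machine in question the file lives at %SystemRoot%\system32\drivers\etc\hosts; a blackhole hit is not automatically bad (ad-blocking host lists put thousands of names on 127.0.0.1), but a blackholed antivirus or update domain, or any redirect at all, is what the helper is looking for.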

Guest

Dao Search is like herpes
« Reply #37 on: April 21, 2005, 01:23:36 PM »
Questolo,

Sorry I didn't respond yesterday, I was very busy. I wasn't quite sure what you wanted me to do once I got to the Symantec link...you said to print the recommendations, which I did. I didn't know if you wanted me to also carry out the instructions for "Removal". I skipped that until I hear back from you.

As far as the Host file manager in Hijack...that is all I see when I perform the function. I don't see any of the stuff you listed in your last post.

I ran cleanup and then killbox and killed the files you listed. Then I deleted the folder !Submit.

Thought I should mention, when I went into C: to delete !submit, I accidentally went in to the windows folder and noticed three folders that looked weird??:
$hf_mig$
$NtuninstallKB822603$
$uninstallKB842773$

Just thought they looked out of place and I should tell you.

Latest Hijack log:


Logfile of HijackThis v1.99.1
Scan saved at 11:10:39 AM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\T & A\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://isp.member.yahoo.com/regisp/p/dlk/s...updates?.v=1.10
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
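As an added example (not part of the thread, and not HijackThis's own code): a parser that pulls out of a log like the one above the items a helper checks by eye, namely the IE proxy setting (R1 ProxyServer), the DNS servers (O17 NameServer) and the O4 autostarts. It applies one rule of thumb that is my assumption, not anything HijackThis does: an autostart whose executable sits directly in the Windows directory, rather than in System32 or Program Files, is unusual for legitimate software and worth a second look. The log inside the script is constructed; the `qzxvbn.exe` entry is a made-up name used to exercise that rule.

```python
"""Pull the hand-checked items out of a HijackThis log.

Added example, not code from the forum thread or from HijackThis itself.
Each finding line is 'Oxx - payload' or 'Rx - payload'. The 'directly in
the Windows directory' heuristic is an assumption for illustration.
The log below is constructed; qzxvbn.exe is a made-up name.
"""
import re

SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
QUOTED_RE = re.compile(r'"([^"]+)"')
# C:\WINDOWS\something.exe, but not C:\WINDOWS\System32\something.exe
WINDOWS_ROOT_EXE_RE = re.compile(r"[a-z]:\\windows\\[^\\]+\.exe")

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [qzxvbn] C:\WINDOWS\qzxvbn.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 206.13.30.12 64.164.99.51
"""


def parse_hjt(text):
    """Return (section_code, payload) for every HijackThis finding line."""
    out = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def parse_o4(payload):
    r"""Split an O4 payload into location, entry name and executable path.

    Registry form:  HKLM\..\Run: [Name] "C:\path\prog.exe" args
    Folder form:    Global Startup: Name.lnk = C:\path\prog.exe
    """
    location, _, rest = payload.partition(": ")
    name, exe = "", ""
    if rest.startswith("[") and "]" in rest:
        end = rest.index("]")
        name, cmd = rest[1:end], rest[end + 1:].strip()
        q = QUOTED_RE.match(cmd)
        exe = q.group(1) if q else (cmd.split()[0] if cmd else "")
    elif " = " in rest:
        name, _, exe = rest.partition(" = ")
    return {"location": location, "name": name, "exe": exe.strip()}


def in_windows_root(exe):
    r"""True for e.g. C:\WINDOWS\foo.exe, False for anything in a subfolder."""
    return WINDOWS_ROOT_EXE_RE.fullmatch(exe.lower()) is not None


def triage(text):
    """Collect proxy, DNS servers and suspicious autostarts from a log."""
    report = {"proxy": None, "nameservers": [], "windows_root_autostarts": []}
    for code, payload in parse_hjt(text):
        if code == "R1" and ",ProxyServer = " in payload:
            report["proxy"] = payload.split(",ProxyServer = ", 1)[1].strip()
        elif code == "O17" and "NameServer = " in payload:
            report["nameservers"].extend(payload.split("NameServer = ", 1)[1].split())
        elif code == "O4":
            entry = parse_o4(payload)
            if in_windows_root(entry["exe"]):
                report["windows_root_autostarts"].append(
                    (entry["location"], entry["name"], entry["exe"]))
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The proxy and DNS values are reported rather than judged: in the log above, 127.0.0.1:7212 is where GhostSurf's own proxy listens, and whether the O17 addresses belong to the user's ISP is something only the helper can confirm.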

Offline TSD151

Dao Search is like herpes
« Reply #38 on: April 21, 2005, 01:25:17 PM »
Sorry, I guess I wasn't logged in on my last reply.

Offline guestolo

Dao Search is like herpes
« Reply #39 on: April 21, 2005, 11:38:27 PM »
Could you do the following for me please

Download Hoster from This link
Unzip The contents to a folder

Open the folder and open HOSTER and click the
Restore Original Hosts

The files you see now that you normally don't see are hidden files
You can go back and hide hidden files and folders
Those are legit files you are seeing

What concerns me is the cleansing of the registry from Symantec's
Delete the keys or values in the registry; if you're not comfortable with it let me know

Post back a fresh hijackthis log afterwards, by the way, your last log looks good
We just need to do some final cleanup steps
