
Firewall detects spyware and malware error


10 replies to this topic

#1 jerrybeav


  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 07 August 2005 - 02:53 PM

Hello, I hope someone can help.
I have Ad-Aware, Spybot, Norton, etc., but I keep getting a popup from Windows saying malicious programs detected... blah blah... can steal bank numbers. I clean my CPU daily and it won't go away... Can someone please take a look at my log and see if you can see anything that may cause this or shouldn't be there.

Thank you


Frustrated User


#2 jerrybeav

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 07 August 2005 - 02:55 PM

Sorry... Here is my log.
Logfile of HijackThis v1.99.1
Scan saved at 3:22:38 PM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\d3gg32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Documents and Settings\Jeremy\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\onlak.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\onlak.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\onlak.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\onlak.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\onlak.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\onlak.dll/sp.html#14044
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {19533683-E061-D2C2-2857-1C75E67A1A30} - C:\WINDOWS\system32\mscf32.dll
O2 - BHO: Class - {2D803A3C-BE44-E371-10B4-8A9913C5F1C1} - C:\WINDOWS\ipdw32.dll
O2 - BHO: Class - {50D98177-3925-757E-8E92-625565712438} - C:\WINDOWS\d3bm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F8143114-CDD3-F1BE-E167-AB80E5C3C6A3} - C:\WINDOWS\system32\iebj32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [d3yl32.exe] C:\WINDOWS\d3yl32.exe
O4 - HKLM\..\Run: [SpyBlock] "C:\Program Files\Spyblock\Spyblock.exe" -tr
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [d3gg32.exe] C:\WINDOWS\system32\d3gg32.exe
O4 - HKLM\..\RunOnce: [addge32.exe] C:\WINDOWS\system32\addge32.exe
O4 - HKLM\..\RunOnce: [wincg32.exe] C:\WINDOWS\system32\wincg32.exe
O4 - HKLM\..\RunOnce: [appbl.exe] C:\WINDOWS\appbl.exe
O4 - HKLM\..\RunOnce: [addht32.exe] C:\WINDOWS\addht32.exe
O4 - HKLM\..\RunOnce: [iprp.exe] C:\WINDOWS\system32\iprp.exe
O4 - HKLM\..\RunOnce: [crjs32.exe] C:\WINDOWS\crjs32.exe
O4 - HKLM\..\RunOnce: [netwm.exe] C:\WINDOWS\netwm.exe
O4 - HKLM\..\RunOnce: [d3sm.exe] C:\WINDOWS\d3sm.exe
O4 - HKLM\..\RunOnce: [ipxg.exe] C:\WINDOWS\system32\ipxg.exe
O4 - HKLM\..\RunOnce: [iego32.exe] C:\WINDOWS\iego32.exe
O4 - HKLM\..\RunOnce: [ntli32.exe] C:\WINDOWS\system32\ntli32.exe
O4 - HKLM\..\RunOnce: [crsy32.exe] C:\WINDOWS\system32\crsy32.exe
O4 - HKLM\..\RunOnce: [ipcr.exe] C:\WINDOWS\system32\ipcr.exe
O4 - HKLM\..\RunOnce: [addhl32.exe] C:\WINDOWS\addhl32.exe
O4 - HKLM\..\RunOnce: [netsr.exe] C:\WINDOWS\system32\netsr.exe
O4 - HKLM\..\RunOnce: [ntgu32.exe] C:\WINDOWS\system32\ntgu32.exe
O4 - HKLM\..\RunOnce: [msqv32.exe] C:\WINDOWS\msqv32.exe
O4 - HKLM\..\RunOnce: [addpo.exe] C:\WINDOWS\addpo.exe
O4 - HKLM\..\RunOnce: [javaqb.exe] C:\WINDOWS\javaqb.exe
O4 - HKLM\..\RunOnce: [winom.exe] C:\WINDOWS\system32\winom.exe
O4 - HKLM\..\RunOnce: [atlzn32.exe] C:\WINDOWS\system32\atlzn32.exe
O4 - HKLM\..\RunOnce: [ieep.exe] C:\WINDOWS\system32\ieep.exe
O4 - HKLM\..\RunOnce: [sysyy.exe] C:\WINDOWS\sysyy.exe
O4 - HKLM\..\RunOnce: [javalb32.exe] C:\WINDOWS\javalb32.exe
O4 - HKLM\..\RunOnce: [addxg.exe] C:\WINDOWS\system32\addxg.exe
O4 - HKLM\..\RunOnce: [apiph.exe] C:\WINDOWS\apiph.exe
O4 - HKLM\..\RunOnce: [ipby.exe] C:\WINDOWS\system32\ipby.exe
O4 - HKLM\..\RunOnce: [sdkag.exe] C:\WINDOWS\sdkag.exe
O4 - HKLM\..\RunOnce: [d3th.exe] C:\WINDOWS\system32\d3th.exe
O4 - HKLM\..\RunOnce: [netkg32.exe] C:\WINDOWS\system32\netkg32.exe
O4 - HKLM\..\RunOnce: [msyv32.exe] C:\WINDOWS\msyv32.exe
O4 - HKLM\..\RunOnce: [netyd.exe] C:\WINDOWS\system32\netyd.exe
O4 - HKLM\..\RunOnce: [appcp.exe] C:\WINDOWS\appcp.exe
O4 - HKLM\..\RunOnce: [ntse32.exe] C:\WINDOWS\system32\ntse32.exe
O4 - HKLM\..\RunOnce: [crim32.exe] C:\WINDOWS\system32\crim32.exe
O4 - HKLM\..\RunOnce: [sdklq.exe] C:\WINDOWS\sdklq.exe
O4 - HKLM\..\RunOnce: [mfckf32.exe] C:\WINDOWS\mfckf32.exe
O4 - HKLM\..\RunOnce: [ntve32.exe] C:\WINDOWS\system32\ntve32.exe
O4 - HKLM\..\RunOnce: [crtl.exe] C:\WINDOWS\system32\crtl.exe
O4 - HKLM\..\RunOnce: [syspp32.exe] C:\WINDOWS\syspp32.exe
O4 - HKLM\..\RunOnce: [mszq.exe] C:\WINDOWS\system32\mszq.exe
O4 - HKLM\..\RunOnce: [msmn32.exe] C:\WINDOWS\msmn32.exe
O4 - HKLM\..\RunOnce: [mstj32.exe] C:\WINDOWS\system32\mstj32.exe
O4 - HKLM\..\RunOnce: [ipyg32.exe] C:\WINDOWS\system32\ipyg32.exe
O4 - HKLM\..\RunOnce: [iebr32.exe] C:\WINDOWS\system32\iebr32.exe
O4 - HKLM\..\RunOnce: [winfw.exe] C:\WINDOWS\winfw.exe
O4 - HKLM\..\RunOnce: [javaty.exe] C:\WINDOWS\system32\javaty.exe
O4 - HKLM\..\RunOnce: [netxc.exe] C:\WINDOWS\system32\netxc.exe
O4 - HKLM\..\RunOnce: [d3nz32.exe] C:\WINDOWS\d3nz32.exe
O4 - HKLM\..\RunOnce: [sysdh.exe] C:\WINDOWS\sysdh.exe
O4 - HKLM\..\RunOnce: [mfchl32.exe] C:\WINDOWS\mfchl32.exe
O4 - HKLM\..\RunOnce: [addql.exe] C:\WINDOWS\addql.exe
O4 - HKLM\..\RunOnce: [appwi32.exe] C:\WINDOWS\appwi32.exe
O4 - HKLM\..\RunOnce: [addlf32.exe] C:\WINDOWS\system32\addlf32.exe
O4 - HKLM\..\RunOnce: [d3pb32.exe] C:\WINDOWS\d3pb32.exe
O4 - HKLM\..\RunOnce: [appkn32.exe] C:\WINDOWS\system32\appkn32.exe
O4 - HKLM\..\RunOnce: [apipr.exe] C:\WINDOWS\apipr.exe
O4 - HKLM\..\RunOnce: [apisi32.exe] C:\WINDOWS\apisi32.exe
O4 - HKLM\..\RunOnce: [sdkiq.exe] C:\WINDOWS\sdkiq.exe
O4 - HKLM\..\RunOnce: [msmu32.exe] C:\WINDOWS\msmu32.exe
O4 - HKLM\..\RunOnce: [javawu.exe] C:\WINDOWS\javawu.exe
O4 - HKLM\..\RunOnce: [crbr32.exe] C:\WINDOWS\crbr32.exe
O4 - HKLM\..\RunOnce: [javaqg32.exe] C:\WINDOWS\javaqg32.exe
O4 - HKLM\..\RunOnce: [apivk32.exe] C:\WINDOWS\system32\apivk32.exe
O4 - HKLM\..\RunOnce: [crqw32.exe] C:\WINDOWS\system32\crqw32.exe
O4 - HKLM\..\RunOnce: [ieua.exe] C:\WINDOWS\system32\ieua.exe
O4 - HKLM\..\RunOnce: [msda32.exe] C:\WINDOWS\system32\msda32.exe
O4 - HKLM\..\RunOnce: [mfcmh.exe] C:\WINDOWS\system32\mfcmh.exe
O4 - HKLM\..\RunOnce: [sdkcw32.exe] C:\WINDOWS\sdkcw32.exe
O4 - HKLM\..\RunOnce: [mssd.exe] C:\WINDOWS\mssd.exe
O4 - HKLM\..\RunOnce: [addwh32.exe] C:\WINDOWS\system32\addwh32.exe
O4 - HKLM\..\RunOnce: [sysgi.exe] C:\WINDOWS\system32\sysgi.exe
O4 - HKLM\..\RunOnce: [sysle32.exe] C:\WINDOWS\system32\sysle32.exe
O4 - HKLM\..\RunOnce: [sysab32.exe] C:\WINDOWS\sysab32.exe
O4 - HKLM\..\RunOnce: [sdkfy32.exe] C:\WINDOWS\sdkfy32.exe
O4 - HKLM\..\RunOnce: [sysij32.exe] C:\WINDOWS\sysij32.exe
O4 - HKLM\..\RunOnce: [mfcgf.exe] C:\WINDOWS\mfcgf.exe
O4 - HKLM\..\RunOnce: [crhn.exe] C:\WINDOWS\system32\crhn.exe
O4 - HKLM\..\RunOnce: [atlby.exe] C:\WINDOWS\atlby.exe
O4 - HKLM\..\RunOnce: [winrf.exe] C:\WINDOWS\winrf.exe
O4 - HKLM\..\RunOnce: [crby32.exe] C:\WINDOWS\system32\crby32.exe
O4 - HKLM\..\RunOnce: [msur.exe] C:\WINDOWS\msur.exe
O4 - HKLM\..\RunOnce: [addyv.exe] C:\WINDOWS\addyv.exe
O4 - HKLM\..\RunOnce: [mfcjo32.exe] C:\WINDOWS\mfcjo32.exe
O4 - HKLM\..\RunOnce: [ntzw.exe] C:\WINDOWS\ntzw.exe
O4 - HKLM\..\RunOnce: [mfcyj.exe] C:\WINDOWS\system32\mfcyj.exe
O4 - HKLM\..\RunOnce: [ntcn32.exe] C:\WINDOWS\system32\ntcn32.exe
O4 - HKLM\..\RunOnce: [apilw.exe] C:\WINDOWS\system32\apilw.exe
O4 - HKLM\..\RunOnce: [netrk32.exe] C:\WINDOWS\system32\netrk32.exe
O4 - HKLM\..\RunOnce: [netfh32.exe] C:\WINDOWS\netfh32.exe
O4 - HKLM\..\RunOnce: [winkd32.exe] C:\WINDOWS\system32\winkd32.exe
O4 - HKLM\..\RunOnce: [netfp32.exe] C:\WINDOWS\netfp32.exe
O4 - HKLM\..\RunOnce: [sdkkt.exe] C:\WINDOWS\system32\sdkkt.exe
O4 - HKLM\..\RunOnce: [nttc32.exe] C:\WINDOWS\nttc32.exe
O4 - HKLM\..\RunOnce: [sysci.exe] C:\WINDOWS\sysci.exe
O4 - HKLM\..\RunOnce: [apirx32.exe] C:\WINDOWS\system32\apirx32.exe
O4 - HKLM\..\RunOnce: [ntie.exe] C:\WINDOWS\system32\ntie.exe
O4 - HKLM\..\RunOnce: [d3mi32.exe] C:\WINDOWS\d3mi32.exe
O4 - HKLM\..\RunOnce: [javavj.exe] C:\WINDOWS\system32\javavj.exe
O4 - HKLM\..\RunOnce: [crbg32.exe] C:\WINDOWS\crbg32.exe
O4 - HKLM\..\RunOnce: [javapc32.exe] C:\WINDOWS\system32\javapc32.exe
O4 - HKLM\..\RunOnce: [mfcuz32.exe] C:\WINDOWS\system32\mfcuz32.exe
O4 - HKLM\..\RunOnce: [apidf32.exe] C:\WINDOWS\system32\apidf32.exe
O4 - HKLM\..\RunOnce: [syswg.exe] C:\WINDOWS\system32\syswg.exe
O4 - HKLM\..\RunOnce: [netxg.exe] C:\WINDOWS\netxg.exe
O4 - HKLM\..\RunOnce: [iers.exe] C:\WINDOWS\system32\iers.exe
O4 - HKLM\..\RunOnce: [crgh.exe] C:\WINDOWS\system32\crgh.exe
O4 - HKLM\..\RunOnce: [netra32.exe] C:\WINDOWS\netra32.exe
O4 - HKLM\..\RunOnce: [apppn32.exe] C:\WINDOWS\system32\apppn32.exe
O4 - HKLM\..\RunOnce: [mfcjy32.exe] C:\WINDOWS\system32\mfcjy32.exe
O4 - HKLM\..\RunOnce: [ieoc32.exe] C:\WINDOWS\ieoc32.exe
O4 - HKLM\..\RunOnce: [apijo.exe] C:\WINDOWS\system32\apijo.exe
O4 - HKLM\..\RunOnce: [atlro.exe] C:\WINDOWS\atlro.exe
O4 - HKLM\..\RunOnce: [sdkhd32.exe] C:\WINDOWS\system32\sdkhd32.exe
O4 - HKLM\..\RunOnce: [msxl32.exe] C:\WINDOWS\system32\msxl32.exe
O4 - HKLM\..\RunOnce: [javasx.exe] C:\WINDOWS\javasx.exe
O4 - HKLM\..\RunOnce: [apirm32.exe] C:\WINDOWS\apirm32.exe
O4 - HKLM\..\RunOnce: [addpu.exe] C:\WINDOWS\system32\addpu.exe
O4 - HKLM\..\RunOnce: [netum.exe] C:\WINDOWS\system32\netum.exe
O4 - HKLM\..\RunOnce: [syshi.exe] C:\WINDOWS\syshi.exe
O4 - HKLM\..\RunOnce: [ipbu.exe] C:\WINDOWS\system32\ipbu.exe
O4 - HKLM\..\RunOnce: [mfcrj.exe] C:\WINDOWS\system32\mfcrj.exe
O4 - HKLM\..\RunOnce: [sysbc32.exe] C:\WINDOWS\sysbc32.exe
O4 - HKLM\..\RunOnce: [addnn.exe] C:\WINDOWS\addnn.exe
O4 - HKLM\..\RunOnce: [apirr32.exe] C:\WINDOWS\system32\apirr32.exe
O4 - HKLM\..\RunOnce: [appar.exe] C:\WINDOWS\appar.exe
O4 - HKLM\..\RunOnce: [atlgo32.exe] C:\WINDOWS\system32\atlgo32.exe
O4 - HKLM\..\RunOnce: [javapu.exe] C:\WINDOWS\javapu.exe
O4 - HKLM\..\RunOnce: [winmj32.exe] C:\WINDOWS\system32\winmj32.exe
O4 - HKLM\..\RunOnce: [atldz.exe] C:\WINDOWS\atldz.exe
O4 - HKLM\..\RunOnce: [nthv32.exe] C:\WINDOWS\nthv32.exe
O4 - HKLM\..\RunOnce: [apiqd.exe] C:\WINDOWS\apiqd.exe
O4 - HKLM\..\RunOnce: [netws32.exe] C:\WINDOWS\netws32.exe
O4 - HKLM\..\RunOnce: [apikp32.exe] C:\WINDOWS\system32\apikp32.exe
O4 - HKLM\..\RunOnce: [winpt32.exe] C:\WINDOWS\winpt32.exe
O4 - HKLM\..\RunOnce: [iefo32.exe] C:\WINDOWS\iefo32.exe
O4 - HKLM\..\RunOnce: [adddv.exe] C:\WINDOWS\adddv.exe
O4 - HKLM\..\RunOnce: [apizz32.exe] C:\WINDOWS\apizz32.exe
O4 - HKLM\..\RunOnce: [atlja.exe] C:\WINDOWS\atlja.exe
O4 - HKLM\..\RunOnce: [mfcwx32.exe] C:\WINDOWS\mfcwx32.exe
O4 - HKLM\..\RunOnce: [atldm32.exe] C:\WINDOWS\system32\atldm32.exe
O4 - HKLM\..\RunOnce: [msiq32.exe] C:\WINDOWS\msiq32.exe
O4 - HKLM\..\RunOnce: [mfclc32.exe] C:\WINDOWS\system32\mfclc32.exe
O4 - HKLM\..\RunOnce: [iekp32.exe] C:\WINDOWS\system32\iekp32.exe
O4 - HKLM\..\RunOnce: [ntei32.exe] C:\WINDOWS\ntei32.exe
O4 - HKLM\..\RunOnce: [sdkdq.exe] C:\WINDOWS\sdkdq.exe
O4 - HKLM\..\RunOnce: [ntmz.exe] C:\WINDOWS\system32\ntmz.exe
O4 - HKLM\..\RunOnce: [msco32.exe] C:\WINDOWS\msco32.exe
O4 - HKLM\..\RunOnce: [addsv.exe] C:\WINDOWS\addsv.exe
O4 - HKLM\..\RunOnce: [apiwz32.exe] C:\WINDOWS\system32\apiwz32.exe
O4 - HKLM\..\RunOnce: [atlfa.exe] C:\WINDOWS\atlfa.exe
O4 - HKLM\..\RunOnce: [crgg32.exe] C:\WINDOWS\system32\crgg32.exe
O4 - HKLM\..\RunOnce: [sysev.exe] C:\WINDOWS\system32\sysev.exe
O4 - HKLM\..\RunOnce: [sdkra32.exe] C:\WINDOWS\sdkra32.exe
O4 - HKLM\..\RunOnce: [javadl32.exe] C:\WINDOWS\system32\javadl32.exe
O4 - HKLM\..\RunOnce: [mfcip32.exe] C:\WINDOWS\system32\mfcip32.exe
O4 - HKLM\..\RunOnce: [crlb.exe] C:\WINDOWS\system32\crlb.exe
O4 - HKLM\..\RunOnce: [iphf32.exe] C:\WINDOWS\iphf32.exe
O4 - HKLM\..\RunOnce: [atlfu.exe] C:\WINDOWS\system32\atlfu.exe
O4 - HKLM\..\RunOnce: [ieek32.exe] C:\WINDOWS\system32\ieek32.exe
O4 - HKLM\..\RunOnce: [javauz32.exe] C:\WINDOWS\javauz32.exe
O4 - HKLM\..\RunOnce: [ntyb.exe] C:\WINDOWS\system32\ntyb.exe
O4 - HKLM\..\RunOnce: [d3cf32.exe] C:\WINDOWS\system32\d3cf32.exe
O4 - HKLM\..\RunOnce: [sdklg.exe] C:\WINDOWS\system32\sdklg.exe
O4 - HKLM\..\RunOnce: [javarc32.exe] C:\WINDOWS\system32\javarc32.exe
O4 - HKLM\..\RunOnce: [javafz32.exe] C:\WINDOWS\javafz32.exe
O4 - HKLM\..\RunOnce: [mfckv32.exe] C:\WINDOWS\system32\mfckv32.exe
O4 - HKLM\..\RunOnce: [javafh32.exe] C:\WINDOWS\javafh32.exe
O4 - HKLM\..\RunOnce: [mskl.exe] C:\WINDOWS\system32\mskl.exe
O4 - HKLM\..\RunOnce: [d3tm32.exe] C:\WINDOWS\d3tm32.exe
O4 - HKLM\..\RunOnce: [atlcs.exe] C:\WINDOWS\atlcs.exe
O4 - HKLM\..\RunOnce: [sdkrp32.exe] C:\WINDOWS\system32\sdkrp32.exe
O4 - HKLM\..\RunOnce: [d3hw.exe] C:\WINDOWS\d3hw.exe
O4 - HKLM\..\RunOnce: [winls32.exe] C:\WINDOWS\winls32.exe
O4 - HKLM\..\RunOnce: [ievb.exe] C:\WINDOWS\system32\ievb.exe
O4 - HKLM\..\RunOnce: [sysbq32.exe] C:\WINDOWS\system32\sysbq32.exe
O4 - HKLM\..\RunOnce: [iepm32.exe] C:\WINDOWS\system32\iepm32.exe
O4 - HKLM\..\RunOnce: [ntur32.exe] C:\WINDOWS\system32\ntur32.exe
O4 - HKLM\..\RunOnce: [sdkcx32.exe] C:\WINDOWS\system32\sdkcx32.exe
O4 - HKLM\..\RunOnce: [atloq.exe] C:\WINDOWS\atloq.exe
O4 - HKLM\..\RunOnce: [d3bu32.exe] C:\WINDOWS\d3bu32.exe
O4 - HKLM\..\RunOnce: [ienf32.exe] C:\WINDOWS\ienf32.exe
O4 - HKLM\..\RunOnce: [ntrc32.exe] C:\WINDOWS\system32\ntrc32.exe
O4 - HKLM\..\RunOnce: [sysuv.exe] C:\WINDOWS\sysuv.exe
O4 - HKLM\..\RunOnce: [cryz.exe] C:\WINDOWS\system32\cryz.exe
O4 - HKLM\..\RunOnce: [addop32.exe] C:\WINDOWS\addop32.exe
O4 - HKLM\..\RunOnce: [mfcew.exe] C:\WINDOWS\system32\mfcew.exe
O4 - HKLM\..\RunOnce: [windj.exe] C:\WINDOWS\windj.exe
O4 - HKLM\..\RunOnce: [apihn.exe] C:\WINDOWS\apihn.exe
O4 - HKLM\..\RunOnce: [ntro32.exe] C:\WINDOWS\ntro32.exe
O4 - HKLM\..\RunOnce: [winla32.exe] C:\WINDOWS\winla32.exe
O4 - HKLM\..\RunOnce: [msva.exe] C:\WINDOWS\msva.exe
O4 - HKLM\..\RunOnce: [ieax32.exe] C:\WINDOWS\ieax32.exe
O4 - HKLM\..\RunOnce: [mspu32.exe] C:\WINDOWS\system32\mspu32.exe
O4 - HKLM\..\RunOnce: [winpz.exe] C:\WINDOWS\winpz.exe
O4 - HKLM\..\RunOnce: [mseo.exe] C:\WINDOWS\system32\mseo.exe
O4 - HKLM\..\RunOnce: [ntoh32.exe] C:\WINDOWS\system32\ntoh32.exe
O4 - HKLM\..\RunOnce: [javais.exe] C:\WINDOWS\javais.exe
O4 - HKLM\..\RunOnce: [iemw.exe] C:\WINDOWS\iemw.exe
O4 - HKLM\..\RunOnce: [addwx32.exe] C:\WINDOWS\addwx32.exe
O4 - HKLM\..\RunOnce: [apimf.exe] C:\WINDOWS\apimf.exe
O4 - HKLM\..\RunOnce: [sdkqj32.exe] C:\WINDOWS\sdkqj32.exe
O4 - HKLM\..\RunOnce: [netaj.exe] C:\WINDOWS\netaj.exe
O4 - HKLM\..\RunOnce: [sysap.exe] C:\WINDOWS\system32\sysap.exe
O4 - HKLM\..\RunOnce: [javazf32.exe] C:\WINDOWS\system32\javazf32.exe
O4 - HKLM\..\RunOnce: [apiyu.exe] C:\WINDOWS\apiyu.exe
O4 - HKLM\..\RunOnce: [winxc32.exe] C:\WINDOWS\winxc32.exe
O4 - HKLM\..\RunOnce: [d3vs32.exe] C:\WINDOWS\system32\d3vs32.exe
O4 - HKLM\..\RunOnce: [msvi.exe] C:\WINDOWS\system32\msvi.exe
O4 - HKLM\..\RunOnce: [crvi.exe] C:\WINDOWS\system32\crvi.exe
O4 - HKLM\..\RunOnce: [addtx32.exe] C:\WINDOWS\system32\addtx32.exe
O4 - HKLM\..\RunOnce: [netdv.exe] C:\WINDOWS\system32\netdv.exe
O4 - HKLM\..\RunOnce: [atlhz.exe] C:\WINDOWS\system32\atlhz.exe
O4 - HKLM\..\RunOnce: [ntwx32.exe] C:\WINDOWS\ntwx32.exe
O4 - HKLM\..\RunOnce: [d3me32.exe] C:\WINDOWS\d3me32.exe
O4 - HKLM\..\RunOnce: [javahi.exe] C:\WINDOWS\javahi.exe
O4 - HKLM\..\RunOnce: [mfcgx32.exe] C:\WINDOWS\mfcgx32.exe
O4 - HKLM\..\RunOnce: [winfn32.exe] C:\WINDOWS\system32\winfn32.exe
O4 - HKLM\..\RunOnce: [addfv.exe] C:\WINDOWS\system32\addfv.exe
O4 - HKLM\..\RunOnce: [ntif.exe] C:\WINDOWS\ntif.exe
O4 - HKLM\..\RunOnce: [apphu32.exe] C:\WINDOWS\apphu32.exe
O4 - HKLM\..\RunOnce: [iefk32.exe] C:\WINDOWS\system32\iefk32.exe
O4 - HKLM\..\RunOnce: [sysfs32.exe] C:\WINDOWS\system32\sysfs32.exe
O4 - HKLM\..\RunOnce: [mfcps32.exe] C:\WINDOWS\mfcps32.exe
O4 - HKLM\..\RunOnce: [d3pa.exe] C:\WINDOWS\system32\d3pa.exe
O4 - HKLM\..\RunOnce: [sdkte.exe] C:\WINDOWS\sdkte.exe
O4 - HKLM\..\RunOnce: [winck32.exe] C:\WINDOWS\winck32.exe
O4 - HKLM\..\RunOnce: [d3sa.exe] C:\WINDOWS\system32\d3sa.exe
O4 - HKLM\..\RunOnce: [iprq32.exe] C:\WINDOWS\system32\iprq32.exe
O4 - HKLM\..\RunOnce: [atlpf32.exe] C:\WINDOWS\atlpf32.exe
O4 - HKLM\..\RunOnce: [atlpn.exe] C:\WINDOWS\atlpn.exe
O4 - HKLM\..\RunOnce: [appyn.exe] C:\WINDOWS\appyn.exe
O4 - HKLM\..\RunOnce: [ntnc32.exe] C:\WINDOWS\system32\ntnc32.exe
O4 - HKLM\..\RunOnce: [crdk32.exe] C:\WINDOWS\crdk32.exe
O4 - HKLM\..\RunOnce: [addbf32.exe] C:\WINDOWS\system32\addbf32.exe
O4 - HKLM\..\RunOnce: [appnq.exe] C:\WINDOWS\system32\appnq.exe
O4 - HKLM\..\RunOnce: [ipqu.exe] C:\WINDOWS\ipqu.exe
O4 - HKLM\..\RunOnce: [javabv32.exe] C:\WINDOWS\system32\javabv32.exe
O4 - HKLM\..\RunOnce: [iezc.exe] C:\WINDOWS\iezc.exe
O4 - HKLM\..\RunOnce: [appvg32.exe] C:\WINDOWS\appvg32.exe
O4 - HKLM\..\RunOnce: [sysfh.exe] C:\WINDOWS\sysfh.exe
O4 - HKLM\..\RunOnce: [ntnn.exe] C:\WINDOWS\system32\ntnn.exe
O4 - HKLM\..\RunOnce: [appmd32.exe] C:\WINDOWS\appmd32.exe
O4 - HKLM\..\RunOnce: [iecs.exe] C:\WINDOWS\system32\iecs.exe
O4 - HKLM\..\RunOnce: [crgw32.exe] C:\WINDOWS\system32\crgw32.exe
O4 - HKLM\..\RunOnce: [ipel.exe] C:\WINDOWS\ipel.exe
O4 - HKLM\..\RunOnce: [adddb32.exe] C:\WINDOWS\adddb32.exe
O4 - HKLM\..\RunOnce: [msur32.exe] C:\WINDOWS\system32\msur32.exe
O4 - HKLM\..\RunOnce: [iebz.exe] C:\WINDOWS\iebz.exe
O4 - HKLM\..\RunOnce: [ipib.exe] C:\WINDOWS\ipib.exe
O4 - HKLM\..\RunOnce: [mfclf32.exe] C:\WINDOWS\system32\mfclf32.exe
O4 - HKLM\..\RunOnce: [winkv.exe] C:\WINDOWS\winkv.exe
O4 - HKLM\..\RunOnce: [javajk32.exe] C:\WINDOWS\javajk32.exe
O4 - HKLM\..\RunOnce: [netza32.exe] C:\WINDOWS\system32\netza32.exe
O4 - HKLM\..\RunOnce: [appmc32.exe] C:\WINDOWS\system32\appmc32.exe
O4 - HKLM\..\RunOnce: [iecr32.exe] C:\WINDOWS\iecr32.exe
O4 - HKLM\..\RunOnce: [syskz.exe] C:\WINDOWS\syskz.exe
O4 - HKLM\..\RunOnce: [msli.exe] C:\WINDOWS\system32\msli.exe
O4 - HKLM\..\RunOnce: [atlax32.exe] C:\WINDOWS\atlax32.exe
O4 - HKLM\..\RunOnce: [netye32.exe] C:\WINDOWS\netye32.exe
O4 - HKLM\..\RunOnce: [mfcti.exe] C:\WINDOWS\mfcti.exe
O4 - HKLM\..\RunOnce: [appxr32.exe] C:\WINDOWS\system32\appxr32.exe
O4 - HKLM\..\RunOnce: [winsv.exe] C:\WINDOWS\winsv.exe
O4 - HKLM\..\RunOnce: [crrl32.exe] C:\WINDOWS\system32\crrl32.exe
O4 - HKLM\..\RunOnce: [ipha32.exe] C:\WINDOWS\ipha32.exe
O4 - HKLM\..\RunOnce: [apilk.exe] C:\WINDOWS\system32\apilk.exe
O4 - HKLM\..\RunOnce: [sdkpg32.exe] C:\WINDOWS\system32\sdkpg32.exe
O4 - HKLM\..\RunOnce: [netyp.exe] C:\WINDOWS\system32\netyp.exe
O4 - HKLM\..\RunOnce: [iped32.exe] C:\WINDOWS\system32\iped32.exe
O4 - HKLM\..\RunOnce: [addyc.exe] C:\WINDOWS\system32\addyc.exe
O4 - HKLM\..\RunOnce: [sdkso.exe] C:\WINDOWS\sdkso.exe
O4 - HKLM\..\RunOnce: [netiv.exe] C:\WINDOWS\netiv.exe
O4 - HKLM\..\RunOnce: [addso32.exe] C:\WINDOWS\addso32.exe
O4 - HKLM\..\RunOnce: [javagq32.exe] C:\WINDOWS\javagq32.exe
O4 - HKLM\..\RunOnce: [javavn32.exe] C:\WINDOWS\system32\javavn32.exe
O4 - HKLM\..\RunOnce: [mfcaj32.exe] C:\WINDOWS\system32\mfcaj32.exe
O4 - HKLM\..\RunOnce: [apiax.exe] C:\WINDOWS\system32\apiax.exe
O4 - HKLM\..\RunOnce: [apiuj32.exe] C:\WINDOWS\apiuj32.exe
O4 - HKLM\..\RunOnce: [javate.exe] C:\WINDOWS\javate.exe
O4 - HKLM\..\RunOnce: [apimv32.exe] C:\WINDOWS\system32\apimv32.exe
O4 - HKLM\..\RunOnce: [apiar32.exe] C:\WINDOWS\apiar32.exe
O4 - HKLM\..\RunOnce: [javakq.exe] C:\WINDOWS\system32\javakq.exe
O4 - HKLM\..\RunOnce: [msvj.exe] C:\WINDOWS\system32\msvj.exe
O4 - HKLM\..\RunOnce: [ipur32.exe] C:\WINDOWS\system32\ipur32.exe
O4 - HKLM\..\RunOnce: [ntoi32.exe] C:\WINDOWS\system32\ntoi32.exe
O4 - HKLM\..\RunOnce: [ntcw32.exe] C:\WINDOWS\system32\ntcw32.exe
O4 - HKLM\..\RunOnce: [apphb32.exe] C:\WINDOWS\system32\apphb32.exe
O4 - HKLM\..\RunOnce: [atlhh.exe] C:\WINDOWS\system32\atlhh.exe
O4 - HKLM\..\RunOnce: [atlja32.exe] C:\WINDOWS\atlja32.exe
O4 - HKLM\..\RunOnce: [syspk32.exe] C:\WINDOWS\syspk32.exe
O4 - HKLM\..\RunOnce: [mfcyd32.exe] C:\WINDOWS\system32\mfcyd32.exe
O4 - HKLM\..\RunOnce: [d3yl.exe] C:\WINDOWS\d3yl.exe
O4 - HKLM\..\RunOnce: [sdkcp.exe] C:\WINDOWS\system32\sdkcp.exe
O4 - HKLM\..\RunOnce: [sdkxg.exe] C:\WINDOWS\system32\sdkxg.exe
O4 - HKLM\..\RunOnce: [javakd32.exe] C:\WINDOWS\system32\javakd32.exe
O4 - HKLM\..\RunOnce: [sdkza32.exe] C:\WINDOWS\system32\sdkza32.exe
O4 - HKLM\..\RunOnce: [mfcew32.exe] C:\WINDOWS\system32\mfcew32.exe
O4 - HKLM\..\RunOnce: [javazi.exe] C:\WINDOWS\javazi.exe
O4 - HKLM\..\RunOnce: [d3nq.exe] C:\WINDOWS\d3nq.exe
O4 - HKLM\..\RunOnce: [d3hb32.exe] C:\WINDOWS\d3hb32.exe
O4 - HKLM\..\RunOnce: [ieve.exe] C:\WINDOWS\ieve.exe
O4 - HKLM\..\RunOnce: [apiqp.exe] C:\WINDOWS\apiqp.exe
O4 - HKLM\..\RunOnce: [appfe.exe] C:\WINDOWS\system32\appfe.exe
O4 - HKLM\..\RunOnce: [ieqx32.exe] C:\WINDOWS\system32\ieqx32.exe
O4 - HKLM\..\RunOnce: [ipea32.exe] C:\WINDOWS\system32\ipea32.exe
O4 - HKLM\..\RunOnce: [netsp32.exe] C:\WINDOWS\netsp32.exe
O4 - HKLM\..\RunOnce: [addxt32.exe] C:\WINDOWS\addxt32.exe
O4 - HKLM\..\RunOnce: [d3lb.exe] C:\WINDOWS\d3lb.exe
O4 - HKLM\..\RunOnce: [crmj.exe] C:\WINDOWS\crmj.exe
O4 - HKLM\..\RunOnce: [ieua32.exe] C:\WINDOWS\system32\ieua32.exe
O4 - HKLM\..\RunOnce: [sysyq.exe] C:\WINDOWS\sysyq.exe
O4 - HKLM\..\RunOnce: [ntes.exe] C:\WINDOWS\system32\ntes.exe
O4 - HKLM\..\RunOnce: [javaas.exe] C:\WINDOWS\javaas.exe
O4 - HKLM\..\RunOnce: [winzr.exe] C:\WINDOWS\system32\winzr.exe
O4 - HKLM\..\RunOnce: [msbu32.exe] C:\WINDOWS\system32\msbu32.exe
O4 - HKLM\..\RunOnce: [d3fj.exe] C:\WINDOWS\system32\d3fj.exe
O4 - HKLM\..\RunOnce: [apier.exe] C:\WINDOWS\apier.exe
O4 - HKLM\..\RunOnce: [mfcnp.exe] C:\WINDOWS\mfcnp.exe
O4 - HKLM\..\RunOnce: [ntxq32.exe] C:\WINDOWS\ntxq32.exe
O4 - HKLM\..\RunOnce: [crox.exe] C:\WINDOWS\crox.exe
O4 - HKLM\..\RunOnce: [ipml.exe] C:\WINDOWS\system32\ipml.exe
O4 - HKLM\..\RunOnce: [d3qp.exe] C:\WINDOWS\d3qp.exe
O4 - HKLM\..\RunOnce: [sysbi32.exe] C:\WINDOWS\system32\sysbi32.exe
O4 - HKLM\..\RunOnce: [javauy32.exe] C:\WINDOWS\javauy32.exe
O4 - HKLM\..\RunOnce: [javaiv32.exe] C:\WINDOWS\system32\javaiv32.exe
O4 - HKLM\..\RunOnce: [mfcna32.exe] C:\WINDOWS\system32\mfcna32.exe
O4 - HKLM\..\RunOnce: [apinf32.exe] C:\WINDOWS\system32\apinf32.exe
O4 - HKLM\..\RunOnce: [javamb.exe] C:\WINDOWS\system32\javamb.exe
O4 - HKLM\..\RunOnce: [atlla.exe] C:\WINDOWS\system32\atlla.exe
O4 - HKLM\..\RunOnce: [addbq.exe] C:\WINDOWS\system32\addbq.exe
O4 - HKLM\..\RunOnce: [d3li.exe] C:\WINDOWS\d3li.exe
O4 - HKLM\..\RunOnce: [sysyl.exe] C:\WINDOWS\system32\sysyl.exe
O4 - HKLM\..\RunOnce: [atlxg32.exe] C:\WINDOWS\system32\atlxg32.exe
O4 - HKLM\..\RunOnce: [ntbi32.exe] C:\WINDOWS\ntbi32.exe
O4 - HKLM\..\RunOnce: [sysix.exe] C:\WINDOWS\sysix.exe
O4 - HKLM\..\RunOnce: [addhe32.exe] C:\WINDOWS\system32\addhe32.exe
O4 - HKLM\..\RunOnce: [apiga.exe] C:\WINDOWS\system32\apiga.exe
O4 - HKLM\..\RunOnce: [sysfz32.exe] C:\WINDOWS\system32\sysfz32.exe
O4 - HKLM\..\RunOnce: [addzq32.exe] C:\WINDOWS\addzq32.exe
O4 - HKLM\..\RunOnce: [javakk32.exe] C:\WINDOWS\system32\javakk32.exe
O4 - HKLM\..\RunOnce: [addnv32.exe] C:\WINDOWS\system32\addnv32.exe
O4 - HKLM\..\RunOnce: [crmj32.exe] C:\WINDOWS\system32\crmj32.exe
O4 - HKLM\..\RunOnce: [winle.exe] C:\WINDOWS\system32\winle.exe
O4 - HKLM\..\RunOnce: [javake32.exe] C:\WINDOWS\system32\javake32.exe
O4 - HKLM\..\RunOnce: [addrb.exe] C:\WINDOWS\addrb.exe
O4 - HKLM\..\RunOnce: [atlqj.exe] C:\WINDOWS\atlqj.exe
O4 - HKLM\..\RunOnce: [sdkin.exe] C:\WINDOWS\sdkin.exe
O4 - HKLM\..\RunOnce: [ipgg32.exe] C:\WINDOWS\ipgg32.exe
O4 - HKLM\..\RunOnce: [d3qg32.exe] C:\WINDOWS\system32\d3qg32.exe
O4 - HKLM\..\RunOnce: [mfcqo.exe] C:\WINDOWS\mfcqo.exe
O4 - HKLM\..\RunOnce: [addus.exe] C:\WINDOWS\system32\addus.exe
O4 - HKLM\..\RunOnce: [ntdz32.exe] C:\WINDOWS\system32\ntdz32.exe
O4 - HKLM\..\RunOnce: [mfcbo.exe] C:\WINDOWS\mfcbo.exe
O4 - HKLM\..\RunOnce: [appxq.exe] C:\WINDOWS\system32\appxq.exe
O4 - HKLM\..\RunOnce: [netbu32.exe] C:\WINDOWS\system32\netbu32.exe
O4 - HKLM\..\RunOnce: [ieqw32.exe] C:\WINDOWS\system32\ieqw32.exe
O4 - HKLM\..\RunOnce: [d3la32.exe] C:\WINDOWS\d3la32.exe
O4 - HKLM\..\RunOnce: [cros32.exe] C:\WINDOWS\cros32.exe
O4 - HKLM\..\RunOnce: [apprd.exe] C:\WINDOWS\system32\apprd.exe
O4 - HKLM\..\RunOnce: [sdkak32.exe] C:\WINDOWS\system32\sdkak32.exe
O4 - HKLM\..\RunOnce: [d3fo.exe] C:\WINDOWS\d3fo.exe
O4 - HKLM\..\RunOnce: [javaoo32.exe] C:\WINDOWS\system32\javaoo32.exe
O4 - HKLM\..\RunOnce: [mfcin.exe] C:\WINDOWS\system32\mfcin.exe
O4 - HKLM\..\RunOnce: [d3cz.exe] C:\WINDOWS\system32\d3cz.exe
O4 - HKLM\..\RunOnce: [sdkjg.exe] C:\WINDOWS\sdkjg.exe
O4 - HKLM\..\RunOnce: [mfccz32.exe] C:\WINDOWS\mfccz32.exe
O4 - HKLM\..\RunOnce: [netns32.exe] C:\WINDOWS\system32\netns32.exe
O4 - HKLM\..\RunOnce: [winso32.exe] C:\WINDOWS\system32\winso32.exe
O4 - HKLM\..\RunOnce: [ieqj32.exe] C:\WINDOWS\system32\ieqj32.exe
O4 - HKLM\..\RunOnce: [appgr.exe] C:\WINDOWS\system32\appgr.exe
O4 - HKLM\..\RunOnce: [netkv32.exe] C:\WINDOWS\netkv32.exe
O4 - HKLM\..\RunOnce: [iezx32.exe] C:\WINDOWS\iezx32.exe
O4 - HKLM\..\RunOnce: [d3ub.exe] C:\WINDOWS\system32\d3ub.exe
O4 - HKLM\..\RunOnce: [addgt32.exe] C:\WINDOWS\system32\addgt32.exe
O4 - HKLM\..\RunOnce: [mfclx.exe] C:\WINDOWS\mfclx.exe
O4 - HKLM\..\RunOnce: [atlmy.exe] C:\WINDOWS\system32\atlmy.exe
O4 - HKLM\..\RunOnce: [d3as.exe] C:\WINDOWS\d3as.exe
O4 - HKLM\..\RunOnce: [apppp32.exe] C:\WINDOWS\system32\apppp32.exe
O4 - HKLM\..\RunOnce: [apiox32.exe] C:\WINDOWS\system32\apiox32.exe
O4 - HKLM\..\RunOnce: [addek.exe] C:\WINDOWS\addek.exe
O4 - HKLM\..\RunOnce: [apiio32.exe] C:\WINDOWS\system32\apiio32.exe
O4 - HKLM\..\RunOnce: [atlso.exe] C:\WINDOWS\atlso.exe
O4 - HKLM\..\RunOnce: [atlyl32.exe] C:\WINDOWS\system32\atlyl32.exe
O4 - HKLM\..\RunOnce: [msrc.exe] C:\WINDOWS\msrc.exe
O4 - HKLM\..\RunOnce: [apimo.exe] C:\WINDOWS\system32\apimo.exe
O4 - HKLM\..\RunOnce: [appbv.exe] C:\WINDOWS\system32\appbv.exe

#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:39 PM

Posted 08 August 2005 - 12:25 PM

Hello jerrybeav and welcome to the BC malware forum. The log that is posted is missing quite a bit of information. Because it is so long it might take more than 1 post to get all of the information in but without it we cannot see everything that is going on in the machine.

Please repost the log and take note of where it gets cut off. Post additional replies as needed to get the entire log into the thread.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#4 jerrybeav

jerrybeav
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 08 August 2005 - 06:30 PM

Please do not start multiple topics when you have a topic that is already open. It only creates additional work for the volunteers here when multiple people are reviewing the same log when they could be helping other users who require assistance.

This post will be merged with the original topic that is already open.

OT 8/10/2005



Hello, I hope someone can help.
I have adaware, spybot, norton, etc... But I keep getting a popup from Windows saying malicious programs detected... blaw blaw.... can steal bank numbers. I clean my cpu daily and it won't go away... Can someone please take a look at my log and see if you can see anything that may cause this or shouldn't be there.

Thank you


Frustrated User


Logfile of HijackThis v1.99.1
Scan saved at 7:23:34 PM, on 8/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe
C:\WINDOWS\d3yl32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jeremy\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pzdfa.dll/sp.html#14044
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pzdfa.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pzdfa.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pzdfa.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pzdfa.dll/sp.html#14044
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4008C656-FF3C-2255-1708-8543B85E668E} - C:\WINDOWS\javaxc.dll
O2 - BHO: Class - {6763EDCB-2C49-F4B4-713C-E8F6A5E7D81E} - C:\WINDOWS\wineu.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {DA607F98-7426-F515-81BC-B6FAA2D7AE86} - C:\WINDOWS\msuz32.dll
O2 - BHO: Class - {FF816CED-BF5F-39A8-D260-D4DAA38A5370} - C:\WINDOWS\system32\netsn32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [d3yl32.exe] C:\WINDOWS\d3yl32.exe
O4 - HKLM\..\Run: [SpyBlock] "C:\Program Files\Spyblock\Spyblock.exe" -tr
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunOnce: [addge32.exe] C:\WINDOWS\system32\addge32.exe
O4 - HKLM\..\RunOnce: [addje32.exe] C:\WINDOWS\system32\addje32.exe
O4 - HKLM\..\RunOnce: [iezr32.exe] C:\WINDOWS\system32\iezr32.exe
O4 - HKLM\..\RunOnce: [sysws.exe] C:\WINDOWS\system32\sysws.exe
O4 - HKLM\..\RunOnce: [ielh.exe] C:\WINDOWS\ielh.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm411YYCA
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\addge32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by OldTimer, 10 August 2005 - 11:24 AM.


#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:39 PM

Posted 10 August 2005 - 11:40 AM

Hi jerrybeav. It appears that some cleanup has been performed on this machine. Since I do not know what was done I can only work with the information that is now available.

Please print these directions and then proceed with the following steps in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download CCleaner and install it but do not run it yet.

Now we need to remove a service.

Part 1
  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the Network Security Service (NSS) service and double-click on it to open the Properties dialog.
  • Click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste the line below into the Command Prompt window and press the Enter key:
    • sc delete 11F#`I
  • Close the Command Prompt window
Step #2

Restart in Safe Mode
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pzdfa.dll/sp.html#14044
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pzdfa.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pzdfa.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pzdfa.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pzdfa.dll/sp.html#14044
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {4008C656-FF3C-2255-1708-8543B85E668E} - C:\WINDOWS\javaxc.dll
O2 - BHO: Class - {6763EDCB-2C49-F4B4-713C-E8F6A5E7D81E} - C:\WINDOWS\wineu.dll
O2 - BHO: Class - {DA607F98-7426-F515-81BC-B6FAA2D7AE86} - C:\WINDOWS\msuz32.dll
O2 - BHO: Class - {FF816CED-BF5F-39A8-D260-D4DAA38A5370} - C:\WINDOWS\system32\netsn32.dll
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [d3yl32.exe] C:\WINDOWS\d3yl32.exe
O4 - HKLM\..\RunOnce: [addge32.exe] C:\WINDOWS\system32\addge32.exe
O4 - HKLM\..\RunOnce: [addje32.exe] C:\WINDOWS\system32\addje32.exe
O4 - HKLM\..\RunOnce: [iezr32.exe] C:\WINDOWS\system32\iezr32.exe
O4 - HKLM\..\RunOnce: [sysws.exe] C:\WINDOWS\system32\sysws.exe
O4 - HKLM\..\RunOnce: [ielh.exe] C:\WINDOWS\ielh.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm411YYCA
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\system32\addge32.exe
C:\WINDOWS\system32\pzdfa.dll
C:\WINDOWS\system32\netsn32.dll
C:\WINDOWS\system32\addje32.exe
C:\WINDOWS\system32\iezr32.exe
C:\WINDOWS\system32\sysws.exe
C:\WINDOWS\javaxc.dll
C:\WINDOWS\wineu.dll
C:\WINDOWS\msuz32.dll
C:\WINDOWS\d3yl32.exe
C:\WINDOWS\ielh.exe
C:\WINDOWS\Temp\WTuninst.exe
C:\Program Files\PartyPoker\ <--folder

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Run CWShredder
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
Step #7

Reboot normally and run at least 2 of the following on-line virus scans:

Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #8

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #9

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
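The entries OldTimer singles out above share a few mechanical patterns: IE start/search keys redirected into a local DLL resource (res://...\pzdfa.dll/sp.html), BHOs registered under the bare name "Class", and Run/RunOnce/service entries whose executable has a throw-away name (a system-sounding prefix, two random letters, optional "32") sitting directly in C:\WINDOWS or system32. The triage script below is an added example, not OldTimer's or BleepingComputer's tooling; the prefix list is derived from the log in this thread, the KNOWN_GOOD allowlist is an assumption added to avoid false positives on real system binaries, and the sample log is a constructed subset of the lines posted above.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not from the thread).

Flags three patterns from the log posted in this thread:
  * R0/R1 Internet Explorer entries pointing at res://<dll>/sp.html
    (start/search page hijacked into a local DLL resource);
  * O2 BHOs registered under the placeholder name "Class";
  * O4 autostart and O23 service entries whose executable uses the
    randomized naming scheme seen here and lives directly in
    C:\\WINDOWS or C:\\WINDOWS\\system32.
The rules are triage heuristics that point a reviewer at lines to look
at, not proof that a line is malicious.
"""
import re

# Prefixes observed in this thread's log (api, app, atl, add, cr, d3, ie, ...),
# followed by two random letters, optional "32", and ".exe".
RANDOM_NAME = re.compile(
    r"^(?:add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)"
    r"[a-z]{2}(?:32)?\.exe$"
)
# Assumed allowlist: real Windows XP binaries that would otherwise match the
# pattern (prefix + two letters). Extend it for your own environment.
KNOWN_GOOD = {"netsh.exe", "ntsd.exe"}
# Directories the droppers in this log were written to (compared lowercase).
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}
# First drive-letter path ending in .exe on a line; tolerates quotes/arguments.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def random_name_exe(path: str) -> bool:
    """True when path looks like one of the throw-away droppers in this log."""
    low = path.lower()
    directory, _, name = low.rpartition("\\")
    return (directory in DROP_DIRS
            and name not in KNOWN_GOOD
            and bool(RANDOM_NAME.match(name)))


def triage_line(line: str):
    """Return (reason, line) when a HijackThis line matches a rule, else None."""
    line = line.strip()
    if not line:
        return None
    kind = line.split(" - ", 1)[0]          # R0, R1, O2, O4, O23, ...
    if kind in ("R0", "R1") and "res://" in line and "sp.html" in line:
        return ("IE start/search page redirected into a local DLL resource", line)
    if kind == "O2" and line.startswith("O2 - BHO: Class -"):
        return ("BHO registered under the placeholder name 'Class'", line)
    if kind in ("O4", "O23"):
        match = PATH_RE.search(line)
        if match and random_name_exe(match.group(1)):
            return ("autostart of a randomly named executable in the Windows directory", line)
    return None


def triage(log: str):
    """Run every line of a HijackThis log through triage_line, keeping the hits."""
    return [hit for hit in map(triage_line, log.splitlines()) if hit]


# Constructed sample: a subset of the lines posted in this thread, mixed with
# legitimate entries (Intel graphics tray, Symantec service, MSN updater).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pzdfa.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4008C656-FF3C-2255-1708-8543B85E668E} - C:\WINDOWS\javaxc.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [d3yl32.exe] C:\WINDOWS\d3yl32.exe
O4 - HKLM\..\RunOnce: [addge32.exe] C:\WINDOWS\system32\addge32.exe
O4 - HKLM\..\RunOnce: [sysws.exe] C:\WINDOWS\system32\sysws.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\addge32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Feed it a whole saved log (open the file and pass its text to triage) and compare the hits against what a helper asks you to fix; anything flagged that you recognise as legitimate belongs in KNOWN_GOOD.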


#6 jerrybeav

jerrybeav
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 13 August 2005 - 04:26 PM

I couldn't find all of the lines you mentioned... but deleted the ones I could find. It also wouldn't let me remove the service. Here is my log now.

Logfile of HijackThis v1.99.1
Scan saved at 5:24:17 PM, on 8/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\apile.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jeremy\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rxoen.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rxoen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rxoen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rxoen.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rxoen.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rxoen.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {16D93A20-4593-E7A7-4A6A-2D8F46FA9784} - C:\WINDOWS\ipzm32.dll
O2 - BHO: Class - {32D481BA-7CF2-3434-A0CE-1686F9FF5DD9} - C:\WINDOWS\atlen32.dll
O2 - BHO: Class - {4AD1D7DD-5E68-FF69-B9D7-6A0790685425} - C:\WINDOWS\system32\mfcjd.dll
O2 - BHO: Class - {8D1B8200-45A1-2D24-646B-74ECF013AF0B} - C:\WINDOWS\system32\ipdn.dll
O2 - BHO: Class - {A26538B0-8F5F-F0E6-7B55-44FA9E707CF1} - C:\WINDOWS\apino.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C516B337-4790-1C2D-E70B-A3EC67307C3E} - C:\WINDOWS\system32\mszg32.dll
O2 - BHO: Class - {DB309419-3C5C-375B-8765-4F2EE5877F1F} - C:\WINDOWS\apphv32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [apile.exe] C:\WINDOWS\system32\apile.exe
O4 - HKLM\..\RunOnce: [ipof.exe] C:\WINDOWS\ipof.exe
O4 - HKLM\..\RunOnce: [javawn.exe] C:\WINDOWS\javawn.exe
O4 - HKLM\..\RunOnce: [addkm.exe] C:\WINDOWS\addkm.exe
O4 - HKLM\..\RunOnce: [addjb32.exe] C:\WINDOWS\addjb32.exe
O4 - HKLM\..\RunOnce: [ntsh.exe] C:\WINDOWS\ntsh.exe
O4 - HKLM\..\RunOnce: [mswr.exe] C:\WINDOWS\mswr.exe
O4 - HKLM\..\RunOnce: [ipzw.exe] C:\WINDOWS\system32\ipzw.exe
O4 - HKLM\..\RunOnce: [sysug.exe] C:\WINDOWS\system32\sysug.exe
O4 - HKLM\..\RunOnce: [ntzp.exe] C:\WINDOWS\ntzp.exe
O4 - HKLM\..\RunOnce: [atldx32.exe] C:\WINDOWS\atldx32.exe
O4 - HKLM\..\RunOnce: [netcd.exe] C:\WINDOWS\system32\netcd.exe
O4 - HKLM\..\RunOnce: [mfcmj.exe] C:\WINDOWS\mfcmj.exe
O4 - HKLM\..\RunOnce: [ntwc32.exe] C:\WINDOWS\system32\ntwc32.exe
O4 - HKLM\..\RunOnce: [atlpb32.exe] C:\WINDOWS\atlpb32.exe
O4 - HKLM\..\RunOnce: [atley32.exe] C:\WINDOWS\system32\atley32.exe
O4 - HKLM\..\RunOnce: [sysjx32.exe] C:\WINDOWS\system32\sysjx32.exe
O4 - HKLM\..\RunOnce: [addsh.exe] C:\WINDOWS\addsh.exe
O4 - HKLM\..\RunOnce: [ipvr.exe] C:\WINDOWS\ipvr.exe
O4 - HKLM\..\RunOnce: [appug32.exe] C:\WINDOWS\appug32.exe
O4 - HKLM\..\RunOnce: [ntsj32.exe] C:\WINDOWS\system32\ntsj32.exe
O4 - HKLM\..\RunOnce: [ntvl32.exe] C:\WINDOWS\system32\ntvl32.exe
O4 - HKLM\..\RunOnce: [apppk.exe] C:\WINDOWS\apppk.exe
O4 - HKLM\..\RunOnce: [addsw.exe] C:\WINDOWS\system32\addsw.exe
O4 - HKLM\..\RunOnce: [ntbc32.exe] C:\WINDOWS\ntbc32.exe
O4 - HKLM\..\RunOnce: [sdkmv.exe] C:\WINDOWS\system32\sdkmv.exe
O4 - HKLM\..\RunOnce: [sysec32.exe] C:\WINDOWS\system32\sysec32.exe
O4 - HKLM\..\RunOnce: [ntes32.exe] C:\WINDOWS\ntes32.exe
O4 - HKLM\..\RunOnce: [apikn32.exe] C:\WINDOWS\system32\apikn32.exe
O4 - HKLM\..\RunOnce: [ntst.exe] C:\WINDOWS\ntst.exe
O4 - HKLM\..\RunOnce: [mfcrg.exe] C:\WINDOWS\system32\mfcrg.exe
O4 - HKLM\..\RunOnce: [javagl32.exe] C:\WINDOWS\javagl32.exe
O4 - HKLM\..\RunOnce: [crot.exe] C:\WINDOWS\crot.exe
O4 - HKLM\..\RunOnce: [javaou.exe] C:\WINDOWS\system32\javaou.exe
O4 - HKLM\..\RunOnce: [syser32.exe] C:\WINDOWS\syser32.exe
O4 - HKLM\..\RunOnce: [sdksl32.exe] C:\WINDOWS\system32\sdksl32.exe
O4 - HKLM\..\RunOnce: [iehj.exe] C:\WINDOWS\iehj.exe
O4 - HKLM\..\RunOnce: [appab32.exe] C:\WINDOWS\appab32.exe
O4 - HKLM\..\RunOnce: [msls32.exe] C:\WINDOWS\system32\msls32.exe
O4 - HKLM\..\RunOnce: [ipuz32.exe] C:\WINDOWS\ipuz32.exe
O4 - HKLM\..\RunOnce: [javafs32.exe] C:\WINDOWS\javafs32.exe
O4 - HKLM\..\RunOnce: [mszg32.exe] C:\WINDOWS\system32\mszg32.exe
O4 - HKLM\..\RunOnce: [ntdd32.exe] C:\WINDOWS\system32\ntdd32.exe
O4 - HKLM\..\RunOnce: [atlfk.exe] C:\WINDOWS\system32\atlfk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:39 PM

Posted 13 August 2005 - 07:08 PM

Hi jerrybeav. Ok, the service is gone so that is good but we still have some work to do here. Please print these directions and then proceed with the following steps in order.

Download the Pocket Killbox and unzip the contents of KillBox.zip to your desktop.
  • Double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\WINDOWS\ipof.exe
      C:\WINDOWS\javawn.exe
      C:\WINDOWS\addkm.exe
      C:\WINDOWS\addjb32.exe
      C:\WINDOWS\ntsh.exe
      C:\WINDOWS\mswr.exe
      C:\WINDOWS\system32\ipzw.exe
      C:\WINDOWS\system32\sysug.exe
      C:\WINDOWS\ntzp.exe
      C:\WINDOWS\atldx32.exe
      C:\WINDOWS\system32\netcd.exe
      C:\WINDOWS\mfcmj.exe
      C:\WINDOWS\system32\ntwc32.exe
      C:\WINDOWS\atlpb32.exe
      C:\WINDOWS\system32\atley32.exe
      C:\WINDOWS\system32\sysjx32.exe
      C:\WINDOWS\addsh.exe
      C:\WINDOWS\ipvr.exe
      C:\WINDOWS\appug32.exe
      C:\WINDOWS\system32\ntsj32.exe
      C:\WINDOWS\system32\ntvl32.exe
      C:\WINDOWS\apppk.exe
      C:\WINDOWS\system32\addsw.exe
      C:\WINDOWS\ntbc32.exe
      C:\WINDOWS\system32\sdkmv.exe
      C:\WINDOWS\system32\sysec32.exe
      C:\WINDOWS\ntes32.exe
      C:\WINDOWS\system32\apikn32.exe
      C:\WINDOWS\ntst.exe
      C:\WINDOWS\system32\mfcrg.exe
      C:\WINDOWS\javagl32.exe
      C:\WINDOWS\crot.exe
      C:\WINDOWS\system32\javaou.exe
      C:\WINDOWS\syser32.exe
      C:\WINDOWS\system32\sdksl32.exe
      C:\WINDOWS\iehj.exe
      C:\WINDOWS\appab32.exe
      C:\WINDOWS\system32\msls32.exe
      C:\WINDOWS\ipuz32.exe
      C:\WINDOWS\javafs32.exe
      C:\WINDOWS\system32\mszg32.exe
      C:\WINDOWS\system32\ntdd32.exe
      C:\WINDOWS\system32\atlfk.exe
      C:\WINDOWS\rxoen.dll
      C:\WINDOWS\ipzm32.dll
      C:\WINDOWS\atlen32.dll
      C:\WINDOWS\system32\mfcjd.dll
      C:\WINDOWS\system32\ipdn.dll
      C:\WINDOWS\apino.dll
      C:\WINDOWS\system32\mszg32.dll
      C:\WINDOWS\apphv32.dll
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • If not greyed out click the checkbox for Deltree (Include SubDirectories)
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
  • After the system reboots, start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rxoen.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rxoen.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rxoen.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rxoen.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rxoen.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rxoen.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {16D93A20-4593-E7A7-4A6A-2D8F46FA9784} - C:\WINDOWS\ipzm32.dll
    O2 - BHO: Class - {32D481BA-7CF2-3434-A0CE-1686F9FF5DD9} - C:\WINDOWS\atlen32.dll
    O2 - BHO: Class - {4AD1D7DD-5E68-FF69-B9D7-6A0790685425} - C:\WINDOWS\system32\mfcjd.dll
    O2 - BHO: Class - {8D1B8200-45A1-2D24-646B-74ECF013AF0B} - C:\WINDOWS\system32\ipdn.dll
    O2 - BHO: Class - {A26538B0-8F5F-F0E6-7B55-44FA9E707CF1} - C:\WINDOWS\apino.dll
    O2 - BHO: Class - {C516B337-4790-1C2D-E70B-A3EC67307C3E} - C:\WINDOWS\system32\mszg32.dll
    O2 - BHO: Class - {DB309419-3C5C-375B-8765-4F2EE5877F1F} - C:\WINDOWS\apphv32.dll
    O4 - HKLM\..\Run: [apile.exe] C:\WINDOWS\system32\apile.exe
    O4 - HKLM\..\RunOnce: [ipof.exe] C:\WINDOWS\ipof.exe
    O4 - HKLM\..\RunOnce: [javawn.exe] C:\WINDOWS\javawn.exe
    O4 - HKLM\..\RunOnce: [addkm.exe] C:\WINDOWS\addkm.exe
    O4 - HKLM\..\RunOnce: [addjb32.exe] C:\WINDOWS\addjb32.exe
    O4 - HKLM\..\RunOnce: [ntsh.exe] C:\WINDOWS\ntsh.exe
    O4 - HKLM\..\RunOnce: [mswr.exe] C:\WINDOWS\mswr.exe
    O4 - HKLM\..\RunOnce: [ipzw.exe] C:\WINDOWS\system32\ipzw.exe
    O4 - HKLM\..\RunOnce: [sysug.exe] C:\WINDOWS\system32\sysug.exe
    O4 - HKLM\..\RunOnce: [ntzp.exe] C:\WINDOWS\ntzp.exe
    O4 - HKLM\..\RunOnce: [atldx32.exe] C:\WINDOWS\atldx32.exe
    O4 - HKLM\..\RunOnce: [netcd.exe] C:\WINDOWS\system32\netcd.exe
    O4 - HKLM\..\RunOnce: [mfcmj.exe] C:\WINDOWS\mfcmj.exe
    O4 - HKLM\..\RunOnce: [ntwc32.exe] C:\WINDOWS\system32\ntwc32.exe
    O4 - HKLM\..\RunOnce: [atlpb32.exe] C:\WINDOWS\atlpb32.exe
    O4 - HKLM\..\RunOnce: [atley32.exe] C:\WINDOWS\system32\atley32.exe
    O4 - HKLM\..\RunOnce: [sysjx32.exe] C:\WINDOWS\system32\sysjx32.exe
    O4 - HKLM\..\RunOnce: [addsh.exe] C:\WINDOWS\addsh.exe
    O4 - HKLM\..\RunOnce: [ipvr.exe] C:\WINDOWS\ipvr.exe
    O4 - HKLM\..\RunOnce: [appug32.exe] C:\WINDOWS\appug32.exe
    O4 - HKLM\..\RunOnce: [ntsj32.exe] C:\WINDOWS\system32\ntsj32.exe
    O4 - HKLM\..\RunOnce: [ntvl32.exe] C:\WINDOWS\system32\ntvl32.exe
    O4 - HKLM\..\RunOnce: [apppk.exe] C:\WINDOWS\apppk.exe
    O4 - HKLM\..\RunOnce: [addsw.exe] C:\WINDOWS\system32\addsw.exe
    O4 - HKLM\..\RunOnce: [ntbc32.exe] C:\WINDOWS\ntbc32.exe
    O4 - HKLM\..\RunOnce: [sdkmv.exe] C:\WINDOWS\system32\sdkmv.exe
    O4 - HKLM\..\RunOnce: [sysec32.exe] C:\WINDOWS\system32\sysec32.exe
    O4 - HKLM\..\RunOnce: [ntes32.exe] C:\WINDOWS\ntes32.exe
    O4 - HKLM\..\RunOnce: [apikn32.exe] C:\WINDOWS\system32\apikn32.exe
    O4 - HKLM\..\RunOnce: [ntst.exe] C:\WINDOWS\ntst.exe
    O4 - HKLM\..\RunOnce: [mfcrg.exe] C:\WINDOWS\system32\mfcrg.exe
    O4 - HKLM\..\RunOnce: [javagl32.exe] C:\WINDOWS\javagl32.exe
    O4 - HKLM\..\RunOnce: [crot.exe] C:\WINDOWS\crot.exe
    O4 - HKLM\..\RunOnce: [javaou.exe] C:\WINDOWS\system32\javaou.exe
    O4 - HKLM\..\RunOnce: [syser32.exe] C:\WINDOWS\syser32.exe
    O4 - HKLM\..\RunOnce: [sdksl32.exe] C:\WINDOWS\system32\sdksl32.exe
    O4 - HKLM\..\RunOnce: [iehj.exe] C:\WINDOWS\iehj.exe
    O4 - HKLM\..\RunOnce: [appab32.exe] C:\WINDOWS\appab32.exe
    O4 - HKLM\..\RunOnce: [msls32.exe] C:\WINDOWS\system32\msls32.exe
    O4 - HKLM\..\RunOnce: [ipuz32.exe] C:\WINDOWS\ipuz32.exe
    O4 - HKLM\..\RunOnce: [javafs32.exe] C:\WINDOWS\javafs32.exe
    O4 - HKLM\..\RunOnce: [mszg32.exe] C:\WINDOWS\system32\mszg32.exe
    O4 - HKLM\..\RunOnce: [ntdd32.exe] C:\WINDOWS\system32\ntdd32.exe
    O4 - HKLM\..\RunOnce: [atlfk.exe] C:\WINDOWS\system32\atlfk.exe
  • Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.
  • Re-run CWS Shredder
  • Re-run AdAware SE
  • Reboot and post a new HijackThis log
I will review the new information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#8 jerrybeav

jerrybeav
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 14 August 2005 - 03:50 PM

Hey, I deleted all the files I could find but a lot of the .dll's you listed weren't found. I also noticed in the log that the NSS service (file missing) is listed below that I was told to delete??
Also on startup I am getting a missing file error for c:windows/ipof.exe and a found new hardware for HTTP SSL??? So far I haven't seen that firewall popup, which is a good sign.

Thanks for the help so far! You guys do a great job!
Logfile of HijackThis v1.99.1

Scan saved at 4:36:33 PM, on 8/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\iehf32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\iehf32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:39 PM

Posted 15 August 2005 - 11:35 AM

Hi jerrybeav. Yup, it's back again so let's remove it again.
C:\WINDOWS\iehf32.exe
Part 1
  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the <service description> service and double-click on it to open the Properties dialog.
  • Click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste the line below into the Command Prompt window and press the Enter key:
    • sc delete 11F#`I
  • Close the Command Prompt window
Start HijackThis and follow these steps:
  • Click on Config button
  • Click on the Misc Tools button
  • Click on the Open Process Manager button
Find the following items and click on each one to select it and then click on the Kill Process button to stop the process:

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\iehf32.exe
Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
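As an added example (not from this thread, and not HijackThis's or OldTimer's code): a small Python checker that applies the patterns OldTimer used when picking entries out of the logs above, namely the res:// search redirects, the unnamed BHOs, the Run/RunOnce entries and the 'Unknown owner' service pointing at a random-named file in C:\WINDOWS, and diffs two scans so a reappearing file such as iehf32.exe stands out. The trusted-vendor set and the file-name heuristic are assumptions tuned to this thread, and the sample lines are constructed from the 13 and 14 August logs.

```python
import re

# Assumption: vendors treated as trusted for O23 service lines in this thread's logs.
TRUSTED_OWNERS = {"Symantec Corporation", "Zone Labs, LLC", "Lexmark International, Inc."}

# The hijacked IE search settings above all pointed at a res:// page inside a DLL.
RES_URL = re.compile(r"res://", re.IGNORECASE)
# First drive-letter path in an entry, allowing spaces, up to the first .exe/.dll.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.IGNORECASE)
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no deeper subfolder).
WINDIR = re.compile(r"^C:\\WINDOWS\\(?:system32\\)?([^\\]+)$", re.IGNORECASE)
# Assumption: naming heuristic tuned to the droppers listed in this thread, a
# Windows-looking prefix plus 2-4 random letters and an optional "32".
DROPPER_NAME = re.compile(
    r"^(?:api|app|add|atl|cr|ie|ip|java|mfc|ms|net|nt|sdk|sys)[a-z]{2,4}(?:32)?\.(?:exe|dll)$",
    re.IGNORECASE,
)


def parse_entry(line):
    """Split 'O4 - HKLM\\..\\RunOnce: [x] path' into ('O4', 'HKLM\\..\\RunOnce: [x] path')."""
    m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else (None, None)


def first_path(text):
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def looks_dropped(path):
    """True for a random-named .exe/.dll dropped straight into the Windows directory."""
    m = WINDIR.match(path or "")
    return bool(m and DROPPER_NAME.match(m.group(1)))


def assess(line):
    """Return why a HijackThis entry looks like part of this infection, or None if benign."""
    section, body = parse_entry(line)
    if section is None:
        return None
    path = first_path(body)
    if section.startswith("R") and RES_URL.search(body):
        return "IE search setting redirected to a res:// page inside a DLL"
    if section == "O2" and (body.startswith("BHO: Class -") or looks_dropped(path)):
        return "unnamed BHO loaded from a random-named DLL"
    if section == "O4" and looks_dropped(path):
        return "autorun (Run/RunOnce) of a random-named file in the Windows directory"
    if section == "O23":
        parts = [p.strip() for p in body.split(" - ")]  # 'Service: name - owner - command'
        owner = parts[1] if len(parts) > 2 else "Unknown owner"
        if owner not in TRUSTED_OWNERS and looks_dropped(path):
            missing = ", binary missing on disk" if "(file missing)" in body else ""
            return f"service owned by '{owner}' pointing at a random-named file{missing}"
    return None


def flagged(log_text):
    """Map each suspicious entry in a log to the reason it was flagged."""
    return {line.strip(): reason for line in log_text.splitlines() if (reason := assess(line))}


def compare(before, after):
    """Flagged entries gone since 'before' were removed; those only in 'after' (re)appeared."""
    b, a = flagged(before), flagged(after)
    return {"removed": sorted(set(b) - set(a)), "new": sorted(set(a) - set(b))}


# Constructed samples: a handful of lines copied from the 13 and 14 August logs above.
SCAN_AUG13 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rxoen.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {16D93A20-4593-E7A7-4A6A-2D8F46FA9784} - C:\WINDOWS\ipzm32.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [apile.exe] C:\WINDOWS\system32\apile.exe
O4 - HKLM\..\RunOnce: [ipof.exe] C:\WINDOWS\ipof.exe
O4 - HKLM\..\RunOnce: [crot.exe] C:\WINDOWS\crot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

SCAN_AUG14 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\iehf32.exe" /s (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for entry, reason in flagged(SCAN_AUG13).items():
        print(f"[13 Aug] {reason}: {entry}")
    diff = compare(SCAN_AUG13, SCAN_AUG14)
    print(f"removed by the fix: {len(diff['removed'])}, (re)appeared: {diff['new']}")
```

The heuristic is deliberately narrow to the naming pattern in these logs; on another machine, check every hit against a known-good process list before acting on it.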


#10 jerrybeav

jerrybeav
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 15 August 2005 - 05:28 PM

Hello again, well I didn't find the file C:\WINDOWS\iehf32.exe but I found the same file in the \system32 folder. Is this the same??
The service NSS was not listed in the services.msc and when I opened the cmd prompt, it said service not installed or something like that.
You also said to use the kill process function in HJT but you listed no process.
And 1 last question. Do you know why a found new hardware window (asks to search for update) for 'HTTP SSL' pops up on reboot?

Thanks, Jerry

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\Jeremy\My Documents\My Programs\SpyDoc\Spyware Doctor\swdoctor.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeremy\My Documents\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\DOCUME~1\Jeremy\MYDOCU~1\MYPROG~1\SpyDoc\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\DOCUME~1\Jeremy\MYDOCU~1\MYPROG~1\SpyDoc\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Documents and Settings\Jeremy\My Documents\My Programs\SpyDoc\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\DOCUME~1\Jeremy\MYDOCU~1\MYPROG~1\SpyDoc\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:03:39 PM

Posted 15 August 2005 - 07:52 PM

Hi jerrybeav. That is clean. Good job! The HTTP SSL service is for Secure Socket Layers used on secure websites. You can check the service in services.msc to make sure that it is enabled and set to automatic. If there is a problem with turning it on then you should go to the Windows Update site and install all available Critical Updates. It might have been disabled or damaged by the infection.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • CHECK Turn off System Restore.
    • Click Apply, and then click OK.
  • Restart your computer.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore.
    • Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You already have a good anti-virus, and you should also have a good firewall for blocking unwanted access to and from your computer. These also are free for personal use:

It is best to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean be aware of what emails you open, what websites you visit, and update and run these free malware scanners once a week:

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
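The two checks OldTimer describes above (service state in services.msc, and the Folder Options view settings) can also be done from the command line. The script below is an added example, not part of the thread; it assumes Windows XP, where the "HTTP SSL" service's short name is HTTPFilter, and that the Explorer view settings live under the usual HKCU Advanced key.

```powershell
# Added example (not from the thread): verify the "HTTP SSL" service is enabled
# and set to Automatic, then re-hide hidden/protected system files in Explorer.
# Assumption: on Windows XP the "HTTP SSL" service's short name is HTTPFilter.

$svcName = 'HTTPFilter'
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"

if ($null -eq $svc) {
    # A missing service is the "problem turning it on" case: get the Critical Updates.
    Write-Warning "Service $svcName not found; install all Critical Updates from Windows Update."
} else {
    "{0}: state={1} startmode={2}" -f $svc.DisplayName, $svc.State, $svc.StartMode
    if ($svc.StartMode -ne 'Auto') {
        # Win32_Service.ChangeStartMode takes Automatic/Manual/Disabled; 0 means success
        $rc = $svc.ChangeStartMode('Automatic').ReturnValue
        if ($rc -ne 0) { Write-Warning "ChangeStartMode failed with code $rc" }
    }
    if ($svc.State -ne 'Running') {
        $rc = $svc.StartService().ReturnValue
        if ($rc -ne 0) { Write-Warning "StartService failed with code $rc" }
    }
}

# Folder Options > View: hide hidden files and protected operating system files again.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name 'Hidden'          -Value 2 -Type DWord  # 2 = do not show hidden files
Set-ItemProperty -Path $adv -Name 'ShowSuperHidden' -Value 0 -Type DWord  # 0 = hide protected OS files
Get-ItemProperty -Path $adv | Select-Object Hidden, ShowSuperHidden
```

Explorer picks up the registry change the next time a folder window is opened or refreshed.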
