
need help with hijack this log


This topic is locked
11 replies to this topic

#1 epiphannyy

  • Members
  • 6 posts

Posted 11 September 2005 - 05:08 PM

I was infected with trojan.istsvc from a website I visited yesterday. Since then I have been trying to locate this file and delete it, but it seems to be hidden on my system somewhere. Someone I know suggested I run HijackThis and post the log to see if maybe it could help with this problem. The virus seems to have hidden itself well because no registry keys are showing and the file does not show up on a scan. However, my Norton did give me a warning saying it detected an infection and that access to the file was denied. Not sure if this program will help in fixing this problem, but I've tried about everything else I can think of, so here's my log. ANY help would be greatly appreciated.

Thank you.


Logfile of HijackThis v1.99.1
Scan saved at 5:26:16 PM, on 9/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Saga\Super Popup Blocker\popkill.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Plasmatek Software\ProtectX\protectx.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\Program Files\America Online 9.0c\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: HTML Source Editor - {85810C93-C14C-11D5-BC4B-0050BA28E4FE} - C:\WINDOWS\System32\popkill.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShowIcon_KYE Electronics Corp._USB Storage R/W v1.14e057] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE Electronics Corp.\USB Storage R/W v1.14e057"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Super Popup Blocker] C:\Saga\Super Popup Blocker\popkill.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: ProtectX Hacker Defence Suite.lnk = C:\Program Files\Plasmatek Software\ProtectX\protectx.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Ali Baba Slots TM by pogo - http://slots02.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-6.0.1.28/backgammon/backgammon-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-5.8.3.20/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Checkers by pogo - http://checkers.pogo.com/applet-5.8.2.19/checkers2/checkers-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet/cribbage/cribbage-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet-5.8.5.21/domino/domino-ob-assets.cab
O16 - DPF: Dominoes by pogo.com - http://temp22.pogo.com/applet/domino/domino-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet/videopoker2/doubledeuce-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.8.3.26/euchre/euchre-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire14.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18/superbingo/superbingo-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.8.3.20/greenback/greenback-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.com/applet-6.0.4.37/drawpoker/drawpoker-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.8.6.20/pool2/pool-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke02.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.4.31/gin/gin-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahjong/mahjong-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.4.24/freecell/freecell-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://temp36.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.4.31/flinger/flinger-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire03.pogo.com/applet-5.8.3.26/piratesgold/piratesgold-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game6.pogo.com/applet-5.9.3.38/poppit/poppit-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://scifi.pogo.com/applet/slots/scifi-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://showbiz.pogo.com/applet-5.8.1.28/slots/showbiz-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://temp35.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5.9.1.18/squelchies/squelchies-ob-assets.cab
O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-6.0.1.20/sweettooth/sweettooth-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo.com - http://sweet06.pogo.com/applet/sweettooth/sweettooth-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game2.pogo.com/applet-5.8.2.19/holdem/holdem-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://simball02.pogo.com/applet-5.8.2.19/simball/simball-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo.com - http://simball02.pogo.com/applet/simball/simball-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.0.4.37/peaks/peaks-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.8.2.19/jumbee/jumbee-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.com/applet-5.8.6.20/turbo21/turbo21-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.8.2.19/wordwhomp/wordwhomp-ob-assets.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/applet/whackdown/whackdown-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.0.25/wordjong/wordjong-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.9.1.28/worldclass/worldclass-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://xpupload.hpphoto.com/downloads/DownloadPhotos.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.14.162.81/activex/AxisCamControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} (AOL YGP Screensaver) - http://pak02.pictures.aol.com/ygp/aol/plugin/screensaver/YGPPicScreensaver.1.0.2.5.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://209.95.72.188/csi_netcam.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://E:\Bin\html\files\MotivePreQual.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol125.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} - http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB70172C-DCAE-4A11-A19D-26683E70C336}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
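The log above is a HijackThis v1.99.1 listing, and reviewing one by hand means walking the R/O entries and deciding which ones deserve a closer look. The script below is an added example (not code from this thread or from HijackThis) that parses such entry lines into records and applies the first-pass checks a log reviewer makes: unresolvable startup shortcuts, "(file missing)" entries, Run keys with a bare filename, ActiveX (O16) downloads from a raw IP or local file source, an O17 DNS override, and services with no recorded vendor. The SAMPLE_LOG constant is a constructed excerpt built from entries in the log above, and the triage heuristics are my own assumptions, not HijackThis's.

```python
"""Minimal parser and first-pass triage for HijackThis v1.99.1 log entries (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a handful of entry types copied from the log in this thread, not the whole log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: HTML Source Editor - {85810C93-C14C-11D5-BC4B-0050BA28E4FE} - C:\WINDOWS\System32\popkill.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.14.162.81/activex/AxisCamControl.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://E:\Bin\html\files\MotivePreQual.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB70172C-DCAE-4A11-A19D-26683E70C336}: NameServer = 205.188.146.145
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
"""

# Every HijackThis entry line starts with a section code: R0/R1, F0/F1, O2 ... O23.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Entry:
    kind: str    # section code, e.g. "O4", "O16", "O23"
    body: str    # text after "Oxx - "
    target: str  # path, command or URL the entry points at ("" if none)


def target_of(kind: str, body: str) -> str:
    """Pull out the thing the entry loads: the [name] command for Run keys,
    the '=' value for R0/R1, O17 and startup shortcuts, else the last ' - ' segment."""
    if kind == "O4":
        m = re.search(r"\] (.*)$", body)           # HKLM\..\Run: [name] command
        if m:
            return m.group(1).strip()
        return body.rsplit(" = ", 1)[-1].strip()   # Startup: foo.lnk = path
    if kind == "O17" or kind.startswith("R"):
        return body.rsplit(" = ", 1)[-1].strip() if " = " in body else ""
    return body.rsplit(" - ", 1)[-1].strip() if " - " in body else ""


def parse_log(text: str) -> list:
    """Return one Entry per 'Xn - ...' line; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            kind, body = m.groups()
            entries.append(Entry(kind, body, target_of(kind, body)))
    return entries


def triage(entries: list) -> list:
    """Flag entries a reviewer would look at first. These are heuristics (my assumptions),
    not verdicts: each hit still needs a human to confirm what the file or host actually is."""
    findings = []
    for e in entries:
        t = e.target
        if t.endswith("(file missing)"):
            findings.append(("file missing: stale entry or already-removed file", e))
        elif e.kind == "O4" and t == "?":
            findings.append(("startup shortcut whose target could not be resolved", e))
        elif e.kind == "O4" and "\\" not in t.strip('"'):
            findings.append(("bare filename in Run key; resolved via PATH search at logon", e))
        elif e.kind == "O16":
            u = urlparse(t)
            if u.scheme == "file" or IPV4_RE.match(u.hostname or ""):
                findings.append(("ActiveX download from raw IP or local file source", e))
        elif e.kind == "O17":
            findings.append(("custom DNS server set; confirm it belongs to the ISP", e))
        elif e.kind == "O23" and " - Unknown owner - " in e.body:
            findings.append(("service with no recorded vendor", e))
    return findings


if __name__ == "__main__":
    for reason, e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.kind:<4} {reason}\n     {e.body}")
```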

#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 14 September 2005 - 08:08 AM

Hello epiphannyy and welcome to the BC HijackThis forum. Let's first try and get a good HijackThis log by following these steps.

Boot normally, start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis, and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 epiphannyy
  • Topic Starter
  • Members
  • 6 posts

Posted 15 September 2005 - 12:27 AM

As requested, here is the file collected after a cold boot. Thanks for your help...

Logfile of HijackThis v1.99.1
Scan saved at 1:20:43 AM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Saga\Super Popup Blocker\popkill.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: HTML Source Editor - {85810C93-C14C-11D5-BC4B-0050BA28E4FE} - C:\WINDOWS\System32\popkill.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShowIcon_KYE Electronics Corp._USB Storage R/W v1.14e057] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE Electronics Corp.\USB Storage R/W v1.14e057"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Super Popup Blocker] C:\Saga\Super Popup Blocker\popkill.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: Ali Baba Slots TM by pogo - http://slots02.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-6.0.1.28/backgammon/backgammon-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-5.8.3.20/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Checkers by pogo - http://checkers.pogo.com/applet-5.8.2.19/checkers2/checkers-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet/cribbage/cribbage-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet-5.8.5.21/domino/domino-ob-assets.cab
O16 - DPF: Dominoes by pogo.com - http://temp22.pogo.com/applet/domino/domino-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet/videopoker2/doubledeuce-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.8.3.26/euchre/euchre-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire14.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18/superbingo/superbingo-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.8.3.20/greenback/greenback-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.com/applet-6.0.4.37/drawpoker/drawpoker-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.8.6.20/pool2/pool-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke02.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.4.31/gin/gin-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahjong/mahjong-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.4.24/freecell/freecell-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://temp36.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.4.31/flinger/flinger-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire03.pogo.com/applet-5.8.3.26/piratesgold/piratesgold-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game6.pogo.com/applet-5.9.3.38/poppit/poppit-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://scifi.pogo.com/applet/slots/scifi-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://showbiz.pogo.com/applet-5.8.1.28/slots/showbiz-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://temp35.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5.9.1.18/squelchies/squelchies-ob-assets.cab
O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-6.0.1.20/sweettooth/sweettooth-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo.com - http://sweet06.pogo.com/applet/sweettooth/sweettooth-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game2.pogo.com/applet-5.8.2.19/holdem/holdem-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://simball02.pogo.com/applet-5.8.2.19/simball/simball-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo.com - http://simball02.pogo.com/applet/simball/simball-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.0.4.37/peaks/peaks-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.8.2.19/jumbee/jumbee-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.com/applet-5.8.6.20/turbo21/turbo21-ob-assets.cab
O16 - DPF: Word Whomp by pogo

-

http://whomp.pogo.com/applet

-

5.8.2.19/wordwhomp/wordwhomp

-ob-assets.cab
O16 - DPF: Word Whomp by

pogo.com -

http://whomp.pogo.com/applet/

wordwhomp/wordwhomp-ob-

assets.cab
O16 - DPF: Word Whomp

Whackdown by pogo -

http://whackdown2.pogo.com/ap

plet/whackdown/whackdown-ob-

assets.cab
O16 - DPF: Word Whomp

Whackdown by pogo.com -

http://whackdown.pogo.com/app

let/whackdown/whackdown-ob-

assets.cab
O16 - DPF: WordJong by pogo -

http://wordjong.pogo.com/appl

et-

6.0.0.25/wordjong/wordjong-

ob-assets.cab
O16 - DPF: World Class

Solitaire by pogo -

http://klondike.pogo.com/appl

et-

5.9.1.28/worldclass/worldclas

s-ob-assets.cab
O16 - DPF: Yahoo! Chat -

http://cs6.chat.sc5.yahoo.com

/c381/chat.cab
O16 - DPF: {01113300-3E00-

11D2-8470-0060089874ED}

(Support.com Configuration

Class) -

http://www.comcastsupport.com

/sdccommon/download/tgctlcm.c

ab
O16 - DPF: {04E214E5-63AF-

4236-83C6-A7ADCBF9BD02}

(HouseCall Control) -

http://housecall60.trendmicro

.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-

11D3-8997-00104BD12D94}

(PCPitstop Utility) -

http://pcpitstop.com/pcpitsto

p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-

453E-A040-C7C580BBF700}

(Windows Genuine Advantage

Validation Tool) -

http://go.microsoft.com/fwlin

k/?linkid=39204
O16 - DPF: {1842B0EE-B597-

11D4-8997-00104BD12D94} (iCC

Class) -

http://www.pcpitstop.com/inte

rnet/pcpConnCheck.cab
O16 - DPF: {2B323CD9-50E3-

11D3-9466-00A0C9700498}

(Yahoo! Audio Conferencing) -

http://cs6.chat.sc5.yahoo.com

/v43/yacscom.cab
O16 - DPF: {30528230-99F7-

4BB4-88D8-FA1D4F56A2AB}

(YInstStarter Class) -

C:\Program Files\Yahoo!

\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-

4CAC-A755-CFB3C7EE7F40} (AOL

Content Update) -

http://esupport.aol.com/help/

acp2/engine/aolcoach_core_1.c

ab
O16 - DPF: {4A3CF76B-EC7A-

405D-A67D-8DC6B52AB35B}

(QDiagAOLCCUpdateObj Class) -

http://aolcc.aol.com/computer

checkup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-

41A1-8DD5-E099162EEEC5}

(Symantec RuFSI Utility

Class) -

http://security.symantec.com/

sscv6/SharedContent/common/bi

n/cabsa.cab
O16 - DPF: {7BA7BCE2-D359-

4407-82D9-CDF9A74C487A}

(DownLoadStub Class) -

http://xpupload.hpphoto.com/d

ownloads/DownloadPhotos.cab
O16 - DPF: {861DB4B6-3838-

11D2-8E50-002018200E57}

(MrSIDI Control) -

http://images.myfamily.net/is

files/downloads/MrSIDI.cab
O16 - DPF: {917623D1-D8E5-

11D2-BE8B-00104B06BDE3}

(CamImage Class) -

http://66.14.162.81/activex/A

xisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-

4DAF-B042-5009F29E09E1}

(ActiveScan Installer Class)

-

http://www.pandasoftware.com/

activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-

11D4-8673-60DB54C10000}

(YahooYMailTo Class) -

http://us.dl1.yimg.com/downlo

ad.yahoo.com/dl/installs/yse/

ymmapi.dll
O16 - DPF: {A1B09066-C95C-

4EF6-8DFD-3DD0AFE610B6} (AOL

YGP Screensaver) -

http://pak02.pictures.aol.com

/ygp/aol/plugin/screensaver/Y

GPPicScreensaver.1.0.2.5.cab
O16 - DPF: {A8739816-022C-

11D6-A85D-00C04F9AEAFB} (Web

Camera Server Control) -

http://209.95.72.188/csi_netc

am.cab
O16 - DPF: {B942A249-D1E7-

4C11-98AE-FCB76B08747F}

(RealArcadeRdxIE Class) -

http://games-

dl.real.com/gameconsole/Bundl

er/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BB21F850-63F4-

4EC9-BF9D-565BD30C9AE9}

(ASquaredScanForm Element) -

http://www.windowsecurity.com

/trojanscan/axscan.cab
O16 - DPF: {C2FCEF52-ACE9-

11D3-BEBD-00105AA9B6AE}

(Symantec RuFSI Registry

Information Class) -

http://security.symantec.com/

sscv6/SharedContent/common/bi

n/cabsa.cab
O16 - DPF: {C606BA60-AB76-

48B6-96A7-2C4D5C386F70}

(PreQualifier Class) -

file://E:\Bin\html\files\Moti

vePreQual.cab
O16 - DPF: {DF780F87-FF2B-

4DF8-92D0-73DB16A1543A}

(PopCapLoader Object) -

http://aol125.pogo.com/game/d

eluxe/zuma/popcaploader_v5.ca

b
O16 - DPF: {EE5CA45C-BFAC-

48E6-BE6C-3C607620FF43} -

http://companion.logitech.com

/companion/logitech/ver1.3.0.

2041/bin/imvid.cab
O23 - Service: AOL

Connectivity Service (AOL

ACS) - America Online, Inc. -

C:\PROGRA~1\COMMON~1

\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware

Protection Service

(AOLService) - Unknown owner

- C:\Program Files\Common

Files\AOL\AOL Spyware

Protection\\aolserv.exe
O23 - Service: AVG7 Alert

Manager Server (Avg7Alrt) -

GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1

\avgamsvr.exe
O23 - Service: AVG7 Update

Service (Avg7UpdSvc) -

GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1

\avgupsvc.exe
O23 - Service: Symantec Event

Manager (ccEvtMgr) - Symantec

Corporation - C:\Program

Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec

Password Validation

(ccPwdSvc) - Symantec

Corporation - C:\Program

Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec

Settings Manager (ccSetMgr) -

Symantec Corporation -

C:\Program Files\Common

Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Creative

Service for CDROM Access -

Creative Technology Ltd -

C:\WINDOWS\System32

\CTsvcCDA.exe
O23 - Service: DvpApi

(dvpapi) - Command Software

Systems, Inc. - C:\Program

Files\Common Files\Command

Software\dvpapi.exe
O23 - Service:

GhostStartService - Symantec

Corporation - C:\PROGRA~1

\NORTON~2\NORTON~4

\GHOSTS~2.EXE
O23 - Service: Norton

AntiVirus Auto Protect

Service (navapsvc) - Symantec

Corporation - C:\Program

Files\Norton

SystemWorks\Norton

Antivirus\navapsvc.exe
O23 - Service: Norton Unerase

Protection (NProtectService)

- Symantec Corporation -

C:\PROGRA~1\NORTON~2

\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver

Helper Service (NVSvc) -

NVIDIA Corporation -

C:\WINDOWS\System32

\nvsvc32.exe
O23 - Service: Pml Driver

HPZ12 - HP -

C:\WINDOWS\system32

\HPZipm12.exe
O23 - Service: SAVScan -

Symantec Corporation -

C:\Program Files\Norton

SystemWorks\Norton

Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking

Service (SBService) -

Symantec Corporation -

C:\PROGRA~1\COMMON~1

\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate

Personal Firewall

(SmcService) - Sygate

Technologies, Inc. -

C:\Program

Files\Sygate\SPF\smc.exe
O23 - Service: Symantec

Network Drivers Service

(SNDSrvc) - Symantec

Corporation - C:\Program

Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: Speed Disk

service - Symantec

Corporation - C:\PROGRA~1

\NORTON~2\NORTON~2\SPEEDD~1

\NOPDB.EXE
O23 - Service: Symantec Core

LC - Symantec Corporation -

C:\Program Files\Common

Files\Symantec Shared\CCPD-

LC\symlcsvc.exe
O23 - Service: SymWMI Service

(SymWSC) - Symantec

Corporation - C:\Program

Files\Common Files\Symantec

Shared\Security

Center\SymWSC.exe
O23 - Service: WAN Miniport

(ATW) Service

(WANMiniportService) -

America Online, Inc. -

C:\WINDOWS\wanmpsvc.exe

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:05:59 PM

Posted 15 September 2005 - 06:29 AM

Hi epiphannyy. That log is way messed up. Try this. Open Notepad (not wordpad or any other word processing program). Use File>Open and navigate to the folder where your HijackThis.exe file is located and open the HijackThis.log file. Now press the Ctrl-A keys to select all the text and then press the Ctrl-C keys to copy it to the clipboard.

Come back to this topic and click the Add Reply button. Click in the edit area and then press the Ctrl-V keys to paste the data into the reply.

I will review the new information when it comes in.

Cheers.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

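The wrapped paste OldTimer refers to can be repaired mechanically before review. The script below is an added example for this thread (not HijackThis code and not from BleepingComputer): it rejoins wrapped fragments into one line per entry and then lists the O16 (Downloaded Program Files, i.e. ActiveX) sources by host, marking the ones a reviewer checks first. The join heuristics are assumptions derived from how the first log in this thread was broken, and the sample lines are copied from that log.

```python
"""Reassemble a line-wrapped HijackThis log and triage its O16 entries.

Added example for this thread, not code from HijackThis or BleepingComputer.
Assumption: the paste hard-wrapped inside URLs and paths and soft-wrapped at
spaces and hyphens, which is what the first log in the thread shows."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# A HijackThis entry starts with a section tag such as 'O16 - ' or 'O23 - '.
ENTRY_RE = re.compile(r"^(?:R\d|F\d|N\d|O\d{1,2}) - ")
# A URL scheme or a drive letter marks the start of the source field.
URL_OR_PATH_RE = re.compile(r"^(?:[A-Za-z][\w+.-]*://|[A-Za-z]:\\)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.+?) - (?P<source>.+)$")


def _separator(prev: str, cur: str, nxt: Optional[str]) -> str:
    """What belongs between two adjacent fragments of one wrapped entry."""
    if cur == "-":
        # A lone hyphen is the ' - ' field separator only when a URL or path
        # follows it; otherwise the wrap split a hyphen off a token
        # ('applet' | '-' | '6.0.4.37/...').
        return " " if nxt is not None and URL_OR_PATH_RE.match(nxt) else ""
    if prev == "-":
        return " " if URL_OR_PATH_RE.match(cur) else ""
    if prev.endswith(" -") or cur.startswith("- "):
        return " "   # field separator split across the wrap
    if prev.endswith("-") or cur[0] in "-/\\.":
        return ""    # hyphen, path or URL component continues
    if " " not in prev and "/" in prev:
        return ""    # a URL piece was cut mid-token at the wrap width
    return " "       # ordinary word wrap at a space


def unwrap_hjt_log(text: str) -> list[str]:
    """Rejoin wrapped lines so that each HijackThis entry is one line."""
    entries: list[list[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line) or not entries:
            entries.append([line])
        else:
            entries[-1].append(line)
    out = []
    for frags in entries:
        joined = frags[0]
        for i in range(1, len(frags)):
            nxt = frags[i + 1] if i + 1 < len(frags) else None
            joined += _separator(frags[i - 1], frags[i], nxt) + frags[i]
        out.append(joined)
    return out


@dataclass
class DpfEntry:
    name: str
    source: str
    host: str   # empty for a plain local path
    note: str   # empty when nothing stands out


def triage_o16(entries: list[str]) -> list[DpfEntry]:
    """Extract ActiveX download sources from O16 lines and mark the ones a
    reviewer looks at first: bare-IP hosts and local (non-web) sources."""
    result = []
    for entry in entries:
        m = O16_RE.match(entry)
        if not m:
            continue
        name, source = m.group("name"), m.group("source")
        scheme, _, rest = source.partition("://")
        if not rest:                      # plain path such as C:\...\x.dll
            host, note = "", "local file, not a download"
        else:
            host = rest.split("/", 1)[0]
            if scheme == "file":
                note = "file:// source, not a web download"
            elif IPV4_RE.match(host):
                note = "served from a bare IP address"
            else:
                note = ""
        result.append(DpfEntry(name, source, host, note))
    return result


# Constructed input: fragments copied from the wrapped log in this thread.
SAMPLE = r"""
O16 - DPF: Dice Derby by

pogo.com -

http://checkeredflag.pogo.com

/applet/checkeredflag/checker

edflag-ob-assets.cab
O16 - DPF: High Stakes Poker

by pogo -

http://game5.pogo.com/applet

-

6.0.4.37/drawpoker/drawpoker

-ob-assets.cab
O16 - DPF: {917623D1-D8E5-

11D2-BE8B-00104B06BDE3}

(CamImage Class) -

http://66.14.162.81/activex/A

xisCamControl.cab
O16 - DPF: {30528230-99F7-

4BB4-88D8-FA1D4F56A2AB}

(YInstStarter Class) -

C:\Program Files\Yahoo!

\Common\yinsthelper.dll
O23 - Service: AOL Spyware

Protection Service

(AOLService) - Unknown owner

- C:\Program Files\Common

Files\AOL\AOL Spyware

Protection\\aolserv.exe
"""

if __name__ == "__main__":
    for line in unwrap_hjt_log(SAMPLE):
        print(line)
    for e in triage_o16(unwrap_hjt_log(SAMPLE)):
        print(f"{e.host or '(local)':24} {e.name:50} {e.note}")
```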

#5 epiphannyy

epiphannyy
  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:59 PM

Posted 15 September 2005 - 09:39 PM

Let me try this one more time. I'm not sure what is going wrong because I've never taken it into another program, just copied and pasted it to this body here, but I've done exactly as you said, straight from Notepad to here. I hope this works and I'm sorry for the confusion.

Logfile of HijackThis v1.99.1
Scan saved at 1:20:43 AM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Saga\Super Popup Blocker\popkill.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: HTML Source Editor - {85810C93-C14C-11D5-BC4B-0050BA28E4FE} - C:\WINDOWS\System32\popkill.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShowIcon_KYE Electronics Corp._USB Storage R/W v1.14e057] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE Electronics Corp.\USB Storage R/W v1.14e057"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Super Popup Blocker] C:\Saga\Super Popup Blocker\popkill.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: Ali Baba Slots TM by pogo - http://slots02.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-6.0.1.28/bac...n-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-5.8.3.20/vid...k-ob-assets.cab
O16 - DPF: Checkers by pogo - http://checkers.pogo.com/applet-5.8.2.19/c...s-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet/cribbage/cribbage-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet-5.8.5.21/dom...o-ob-assets.cab
O16 - DPF: Dominoes by pogo.com - http://temp22.pogo.com/applet/domino/domino-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet/videopo...e-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.8.3.26/euc...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire14.pogo.com/applet/solitai...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.8.3.20/...k-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback...k-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.com/applet-6.0.4.37/draw...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.8.6.20/pool...l-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke02.pogo.com/applet/videopoker...d-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.4.31/gin/gin-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahj...g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.4.24/f...l-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://temp36.pogo.com/applet/freecell/fre...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.4.31/flin...r-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire03.pogo.com/applet-5.8.3.2...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game6.pogo.com/applet-5.9.3.38/popp...t-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://scifi.pogo.com/applet/slots/scifi-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://showbiz.pogo.com/applet-5.8.1.28/sl...z-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://temp35.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5.9.1.18...s-ob-assets.cab
O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-6.0.1.20...h-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo.com - http://sweet06.pogo.com/applet/sweettooth/...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game2.pogo.com/applet-5.8.2.19/hold...m-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://simball02.pogo.com/applet-5.8.2.19/...l-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo.com - http://simball02.pogo.com/applet/simball/s...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.0.4.37/peak...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.8.2.19/jum...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.com/applet-5.8.6.20/turb...1-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.8.2.19/word...p-ob-assets.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/applet/whackdow...n-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.0.25/w...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.9.1.28/w...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://xpupload.hpphoto.com/downloads/DownloadPhotos.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.14.162.81/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../yse/ymmapi.dll
O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} (AOL YGP Screensaver) - http://pak02.pictures.aol.com/ygp/aol/plug...ver.1.0.2.5.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://209.95.72.188/csi_netcam.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://E:\Bin\html\files\MotivePreQual.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol125.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} - http://companion.logitech.com/companion/lo...1/bin/imvid.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:05:59 PM

Posted 16 September 2005 - 10:19 AM

Hi epiphannyy. That log looks better. And, also, it shows no problems. Depending on what Norton was finding and where it was finding it, it might not be a problem at all. Let's run a different scanner and see what it shows us.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 epiphannyy

epiphannyy
  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:59 PM

Posted 16 September 2005 - 11:11 PM

Thanks so much for all your help. Here are the two logs you requested:

First the WinPFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 9/16/2005 9:35:10 AM RHS 22193922 C:\AVG7DB_F.DAT
UPX! 4/3/2005 8:15:44 AM 9730 C:\PX283.exe
UPX! 1/28/2005 3:40:24 AM 9730 C:\PX59.exe
UPX! 1/28/2005 3:41:36 AM 9730 C:\PX5B.exe
UPX! 1/29/2005 11:18:22 PM 9730 C:\PX65.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 2/3/2003 5:09:00 AM 505360 C:\WINDOWS\eFaxview.exe
PECompact2 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\lpt$vpn.831
qoologic 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\lpt$vpn.831
SAHAgent 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\lpt$vpn.831
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
UPX! 10/15/2003 11:42:16 PM 150528 C:\WINDOWS\unSpySweeper.exe
PECompact2 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\VPTNFILE.831
qoologic 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\VPTNFILE.831
SAHAgent 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\VPTNFILE.831
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/29/2002 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 6/14/2004 4:25:00 AM 472576 C:\WINDOWS\SYSTEM32\Incinerator.dll
aspack 2/3/2003 5:09:00 AM 881152 C:\WINDOWS\SYSTEM32\jsdvwsdk.dll
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 9/8/2005 11:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 11:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 9/11/2005 7:09:56 PM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 9/11/2005 7:09:56 PM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 9/11/2005 7:09:56 PM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 9/11/2005 7:09:56 PM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/16/2005 10:01:16 PM S 2048 C:\WINDOWS\bootstat.dat
9/3/2005 10:04:22 AM H 54156 C:\WINDOWS\QTFont.qfn
7/19/2005 7:18:10 PM S 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
9/16/2005 10:00:52 PM H 8192 C:\WINDOWS\system32\config\default.LOG
9/16/2005 10:01:24 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/16/2005 10:01:18 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
9/16/2005 10:01:26 PM H 53248 C:\WINDOWS\system32\config\software.LOG
9/16/2005 10:00:18 PM H 1024 C:\WINDOWS\system32\config\system.LOG
9/13/2005 7:05:24 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
9/9/2005 7:36:26 PM S 70191 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1
9/9/2005 7:36:26 PM S 128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1
9/16/2005 10:00:00 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 5/28/2001 5:47:00 PM 32768 C:\WINDOWS\SYSTEM32\AudioHQU.cpl
4/26/2002 7:33:40 PM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Logitech Inc. 6/1/2004 12:02:30 PM 282624 C:\WINDOWS\SYSTEM32\CamCpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 10:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 7/28/2003 6:19:00 PM 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Squid Software O 4/11/2004 12:35:46 AM 77312 C:\WINDOWS\SYSTEM32\P2P Networking v125.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 2/26/2005 3:32:16 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 1/6/2004 4:02:36 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft 3/3/1999 3:10:02 AM 49152 C:\WINDOWS\SYSTEM32\speech.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
NVIDIA Corporation 9/4/2002 6:46:00 AM 106496 C:\WINDOWS\SYSTEM32\ReinstallBackups\0012\DriverFiles\nvtuicpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/9/2003 5:49:28 PM 997 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/8/2005 11:23:56 AM 1768 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/16/2002 7:31:04 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
10/19/2004 12:15:00 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
10/19/2004 12:02:46 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/16/2002 12:15:10 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
1/18/2005 3:36:10 PM 394 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/16/2002 7:31:04 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
6/3/2005 8:05:08 AM 972 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Norton System Doctor.LNK

Checking files in %USERPROFILE%\Application Data folder...
8/8/2005 11:21:32 AM 1215 C:\Documents and Settings\Administrator\Application Data\AdobeDLM.log
9/16/2002 12:15:10 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini
8/8/2005 11:21:32 AM 0 C:\Documents and Settings\Administrator\Application Data\dm.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
YComp 5.0.2.6 = Yahoo! Companion
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Erasext
{8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\HotShellExt
{02040CD1-EF11-11D5-BC3F-0003473F5BF0} = C:\Program Files\Common Files\efax\hotshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\a2\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Erasext
{8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85810C93-C14C-11D5-BC4B-0050BA28E4FE}
ViewSource Class = C:\WINDOWS\System32\popkill.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp toolkit = C:\WINDOWS\System32\Shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = hp toolkit : C:\HP\EXPLOREBAR\HPTOOLKT.DLL
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
{40D41A8B-D79B-43d7-99A7-9EE0F344C385} = AIM Search : C:\Program Files\AIM Toolbar\AIMBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = Yahoo! Services :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ADE-8052-AA58578A21BD}
hp toolkit = C:\WINDOWS\System32\Shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = hp toolkit : C:\HP\EXPLOREBAR\HPTOOLKT.DLL
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = hp toolkit : C:\HP\EXPLOREBAR\HPTOOLKT.DLL
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
{4982D40A-C53B-4615-B15B-B5B5E98D167C} = :
{40D41A8B-D79B-43D7-99A7-9EE0F344C385} = AIM Search : C:\Program Files\AIM Toolbar\AIMBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ehTray C:\WINDOWS\ehome\ehtray.exe
hpsysdrv c:\windows\system\hpsysdrv.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
ShowIcon_KYE Electronics Corp._USB Storage R/W v1.14e057 "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE Electronics Corp.\USB Storage R/W v1.14e057"
KBD C:\HP\KBD\KBD.EXE
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE
Jet Detection "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
Super Popup Blocker C:\Saga\Super Popup Blocker\popkill.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
HPDJ Taskbar Utility C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
LVCOMSX C:\WINDOWS\system32\LVCOMSX.EXE
SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
AOL Spyware Protection C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
QD FastAndSafe C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /scheduler
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Weather C:\Program Files\AWS\WeatherBug\Weather.exe 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun [

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.3.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/16/2005 10:12:32 PM


Now the HijackThis log, done after the WinPFind scan:

Logfile of HijackThis v1.99.1
Scan saved at 12:03:40 AM, on 9/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Saga\Super Popup Blocker\popkill.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: HTML Source Editor - {85810C93-C14C-11D5-BC4B-0050BA28E4FE} - C:\WINDOWS\System32\popkill.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShowIcon_KYE Electronics Corp._USB Storage R/W v1.14e057] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE Electronics Corp.\USB Storage R/W v1.14e057"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Super Popup Blocker] C:\Saga\Super Popup Blocker\popkill.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: Ali Baba Slots TM by pogo - http://slots02.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-6.0.1.28/bac...n-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-5.8.3.20/vid...k-ob-assets.cab
O16 - DPF: Checkers by pogo - http://checkers.pogo.com/applet-5.8.2.19/c...s-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet/cribbage/cribbage-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet-5.8.5.21/dom...o-ob-assets.cab
O16 - DPF: Dominoes by pogo.com - http://temp22.pogo.com/applet/domino/domino-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet/videopo...e-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.8.3.26/euc...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire14.pogo.com/applet/solitai...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.8.3.20/...k-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback...k-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.com/applet-6.0.4.37/draw...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.8.6.20/pool...l-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke02.pogo.com/applet/videopoker...d-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.4.31/gin/gin-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahj...g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.4.24/f...l-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://temp36.pogo.com/applet/freecell/fre...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.4.31/flin...r-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire03.pogo.com/applet-5.8.3.2...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game6.pogo.com/applet-5.9.3.38/popp...t-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://scifi.pogo.com/applet/slots/scifi-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://showbiz.pogo.com/applet-5.8.1.28/sl...z-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://temp35.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5.9.1.18...s-ob-assets.cab
O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-6.0.1.20...h-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo.com - http://sweet06.pogo.com/applet/sweettooth/...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game2.pogo.com/applet-5.8.2.19/hold...m-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo - http://simball02.pogo.com/applet-5.8.2.19/...l-ob-assets.cab
O16 - DPF: The Sims Pinball by pogo.com - http://simball02.pogo.com/applet/simball/s...l-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.0.4.37/peak...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.8.2.19/jum...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.com/applet-5.8.6.20/turb...1-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.8.2.19/word...p-ob-assets.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/applet/whackdow...n-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.0.25/w...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.9.1.28/w...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://xpupload.hpphoto.com/downloads/DownloadPhotos.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.14.162.81/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../yse/ymmapi.dll
O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} (AOL YGP Screensaver) - http://pak02.pictures.aol.com/ygp/aol/plug...ver.1.0.2.5.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://209.95.72.188/csi_netcam.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://E:\Bin\html\files\MotivePreQual.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://aol125.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} - http://companion.logitech.com/companion/lo...1/bin/imvid.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
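
A small triage pass over the O16 (DPF/ActiveX download) and O23 (service) lines of a HijackThis log, as an added example; this is not HijackThis's own code or anything posted in this thread. It assumes the v1.99.1 line layout shown above, and the sample lines are constructed from the shapes in that log. It flags the things an analyst checks first in those two sections: ActiveX controls sourced from a bare IP address or from a local or file:// path, and services whose binary carries no vendor name ("Unknown owner"). A flag is a prompt to look closer, not a verdict; the camera control and the AOL service that the sample flags also appear in the log above and were not among the files the helper asked to remove.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: O16 (ActiveX/DPF download) and O23 (service) lines in
# the HijackThis v1.99.1 layout used in this thread. Not a complete scan.
SAMPLE_LOG = r"""
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.14.162.81/activex/AxisCamControl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://E:\Bin\html\files\MotivePreQual.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Entry:
    kind: str             # "O16" (ActiveX/DPF download) or "O23" (service)
    label: str            # CLSID + description for O16, service name for O23
    owner: Optional[str]  # O23 only: vendor string HijackThis reported
    target: str           # download URL (O16) or service binary path (O23)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O16 or O23 line; return None for anything else."""
    line = line.strip()
    if line.startswith("O16 - DPF: "):
        body = line[len("O16 - DPF: "):]
        # Layout: "<label> - <source>"; the label may be "{CLSID} (Desc)" or a plain name.
        label, sep, target = body.rpartition(" - ")
        return Entry("O16", label, None, target) if sep else None
    if line.startswith("O23 - Service: "):
        body = line[len("O23 - Service: "):]
        # Layout: "<display name> - <vendor> - <binary path>".
        parts = body.rsplit(" - ", 2)
        if len(parts) != 3:
            return None
        name, owner, target = parts
        return Entry("O23", name, owner, target)
    return None


def flag_entry(entry: Entry) -> List[str]:
    """Return the reasons (possibly none) an entry deserves a second look."""
    reasons: List[str] = []
    if entry.kind == "O16":
        url = urlparse(entry.target)
        if url.scheme not in ("http", "https"):
            # A local path or file:// source means the control was not fetched
            # from a web server at all; worth confirming what installed it.
            reasons.append("ActiveX source is not an http(s) URL: " + entry.target)
        elif IPV4_RE.match(url.hostname or ""):
            # Vendor controls are normally served from a named host.
            reasons.append("ActiveX host is a bare IP address: " + str(url.hostname))
    elif entry.kind == "O23":
        if entry.owner == "Unknown owner":
            # HijackThis could not read a company name from the binary's
            # version resource; legitimate software usually carries one.
            reasons.append("service binary has no vendor information: " + entry.target)
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Run every O16/O23 line through flag_entry; keep only the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            findings.append((entry.kind, entry.label, reasons))
    return findings


if __name__ == "__main__":
    for kind, label, reasons in triage(SAMPLE_LOG):
        print(f"[{kind}] {label}")
        for reason in reasons:
            print("    -", reason)
```

Feed the script a full log instead of SAMPLE_LOG and it will skip every line that is not O16 or O23; the other HijackThis sections have their own layouts and would need their own parsers.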

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:05:59 PM

Posted 18 September 2005 - 06:54 PM

Hi epiphannyy. It looks like we have a couple of files to remove, so please print these directions and then proceed with the following steps in order.

Download Pocket Killbox and unzip it to your desktop.

Double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\PX283.exe
      C:\PX59.exe
      C:\PX5B.exe
      C:\PX65.exe
      C:\WINDOWS\unSpySweeper.exe
      C:\WINDOWS\SYSTEM32\jsdvwsdk.dll
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
Your system will reboot now.

Re-run the WinPFind scan and post the new log back here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#9 epiphannyy

epiphannyy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:59 PM

Posted 19 September 2005 - 08:47 PM

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 2/3/2003 5:09:00 AM 505360 C:\WINDOWS\eFaxview.exe
PECompact2 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\lpt$vpn.831
qoologic 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\lpt$vpn.831
SAHAgent 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\lpt$vpn.831
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\VPTNFILE.831
qoologic 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\VPTNFILE.831
SAHAgent 9/11/2005 1:22:04 PM 15787697 C:\WINDOWS\VPTNFILE.831
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/29/2002 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 6/14/2004 4:25:00 AM 472576 C:\WINDOWS\SYSTEM32\Incinerator.dll
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 9/8/2005 11:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 11:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 9/11/2005 7:09:56 PM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 9/11/2005 7:09:56 PM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 9/11/2005 7:09:56 PM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 9/11/2005 7:09:56 PM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/19/2005 9:21:50 PM S 2048 C:\WINDOWS\bootstat.dat
9/3/2005 10:04:22 AM H 54156 C:\WINDOWS\QTFont.qfn
9/19/2005 9:26:10 PM H 1024 C:\WINDOWS\system32\config\default.LOG
9/19/2005 9:21:52 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/19/2005 9:24:48 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
9/19/2005 9:29:38 PM H 1024 C:\WINDOWS\system32\config\software.LOG
9/19/2005 9:25:20 PM H 1024 C:\WINDOWS\system32\config\system.LOG
9/13/2005 7:05:24 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
9/9/2005 7:36:26 PM S 70191 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1
9/9/2005 7:36:26 PM S 128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1
9/19/2005 9:21:58 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 5/28/2001 5:47:00 PM 32768 C:\WINDOWS\SYSTEM32\AudioHQU.cpl
4/26/2002 7:33:40 PM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Logitech Inc. 6/1/2004 12:02:30 PM 282624 C:\WINDOWS\SYSTEM32\CamCpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 10:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 7/28/2003 6:19:00 PM 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Squid Software O 4/11/2004 12:35:46 AM 77312 C:\WINDOWS\SYSTEM32\P2P Networking v125.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 2/26/2005 3:32:16 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 1/6/2004 4:02:36 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft 3/3/1999 3:10:02 AM 49152 C:\WINDOWS\SYSTEM32\speech.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
NVIDIA Corporation 9/4/2002 6:46:00 AM 106496 C:\WINDOWS\SYSTEM32\ReinstallBackups\0012\DriverFiles\nvtuicpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/9/2003 5:49:28 PM 997 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/8/2005 11:23:56 AM 1768 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/16/2002 7:31:04 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
10/19/2004 12:15:00 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
10/19/2004 12:02:46 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/16/2002 12:15:10 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
1/18/2005 3:36:10 PM 394 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/16/2002 7:31:04 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
6/3/2005 8:05:08 AM 972 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Norton System Doctor.LNK

Checking files in %USERPROFILE%\Application Data folder...
8/8/2005 11:21:32 AM 1215 C:\Documents and Settings\Administrator\Application Data\AdobeDLM.log
9/16/2002 12:15:10 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini
8/8/2005 11:21:32 AM 0 C:\Documents and Settings\Administrator\Application Data\dm.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
YComp 5.0.2.6 = Yahoo! Companion
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Erasext
{8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\HotShellExt
{02040CD1-EF11-11D5-BC3F-0003473F5BF0} = C:\Program Files\Common Files\efax\hotshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\a2\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Erasext
{8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85810C93-C14C-11D5-BC4B-0050BA28E4FE}
ViewSource Class = C:\WINDOWS\System32\popkill.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp toolkit = C:\WINDOWS\System32\Shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = hp toolkit : C:\HP\EXPLOREBAR\HPTOOLKT.DLL
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
{40D41A8B-D79B-43d7-99A7-9EE0F344C385} = AIM Search : C:\Program Files\AIM Toolbar\AIMBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = Yahoo! Services :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ADE-8052-AA58578A21BD}
hp toolkit = C:\WINDOWS\System32\Shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = hp toolkit : C:\HP\EXPLOREBAR\HPTOOLKT.DLL
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = hp toolkit : C:\HP\EXPLOREBAR\HPTOOLKT.DLL
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
{4982D40A-C53B-4615-B15B-B5B5E98D167C} = :
{40D41A8B-D79B-43D7-99A7-9EE0F344C385} = AIM Search : C:\Program Files\AIM Toolbar\AIMBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ehTray C:\WINDOWS\ehome\ehtray.exe
hpsysdrv c:\windows\system\hpsysdrv.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
ShowIcon_KYE Electronics Corp._USB Storage R/W v1.14e057 "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE Electronics Corp.\USB Storage R/W v1.14e057"
KBD C:\HP\KBD\KBD.EXE
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE
Jet Detection "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
Super Popup Blocker C:\Saga\Super Popup Blocker\popkill.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
HPDJ Taskbar Utility C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
LVCOMSX C:\WINDOWS\system32\LVCOMSX.EXE
SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
AOL Spyware Protection C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
QD FastAndSafe C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /scheduler
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Weather C:\Program Files\AWS\WeatherBug\Weather.exe 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun [

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.3.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/19/2005 9:35:41 PM

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:05:59 PM

Posted 20 September 2005 - 05:22 AM

Hi epiphannyy. Everything looks clean. Good job!

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • CHECK Turn off System Restore.
    • Click Apply, and then click OK.
  • Restart your computer.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore.
    • Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You already have a good firewall and a good antivirus application installed and running. It is important to have both to protect your system, and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean be aware of what emails you open, what websites you visit, and update and run these free malware scanners once a week:

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT

#11 epiphannyy

epiphannyy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:59 PM

Posted 24 September 2005 - 12:45 AM

Thank you SO MUCH for all your help! It's appreciated more than you know :thumbsup:

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:05:59 PM

Posted 25 September 2005 - 07:49 AM

You're very welcome epiphannyy. I'm glad that we could help.

Now that your malware issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup: