
Ie Taken Over By Cws Home Search - Please Help!


5 replies to this topic

#1 highlight

highlight

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:19 AM

Posted 01 November 2005 - 04:07 AM

Hi!

I have Windows XP and Internet Explorer seems to be in the clutches of CWS HomeSearch and Smart Finder and keeps throwing open popup windows. Both Adaware and SpyBot didn't even detect this, but Yahoo! AntiSpy did, but couldn't remove it. Details showed the location at hkey_local_machine\system\currentcontrolset\enum\root\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I

Tried to delete this manually through regedit, but it won't delete even in safe mode (with networking).

I've run HijackThis. The logfile is as follows:


Logfile of HijackThis v1.99.1
Scan saved at 12:34:18 PM, on 11/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\apitk.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Security\Norton SystemWorks\Norton Antivirus\navapsvc.exe
D:\Security\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\Security\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Security\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\plscd.exe
C:\WINDOWS\cruk.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Security\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
D:\Web\Firefox\firefox.exe
D:\Utilities\HijackThis\HijackThis.exe
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hsnum.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hsnum.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hsnum.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hsnum.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hsnum.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hsnum.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hsnum.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {057AA07B-6035-C977-C4F6-22C3007CC2F8} - C:\WINDOWS\sdkmx32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utilities\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Security\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {573CB0AD-66BE-4CDC-ED99-366A5168E589} - C:\WINDOWS\mfctg.dll (file missing)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Security\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Class - {FC9B941A-15DD-790B-6F46-1458B80D9E09} - C:\WINDOWS\system32\apptx32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Security\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Design\CorelDRAW Graphics Suite\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=110905 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DRam prosessor] plscd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winwt32.exe] C:\WINDOWS\system32\winwt32.exe
O4 - HKLM\..\Run: [cruk.exe] C:\WINDOWS\cruk.exe
O4 - HKLM\..\RunServices: [DRam prosessor] plscd.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office\OFFICE~1\Office10\EXCEL.EXE/3000
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123404906139
O17 - HKLM\System\CCS\Services\Tcpip\..\{2ABEF0F2-937E-41DE-A8F4-431B1F0FA9AF}: NameServer = 203.145.184.13,202.56.250.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{5772FAF6-E617-4640-9F6B-20197201ACFB}: NameServer = 203.145.184.13,202.56.250.5
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Security\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Security\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Security\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\Security\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

==================================================================

I ran ADS Spy too, and this is the result:

C:\WINDOWS\Blue Lace 16.bmp : ovzhvm (3567 bytes)
C:\WINDOWS\bootstat.dat : cyjdnm (11801 bytes)
C:\WINDOWS\Coffee Bean.bmp : urbihx (35353 bytes)
C:\WINDOWS\DirectX.log : xpsisy (66560 bytes)
C:\WINDOWS\Greenstone.bmp : ccvlg (86593 bytes)
C:\WINDOWS\imsins.log : bvtewr (13581 bytes)
C:\WINDOWS\KB842773.log : mwljqu (197756 bytes)
C:\WINDOWS\KB842773Uninst.log : ferjev (86593 bytes)
C:\WINDOWS\MedCtrOC.log : ewwxte (3567 bytes)
C:\WINDOWS\mozver.dat : yxjpzx (11801 bytes)
C:\WINDOWS\msgsocm.log : wppcno (66560 bytes)
C:\WINDOWS\NeroDigital.ini : hwwqst (11801 bytes)
C:\WINDOWS\nsw.log : zxpdne (35353 bytes)
C:\WINDOWS\Prairie Wind.bmp : shiuka (86593 bytes)
C:\WINDOWS\Rhododendron.bmp : liahek (11801 bytes)
C:\WINDOWS\spuninst.log : pmmovy (13581 bytes)
C:\WINDOWS\svcpack.log : hmebya (197756 bytes)
C:\WINDOWS\tabletoc.log : znpgsl (3567 bytes)
C:\WINDOWS\UNNVEContent.cfg : kohluv (66560 bytes)
C:\WINDOWS\wmprfsve.prx : uwthvs (11801 bytes)
C:\WINDOWS\_default.pif : julafg (35353 bytes)
C:\WINDOWS\_default.pif : luooyz (13581 bytes)


Would be most grateful for help and advice!

My email Id is anitaojha@yahoo.com

Thanks.

Anita
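As an added example (my own code, not part of the thread and not a feature of HijackThis or any tool named here), the script below applies a few CoolWebSearch-style heuristics to lines copied from the HijackThis log above: IE search pages pointing at a `res://` resource inside a local DLL, a removed URLSearchHook, BHOs with generic or orphaned registrations, and Run entries that use a bare file name, sit in the Windows root, or are named after their own executable. The heuristics and the `WINDIR` value are assumptions of this example; the output is a list of candidates for a helper to review, not verdicts.

```python
"""Triage a HijackThis 1.99.1 log for CoolWebSearch-style indicators.

Added example, not from the thread. The sample lines are an excerpt of the
log posted above; the heuristics are this example's own, not HijackThis rules.
"""
import ntpath
import re

WINDIR = r"C:\WINDOWS"  # assumed from the Win-Path the logs in this thread report

# Excerpt copied from the HijackThis log posted above (constructed sample input).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hsnum.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {057AA07B-6035-C977-C4F6-22C3007CC2F8} - C:\WINDOWS\sdkmx32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utilities\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {573CB0AD-66BE-4CDC-ED99-366A5168E589} - C:\WINDOWS\mfctg.dll (file missing)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DRam prosessor] plscd.exe
O4 - HKLM\..\Run: [winwt32.exe] C:\WINDOWS\system32\winwt32.exe
O4 - HKLM\..\Run: [cruk.exe] C:\WINDOWS\cruk.exe
O4 - HKLM\..\RunServices: [DRam prosessor] plscd.exe
"""

R_LINE = re.compile(r"^(R[0-3]) - (.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.*)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
GENERIC_BHO_NAMES = {"Class", "(no name)"}
SYSTEM32 = ntpath.join(WINDIR, "system32").upper()


def _command_exe(command):
    """Return the executable part of an O4 command line, honouring quoting."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def _check_r(line):
    """R0/R1/R3: IE start/search pages and the URLSearchHook."""
    if line.startswith("R3 - ") and "URLSearchHook is missing" in line:
        return "default URLSearchHook removed; CWS variants clear it so their own hook is used"
    m = R_LINE.match(line)
    if m and m.group(3).lower().startswith("res://"):
        return "IE search/start page points at a resource inside a local DLL (HomeSearch hallmark)"
    return None


def _check_o2(line):
    """O2: browser helper objects with generic names or missing files."""
    m = O2_LINE.match(line)
    if not m:
        return None
    name, target = m.group(1), m.group(2)
    if name in GENERIC_BHO_NAMES:
        if "file missing" in target or target == "(no file)":
            return "orphaned BHO registration with a generic name; the CLSID entry is left behind"
        if ntpath.dirname(target).upper() in (WINDIR.upper(), SYSTEM32):
            return "BHO with a generic name loaded from the Windows directory"
    return None


def _check_o4(line):
    """O4: autostart entries whose command looks like a dropped loader."""
    m = O4_LINE.match(line)
    if not m:
        return None
    entry_name, exe = m.group(2), _command_exe(m.group(3))
    if "\\" not in exe:
        return "Run entry uses a bare file name, resolved through PATH at logon"
    if ntpath.dirname(exe).upper() == WINDIR.upper():
        return "Run entry launches an executable dropped directly in the Windows root"
    if entry_name.lower() == ntpath.basename(exe).lower():
        return "Run entry named after its own executable (common for dropped loaders)"
    return None


def triage(log_text):
    """Return [(line, reason)] for every log line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in (_check_r, _check_o2, _check_o4):
            reason = check(line)
            if reason:
                findings.append((line, reason))
                break
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {flagged_line}")
```

Run against the excerpt it flags nine of the thirteen lines and leaves the Symantec, Acrobat and Yahoo entries alone; a bare-name rule like this will also catch legitimate entries such as `nwiz.exe`, which is why the output is a review list.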


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:49 AM

Posted 01 November 2005 - 08:58 AM

Hello and welcome to BC! :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix)

Unzip CWShredder to its own folder (i.e. c:\CWShredder)

Unzip AboutBuster to its own folder (i.e. c:\Aboutbuster)

Run the CleanUp! installer. You don't need to do anything with it right now.

Download HomeSearchfix.zip
http://users.pandora.be/marcvn/tools/HSfix.zip
  • Unzip the contents of HSfix.zip (HSfix.reg) to your desktop.
  • Please do not do anything with it yet.
Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Then run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Double-click on HSfix.reg you downloaded earlier.
  • When it asks you to merge the information to the registry click "Yes".
Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp.

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional; if you leave the box checked it will remove all of your cookies. At this point, removing cookies is a good idea.
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Finally, reboot back into normal mode and post back with how things went, as well as all the logs requested along with a fresh HijackThis log. :flowers:

#3 highlight

highlight
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:19 AM

Posted 03 November 2005 - 04:01 AM

Thanks for the guidance!

I did everything as you advised...BUT...am still getting popups with IE titled 'Simply the Best', and Yahoo Anti-spy shows CWS HomeSearch and SmartFinder as still present. However, when I click on a link the page isn't hijacked as before, though I have noticed what may be an attempt...the address bar shows a dll, but fortunately so far it hasn't opened. Also, I get a balloon on my taskbar which says:

"your virus protection is bad". Also sometimes a message box alerting me to the same thing and supposed to be from Microsoft's PC Protection Centre. It gave a removal link http://www.spywareno.com/?advid=143
Is this really from Microsoft? I'm very suspicious now!


Here are the log files:

AboutBuster 5.1, reference file 32
Scan started on [11/2/2005] at [12:56:57 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\deuwa.dll
Removed File! : C:\WINDOWS\icpmg.dat
Removed File! : C:\WINDOWS\System32\ctouy.dll
Removed File! : C:\WINDOWS\System32\jvjky.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:57:57 PM

AboutBuster 5.1, reference file 32
Scan started on [11/3/2005] at [12:44:14 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:45:15 PM




CWShredder system report:

system Report generated at 1:06 p.m. Nov 02, 2005


**** Run Keys ****

RUN: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
RUN: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
RUN: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
RUN: [CorelDRAW Graphics Suite 11b] D:\Design\CorelDRAW Graphics Suite\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=110905 serial=DR12WTX-9999998-YSP lang=EN
RUN: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
RUN: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
RUN: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
RUN: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
RUN: [winwt32.exe] C:\WINDOWS\system32\winwt32.exe
RUN: [DRam prosessor] plscd.exe
RUN: [cruk.exe] C:\WINDOWS\cruk.exe
RUN: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
RUN: [SpybotSD TeaTimer] D:\Security\Spybot - Search & Destroy\TeaTimer.exe


**** Browser Helper Objects ****

BHO: [Class] C:\WINDOWS\sdkmx32.dll
BHO: [AcroIEHlprObj Class] D:\Utilities\Acrobat\Reader\ActiveX\AcroIEHelper.dll
BHO: [AcroIEHlprObj Class] D:\Security\Spybot - Search & Destroy\SDHelper.dll
BHO: [Class] C:\WINDOWS\mfctg.dll
BHO: [Class] C:\WINDOWS\mfctg.dll
BHO: [Class] C:\WINDOWS\d3zr32.dll
BHO: [CNavExtBho Class] D:\Security\Norton SystemWorks\Norton Antivirus\NavShExt.dll
BHO: [Class] C:\WINDOWS\system32\apptx32.dll


**** IE Toolbars ****

TOOLBAR: [Norton AntiVirus] D:\Security\Norton SystemWorks\Norton Antivirus\NavShExt.dll
TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx
TOOLBAR: [Yahoo! Toolbar] C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll


**** IE Extensions ****



**** Hosts File Entries ****



**** IE Settings ****

IEBypass: <local>
Default Page: about:blank
Default Search:
Local Page: C:\WINDOWS\System32\blank.htm
Search Page:


**** IE Context Menu (Right click) ****

IEContext: [Convert link target to Adobe PDF]
IEContext: [Convert link target to existing PDF]
IEContext: [Convert selected links to Adobe PDF]
IEContext: [Convert selected links to existing PDF]
IEContext: [Convert selection to Adobe PDF]
IEContext: [Convert selection to existing PDF]
IEContext: [Convert to Adobe PDF]
IEContext: [Convert to existing PDF]
IEContext: [E&xport to Microsoft Excel] res://D:\Office\OFFICE~1\Office10\EXCEL.EXE/3000


**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD nwlnkipx [IPX]
LSP: MSAFD nwlnkspx [SPX]
LSP: MSAFD nwlnkspx [SPX] [Pseudo Stream]
LSP: MSAFD nwlnkspx [SPX II]
LSP: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
LSP: MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5772FAF6-E617-4640-9F6B-20197201ACFB}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5772FAF6-E617-4640-9F6B-20197201ACFB}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2ABEF0F2-937E-41DE-A8F4-431B1F0FA9AF}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2ABEF0F2-937E-41DE-A8F4-431B1F0FA9AF}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{15FA7658-756F-4AAA-B30D-80A3036B4B7A}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{15FA7658-756F-4AAA-B30D-80A3036B4B7A}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DBF50A48-D47C-40CE-9B6C-E1D652A21969}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DBF50A48-D47C-40CE-9B6C-E1D652A21969}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{73198B51-E3EE-46E9-B5FA-3A66674F90E6}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{73198B51-E3EE-46E9-B5FA-3A66674F90E6}] DATAGRAM 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{11D57AAF-7264-4D57-BF92-7E640CBA0F1D}] SEQPACKET 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{11D57AAF-7264-4D57-BF92-7E640CBA0F1D}] DATAGRAM 6


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} [http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab] C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
{6414512B-B978-451D-A0D8-FCFDF33E833C} [http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123404906139]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]


**** Windows Services ****

[Adobe LM Service] "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
[ccPwdSvc] "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
[ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
[cisvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[Fax] %systemroot%\system32\fxssvc.exe
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[IISADMIN] C:\WINDOWS\System32\inetsrv\inetinfo.exe
[ImapiService] C:\WINDOWS\System32\imapi.exe
[Java]
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Macromedia Licensing Service] "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
[MDM] "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSFtpsvc] %SystemRoot%\System32\inetsrv\inetinfo.exe
[MSIServer] C:\WINDOWS\System32\msiexec.exe /V
[navapsvc] "D:\Security\Norton SystemWorks\Norton Antivirus\navapsvc.exe"
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NProtectService] D:\Security\NORTON~1\NORTON~2\NPROTECT.EXE
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\System32\nvsvc32.exe
[PlugPlay] %SystemRoot%\system32\services.exe
[Pml Driver HPZ12] C:\WINDOWS\System32\HPZipm12.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SAVScan] D:\Security\Norton SystemWorks\Norton Antivirus\SAVScan.exe
[SBService] C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[SMTPSVC] C:\WINDOWS\System32\inetsrv\inetinfo.exe
[SNDSrvc] C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
[Speed Disk service] D:\Security\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{BD1B82F1-E677-40DB-BA59-42479C1B7CFE}
[Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
[SymWSC] C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost.exe -k netsvcs
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] C:\WINDOWS\System32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[W3SVC] %SystemRoot%\System32\inetsrv\inetinfo.exe
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSp] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wuauserv] %SystemRoot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\System32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] about:blank
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page]
IEOPT: [Check_Associations] No
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [Use FormSuggest] yes
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [AddToFavoritesExpanded]
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] yes
IEOPT: [HistoryViewType]
IEOPT: [HistoryTopNSitesView]
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand]
IEOPT: [NoWebJITSetup]
IEOPT: [Page_Transitions]
IEOPT: [FavIntelliMenus] no
IEOPT: [UseThemes]
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders]
IEOPT: [Print_Background] no
IEOPT: [AutoSearch]
IEOPT: [LastCheckedHi] o
IEOPT: [Use Search Asst]
IEOPT: [Default_Page_URL] about:blank
IEOPT: [Default_Search_URL]
IEOPT: [Search Page]
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no


SPSeHjFix log:

(11/2/05 1:07:33 PM) SPSeHjFix started v1.1.2
(11/2/05 1:07:33 PM) OS: WinXP (5.1.2600)
(11/2/05 1:07:33 PM) Language: english
(11/2/05 1:07:33 PM) Win-Path: C:\WINDOWS
(11/2/05 1:07:33 PM) System-Path: C:\WINDOWS\System32
(11/2/05 1:07:33 PM) Temp-Path: C:\DOCUME~1\Anita\LOCALS~1\Temp\
(11/2/05 1:07:58 PM) Disinfection started
(11/2/05 1:07:58 PM) Bad-Dll(IEP): (not found)
(11/2/05 1:07:58 PM) Bad-Dll(IEP) in BHO: (not found)
(11/2/05 1:07:58 PM) UBF: 4 - UBB: 7 - UBR: 13
(11/2/05 1:07:58 PM) UBF: 4 - UBB: 7 - UBR: 13
(11/2/05 1:07:58 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
(11/2/05 1:07:58 PM) Stealth-String not found
(11/2/05 1:07:58 PM) Not infected->END


(11/2/05 1:08:34 PM) SPSeHjFix started v1.1.2
(11/2/05 1:08:34 PM) OS: WinXP (5.1.2600)
(11/2/05 1:08:34 PM) Language: english
(11/2/05 1:08:34 PM) Win-Path: C:\WINDOWS
(11/2/05 1:08:34 PM) System-Path: C:\WINDOWS\System32
(11/2/05 1:08:34 PM) Temp-Path: C:\DOCUME~1\Anita\LOCALS~1\Temp\
(11/2/05 1:08:36 PM) Disinfection started
(11/2/05 1:08:36 PM) Bad-Dll(IEP): (not found)
(11/2/05 1:08:36 PM) Bad-Dll(IEP) in BHO: (not found)
(11/2/05 1:08:36 PM) UBF: 4 - UBB: 7 - UBR: 13
(11/2/05 1:08:36 PM) UBF: 4 - UBB: 7 - UBR: 13
(11/2/05 1:08:36 PM) Bad IE-pages: (none)
(11/2/05 1:08:36 PM) Stealth-String not found
(11/2/05 1:08:36 PM) Not infected->END


(11/3/05 12:17:11 PM) SPSeHjFix started v1.1.2
(11/3/05 12:17:11 PM) OS: WinXP (5.1.2600)
(11/3/05 12:17:11 PM) Language: english
(11/3/05 12:17:11 PM) Win-Path: C:\WINDOWS
(11/3/05 12:17:11 PM) System-Path: C:\WINDOWS\System32
(11/3/05 12:17:11 PM) Temp-Path: C:\DOCUME~1\Anita\LOCALS~1\Temp\
(11/3/05 12:17:13 PM) Disinfection started
(11/3/05 12:17:13 PM) Bad-Dll(IEP): (not found)
(11/3/05 12:17:13 PM) Bad-Dll(IEP) in BHO: (not found)
(11/3/05 12:17:13 PM) UBF: 4 - UBB: 7 - UBR: 15
(11/3/05 12:17:13 PM) UBF: 4 - UBB: 7 - UBR: 15
(11/3/05 12:17:13 PM) Bad IE-pages: (none)
(11/3/05 12:17:13 PM) Stealth-String not found
(11/3/05 12:17:13 PM) Not infected->END


(11/3/05 12:17:42 PM) SPSeHjFix started v1.1.2
(11/3/05 12:17:42 PM) OS: WinXP (5.1.2600)
(11/3/05 12:17:42 PM) Language: english
(11/3/05 12:17:42 PM) Win-Path: C:\WINDOWS
(11/3/05 12:17:42 PM) System-Path: C:\WINDOWS\System32
(11/3/05 12:17:42 PM) Temp-Path: C:\DOCUME~1\Anita\LOCALS~1\Temp\
(11/3/05 12:17:44 PM) Disinfection started
(11/3/05 12:17:44 PM) Bad-Dll(IEP): (not found)
(11/3/05 12:17:44 PM) Bad-Dll(IEP) in BHO: (not found)
(11/3/05 12:17:44 PM) UBF: 4 - UBB: 7 - UBR: 15
(11/3/05 12:17:44 PM) UBF: 4 - UBB: 7 - UBR: 15
(11/3/05 12:17:44 PM) Bad IE-pages: (none)
(11/3/05 12:17:44 PM) Stealth-String not found
(11/3/05 12:17:44 PM) Not infected->END


Logfile of HijackThis v1.99.1
Scan saved at 1:45:22 PM, on 11/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Security\Norton SystemWorks\Norton Antivirus\navapsvc.exe
D:\Security\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
D:\Security\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Security\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\netmi.exe
C:\WINDOWS\winuo.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Utilities\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ***Highlight Browser***
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {057AA07B-6035-C977-C4F6-22C3007CC2F8} - C:\WINDOWS\sdkmx32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utilities\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {573CB0AD-66BE-4CDC-ED99-366A5168E589} - C:\WINDOWS\mfctg.dll (file missing)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: Class - {B93A6A3D-9B7D-4B3D-F50A-8450933B13E9} - C:\WINDOWS\d3zr32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Security\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Class - {FC9B941A-15DD-790B-6F46-1458B80D9E09} - C:\WINDOWS\system32\apptx32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Security\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Design\CorelDRAW Graphics Suite\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=110905 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [winuo.exe] C:\WINDOWS\winuo.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office\OFFICE~1\Office10\EXCEL.EXE/3000
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123404906139
O17 - HKLM\System\CCS\Services\Tcpip\..\{2ABEF0F2-937E-41DE-A8F4-431B1F0FA9AF}: NameServer = 203.145.184.13,202.56.250.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{5772FAF6-E617-4640-9F6B-20197201ACFB}: NameServer = 203.145.184.13,202.56.250.5
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Security\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Security\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Security\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\Security\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



I've also installed SpywareBlaster.

Do let me know what you think!

Thanks!

Anita

#4 Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:49 AM

Posted 03 November 2005 - 04:50 AM

Please download CureIt:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb-cureit.
Double-click "drweb-cureit.exe" and click "OK" in the prompt window that opens, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done" in the lower left corner, click on all your drives.
A red dot will mark the selected drive(s). Then hit the pedestrian icon, which has now turned green.
Click on the green man in the right corner; it will scan ALL your drives. Hit yes to all.

Reboot. Post a fresh HijackThis log once finished :thumbsup:
Hi there, stranger!

#5 highlight

  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:19 AM

Posted 04 November 2005 - 04:36 AM

Thanks so much for DrWeb-cureit!

Unbelievable, the number of files that were infected: around 292! Hopefully all will be well now.

Here's the new HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 2:56:25 PM, on 11/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Security\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Security\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
D:\Security\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\Security\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Security\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Utilities\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ***Highlight Browser***
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {057AA07B-6035-C977-C4F6-22C3007CC2F8} - C:\WINDOWS\sdkmx32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utilities\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Security\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {573CB0AD-66BE-4CDC-ED99-366A5168E589} - C:\WINDOWS\mfctg.dll (file missing)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: Class - {B93A6A3D-9B7D-4B3D-F50A-8450933B13E9} - C:\WINDOWS\d3zr32.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Security\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Class - {FC9B941A-15DD-790B-6F46-1458B80D9E09} - C:\WINDOWS\system32\apptx32.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Security\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Design\CorelDRAW Graphics Suite\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=110905 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [winwt32.exe] C:\WINDOWS\system32\winwt32.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office\OFFICE~1\Office10\EXCEL.EXE/3000
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123404906139
O17 - HKLM\System\CCS\Services\Tcpip\..\{2ABEF0F2-937E-41DE-A8F4-431B1F0FA9AF}: NameServer = 203.145.184.13,202.56.250.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{5772FAF6-E617-4640-9F6B-20197201ACFB}: NameServer = 203.145.184.13,202.56.250.5
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\netmi.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Security\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Security\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Security\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\Security\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


:thumbsup: THANKS!!!
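
As an added example (not code from the thread, from HijackThis or from Dr.Web), here is a small Python triage of the two logs above. It parses HijackThis lines, flags the leftovers an analyst would still want gone after the CureIt run (O2 BHO and O4 Run entries pointing at unrecognised files dropped straight into C:\WINDOWS or System32, registrations whose file is now "(file missing)", and the O23 service with "Unknown owner" and a missing netmi.exe), and diffs the 3 November log against the 4 November one. The sample input is a handful of lines excerpted from those two logs; the "system directory" heuristic and the allowlist of files expected there are this example's own assumptions, not HijackThis rules.

```python
r"""Triage of HijackThis logs: flag leftover hijacker entries and diff two scans.

Added example for this thread; not code from HijackThis, Dr.Web or the poster.
The heuristics (unrecognised files dropped straight into C:\WINDOWS or
System32, registrations whose file is gone, services with no publisher) are
this example's own assumptions about what an analyst looks for.
"""
import re
from pathlib import PureWindowsPath

# Sample input: lines excerpted from the 3 Nov and 4 Nov logs in the thread.
LOG_BEFORE = r"""
O2 - BHO: Class - {057AA07B-6035-C977-C4F6-22C3007CC2F8} - C:\WINDOWS\sdkmx32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utilities\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {B93A6A3D-9B7D-4B3D-F50A-8450933B13E9} - C:\WINDOWS\d3zr32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winuo.exe] C:\WINDOWS\winuo.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
LOG_AFTER = r"""
O2 - BHO: Class - {057AA07B-6035-C977-C4F6-22C3007CC2F8} - C:\WINDOWS\sdkmx32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Utilities\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {B93A6A3D-9B7D-4B3D-F50A-8450933B13E9} - C:\WINDOWS\d3zr32.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winwt32.exe] C:\WINDOWS\system32\winwt32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\netmi.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Assumption: an analyst keeps an allowlist of files that belong directly in
# those directories; this one only covers what the thread's logs load from there.
KNOWN_GOOD = {"explorer.exe", "nvsvc32.exe", "msdxm.ocx", "hpzipm12.exe", "dumprep"}

LINE_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
# First drive-letter path ending in a loadable module; quotes delimit O4 commands.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))', re.IGNORECASE)


def parse_log(text):
    """Turn HijackThis lines into dicts; lines that are not entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append({
            "section": section,
            "body": body,
            "path": pm.group(1) if pm else None,
            "orphan": "(file missing)" in body or "(no file)" in body,
            "unknown_owner": "Unknown owner" in body,
        })
    return entries


def reasons_for(entry):
    """Why an analyst would still want this entry gone; empty list if benign."""
    reasons = []
    if entry["section"] not in {"O2", "O3", "O4", "O23"}:
        return reasons
    if entry["orphan"]:
        reasons.append("registration left behind, file already gone")
    if entry["unknown_owner"]:
        reasons.append("service with no publisher")
    if entry["path"]:
        p = PureWindowsPath(entry["path"])
        if str(p.parent).lower() in SYSTEM_DIRS and p.name.lower() not in KNOWN_GOOD:
            reasons.append(f"unrecognised file {p.name} dropped directly into {p.parent}")
    return reasons


def triage(text):
    """Return [(body, [reasons])] for every entry worth a second look."""
    flagged = []
    for e in parse_log(text):
        why = reasons_for(e)
        if why:
            flagged.append((e["body"], why))
    return flagged


def diff_logs(before, after):
    """Compare two scans, ignoring the '(file missing)' suffix when matching."""
    def key(e):
        return re.sub(r"\s*\((?:file missing|no file)\)$", "", e["body"])
    b = {key(e): e for e in parse_log(before)}
    a = {key(e): e for e in parse_log(after)}
    return {
        "added": sorted(a.keys() - b.keys()),
        "removed": sorted(b.keys() - a.keys()),
        "now_orphaned": sorted(k for k in a.keys() & b.keys()
                               if a[k]["orphan"] and not b[k]["orphan"]),
    }


if __name__ == "__main__":
    for body, why in triage(LOG_AFTER):
        print(body, "->", "; ".join(why))
    for change, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(change, len(items))
```

On the excerpted lines the diff shows what CureIt achieved and what it left: the two BHO DLLs in C:\WINDOWS went from present to "(file missing)" (their registrations remain), winuo.exe is gone from the Run key but winwt32.exe has taken its place in System32, and the garbled-name service pointing at netmi.exe is still registered. Those are exactly the entries that stay flagged in the second triage.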

#6 Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:49 AM

Posted 04 November 2005 - 05:09 AM

Much better.. :thumbsup:

Although it's not quite clean yet. A few things to do, but I'm not at home right at the moment. I'll post a set of instructions in a couple of hours and we'll get you settled :flowers:
Hi there, stranger!
