About:blank


This topic is locked
4 replies to this topic

#1 anonymous_hero

Posted 15 January 2006 - 02:04 AM

OK, sorry if there is a topic for this already, but I really don't have time to check, because
my computer is running 100X slower than usual. So I'm trying to save the time of loading pages.

I have DSL, and my computer is running worse than dial-up at the current time.

Here is a HijackThis log of my computer. Please help. I know the virus is within a file
called "Search Extended" and "Shopping Wizard".

Logfile of HijackThis v1.99.1
Scan saved at 10:57:34 PM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\netxh32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\sdkyi32.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\jamaican_kidd\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xbhbk.dll/sp.html#12047%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xbhbk.dll/sp.html#12047%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xbhbk.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xbhbk.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xbhbk.dll/sp.html#12047%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xbhbk.dll/sp.html#12047%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xbhbk.dll/sp.html#12047%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-0000-49B3-AA38-D5725EB316C7} - (no file)
O2 - BHO: Class - {02B6F0C0-81BF-128A-F6DD-072EF4DAA259} - C:\WINDOWS\system32\crds32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15FC6455-E111-59C5-D554-11557CAF2F1E} - (no file)
O2 - BHO: Class - {3C676AA3-DE9F-DD33-9708-60A5B7B91DD4} - C:\WINDOWS\system32\ipxa.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {68BA8E7B-48F1-E65F-C86B-FB26EE5902B5} - C:\WINDOWS\addje32.dll
O2 - BHO: Class - {77B4CE71-F8EB-D009-07EA-8D5437684795} - C:\WINDOWS\atlqy.dll
O2 - BHO: Class - {7DB3E683-977A-288C-4EB6-ADD266289B1A} - C:\WINDOWS\netzm32.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: Class - {9404FFB4-AA7A-A757-2FB5-29D6F452E365} - C:\WINDOWS\javamt.dll
O2 - BHO: Class - {B29DB64D-9837-FB36-C3F8-5C2D6B2B3204} - C:\WINDOWS\system32\mslo32.dll
O2 - BHO: Class - {B38F1730-B853-D9A7-5898-14CE893180C0} - C:\WINDOWS\system32\netiy.dll
O2 - BHO: Class - {B9E394CA-9564-011C-9650-8855DA3C97AC} - C:\WINDOWS\system32\ipfw.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {BFC8E15D-A9D9-C737-3BFC-6E181D103960} - C:\WINDOWS\appgb.dll
O2 - BHO: Class - {C5B61BDC-0B56-F5CE-80B3-EA952A978484} - C:\WINDOWS\system32\ntdi32.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: Class - {FA224A3B-80E3-FC4E-47BB-C7027C3BE4E9} - C:\WINDOWS\system32\javaty32.dll
O2 - BHO: (no name) - {FF234288-3F3D-AAD1-5406-2B255A30CA94} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sdkyi32.exe] C:\WINDOWS\system32\sdkyi32.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.shopathomeselect.com/axin...all4110_sp2.cab
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netxh32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

#2 Rawe

Posted 15 January 2006 - 05:56 AM

Hello and welcome!

You have a crapload of malware, although I don't think it takes much time to clean them up, just track this topic and follow the instructions. Takes a few steps :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

Next we'll go to the rest:

Download CWShredder Here.

Unzip CWShredder to its own folder (i.e., c:\CWShredder)

Download SpSeHjfix Here.

Unzip SpSeHjfix to its own folder (i.e., c:\SpSeHjfix)

Download and install CleanUp! Here

Run the CleanUp! installer. You don't need to do anything with it right now.

Please download AboutBuster.
  • Double click the AboutBuster folder, then double click the AboutBuster.exe inside.
  • Click "Extract all" in the box that pops up, then "Next"
  • Choose the location you would like to install AboutBuster, such as My Documents.
  • Make sure "Show extracted files" is checked, then click "Finish".
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode:
  • Open AboutBuster and click the "Begin Removal" button. It will shut down all Explorer windows (if open) while it works.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
  • Run AboutBuster again following the same instructions as above, this time without the restart at the end
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Finally

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to log-off/reboot at the end, if it does please do so.

Reboot into normal mode and post a fresh HijackThis log along with ALL the logs requested earlier. :flowers:
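The reply above walks through the fix with point-and-click tools, but the decision of which entries in the first log matter (the res:// search hijack, the generic "Class" BHOs under C:\WINDOWS, the Run value named after its own executable, the O15 Trusted Zone sites, the O20 Winlogon Notify DLL, and the O23 service with a garbled name and a missing file) is the part worth learning. The script below is an added example written for this thread; it is not part of the original posts and not code from HijackThis, AboutBuster, SpSeHjfix or CWShredder. It reads HijackThis 1.99 log lines and reports why each flagged entry deserves a closer look. The sample entries are copied from the log posted in this thread; the flagging rules, regular expressions and function names are my own heuristics, not anything the tools publish.

```python
"""Triage a HijackThis 1.99 log: flag the entry types a helper reads first.

Added example for this thread. Everything below is a heuristic: a flag means
"look closer", not "infected". Nothing here modifies the machine.
"""
import re
from collections import Counter

# Constructed sample: entries copied from the HijackThis log posted in this
# thread, with a few benign entries left in so the contrast is visible.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xbhbk.dll/sp.html#12047%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: Class - {02B6F0C0-81BF-128A-F6DD-072EF4DAA259} - C:\WINDOWS\system32\crds32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [sdkyi32.exe] C:\WINDOWS\system32\sdkyi32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://*.winfixer.com
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\netxh32.exe" /s (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# One HijackThis entry: "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# O2 body: "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
# O4 body: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
# O23 body: "Service: <display name> (<short name>) - <owner> - <path>"
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?) \((?P<short>[^)]*)\) - (?P<owner>.+?) - (?P<path>.+)$")
# Characters a normal Windows service short name is made of.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]+$")


def triage_entry(kind, body):
    """Return the list of reasons this entry deserves attention (empty = nothing flagged)."""
    reasons = []
    low = body.lower()
    # Applies to any section: HijackThis marks registry entries whose target is gone.
    if "(file missing)" in low:
        reasons.append("points at a file that no longer exists (stale entry left behind)")
    if kind in ("R0", "R1") and "res://" in low and ".dll/" in low:
        reasons.append("IE search/start page served out of a local DLL resource (about:blank style hijack)")
    elif kind == "O2":
        m = BHO_RE.match(body)
        if m and m.group("name") in ("Class", "(no name)") and m.group("path").lower().startswith("c:\\windows"):
            reasons.append("BHO with a generic name loaded from the Windows directory")
    elif kind == "O4":
        m = RUN_RE.match(body)
        if m:
            cmd = m.group("cmd").strip()
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
            if m.group("value").lower() == exe.rsplit("\\", 1)[-1].lower():
                reasons.append("Run value named after its own executable, a common pattern for dropped files")
    elif kind == "O15":
        reasons.append("site in the IE Trusted Zone, which relaxes browser security checks for it")
    elif kind == "O20":
        reasons.append("Winlogon Notify DLL, loaded at logon before the desktop appears (persistence)")
    elif kind == "O23":
        m = SERVICE_RE.match(body)
        if m:
            if not SAFE_NAME_RE.match(m.group("short")):
                reasons.append("service short name contains garbage characters")
            if m.group("owner") == "Unknown owner":
                reasons.append("service has no publisher recorded")
    return reasons


def triage_log(text):
    """Return [(kind, body, reasons)] for every entry with at least one reason, in log order."""
    flagged = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank lines, "Running processes:" header, process paths
        reasons = triage_entry(m.group("kind"), m.group("body"))
        if reasons:
            flagged.append((m.group("kind"), m.group("body"), reasons))
    return flagged


def count_kinds(text):
    """Histogram of entry sections (R0, O2, O23, ...), useful for a quick overview of a log."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return Counter(m.group("kind") for m in matches if m)


if __name__ == "__main__":
    print("sections:", dict(count_kinds(SAMPLE_LOG)))
    for kind, body, reasons in triage_log(SAMPLE_LOG):
        print(f"{kind}: {body[:72]}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run it as-is to triage the embedded sample, or pass the text of a saved log to `triage_log`. The rules are deliberately narrow: a legitimate product with an "Unknown owner" service (STOPzilla in this very log) will be listed too, which is the point of a triage pass rather than an automatic fix.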

#3 anonymous_hero

Posted 15 January 2006 - 05:46 PM

OK, thank you for the information. I did all as followed, and my computer is running like new!!

Here are the logs you asked for.

Thank you again!! Both "Search Extended" and "Shopping Wizard" are now gone!!

AboutBuster 6.0
Scan started on [1/15/2006] at [2:29:24 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\cdplayer.ini:trmrc
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:bxigf
Removed Stream! C:\WINDOWS\comsetup.log:gjlgvf
Removed Stream! C:\WINDOWS\comsetup.log:wtips
Removed Stream! C:\WINDOWS\custvoic.ini:zkvtxp
Removed Stream! C:\WINDOWS\DC.ini:cbftq
Removed Stream! C:\WINDOWS\desktop.ini:rkozrz
Removed Stream! C:\WINDOWS\explorer.scf:plbtu
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:atdeb
Removed Stream! C:\WINDOWS\Greenstone.bmp:anemr
Removed Stream! C:\WINDOWS\humpd.dat:luopp
Removed Stream! C:\WINDOWS\image.png:Zone.Identifier
Removed Stream! C:\WINDOWS\info.cod:swkja
Removed Stream! C:\WINDOWS\KB828741.log:qpost
Removed Stream! C:\WINDOWS\KB842773.log:xlacj
Removed Stream! C:\WINDOWS\KB873333.log:dxncw
Removed Stream! C:\WINDOWS\KB873339.log:tqrlq
Removed Stream! C:\WINDOWS\KB885836.log:rqhxc
Removed Stream! C:\WINDOWS\KB887472.log:caqku
Removed Stream! C:\WINDOWS\KB888113.log:hleya
Removed Stream! C:\WINDOWS\KB890046.log:crkqy
Removed Stream! C:\WINDOWS\KB890047.log:dqbuh
Removed Stream! C:\WINDOWS\KB890859.log:nbbuq
Removed Stream! C:\WINDOWS\KB893086.log:ntvau
Removed Stream! C:\WINDOWS\KB893086.log:osnfe
Removed Stream! C:\WINDOWS\KB894391.log:dotbs
Removed Stream! C:\WINDOWS\KB896422.log:iztju
Removed Stream! C:\WINDOWS\KB896727.log:intsgk
Removed Stream! C:\WINDOWS\KB898461.log:taeuq
Removed Stream! C:\WINDOWS\KB899588.log:aneyi
Removed Stream! C:\WINDOWS\KB900725.log:xngka
Removed Stream! C:\WINDOWS\KB904706.log:icqga
Removed Stream! C:\WINDOWS\KB905414.log:ihsdw
Removed Stream! C:\WINDOWS\KB910437.log:waycq
Removed Stream! C:\WINDOWS\LUINSTALL.LOG:ggvhe
Removed Stream! C:\WINDOWS\LXBRCAH.ini:rklot
Removed Stream! C:\WINDOWS\LXBRFMT.INI:ytbmm
Removed Stream! C:\WINDOWS\MF_C425.lfa:jmvrw
Removed Stream! C:\WINDOWS\MF_C425.lfa:wvwpa
Removed Stream! C:\WINDOWS\mixerdef.ini:usctq
Removed Stream! C:\WINDOWS\ModemLog_HSP56 MicroModem.txt:cdogp
Removed Stream! C:\WINDOWS\ModemLog_HSP56 MicroModem.txt:ohzyad
Removed Stream! C:\WINDOWS\msn.hta:hikmco
Removed Stream! C:\WINDOWS\msn.hta:nqopq
Removed Stream! C:\WINDOWS\nsw.log:hwazx
Removed Stream! C:\WINDOWS\ocgen.log:gvnro
Removed Stream! C:\WINDOWS\ODBCINST.INI:prran
Removed Stream! C:\WINDOWS\ODBCINST.INI:xvyrh
Removed Stream! C:\WINDOWS\OEWABLog.txt:rkvwyb
Removed Stream! C:\WINDOWS\popcinfo.dat:rxycl
Removed Stream! C:\WINDOWS\setupapi.log:bfymo
Removed Stream! C:\WINDOWS\setuperr.log:vbtuwf
Removed Stream! C:\WINDOWS\sndhv71.ini:ncmhqq
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:mgcwk
Removed Stream! C:\WINDOWS\spupdsvc.log:gcensa
Removed Stream! C:\WINDOWS\stub11.ini:ovfwme
Removed Stream! C:\WINDOWS\stub17.ini:efloj
Removed Stream! C:\WINDOWS\stub23.ini:bqtzfm
Removed Stream! C:\WINDOWS\stub3.ini:cpugic
Removed Stream! C:\WINDOWS\stub36.ini:nqxzww
Removed Stream! C:\WINDOWS\stub36.ini:zarkx
Removed Stream! C:\WINDOWS\stub38.ini:qusqrw
Removed Stream! C:\WINDOWS\stub40.ini:owrey
Removed Stream! C:\WINDOWS\stub43.ini:bgevv
Removed Stream! C:\WINDOWS\stub45.ini:hhlhfa
Removed Stream! C:\WINDOWS\stub5.ini:mhqor
Removed Stream! C:\WINDOWS\stub58.ini:qydxdn
Removed Stream! C:\WINDOWS\stub60.ini:jywcxp
Removed Stream! C:\WINDOWS\stub61.ini:yjoryz
Removed Stream! C:\WINDOWS\stub66.ini:jyhbug
Removed Stream! C:\WINDOWS\stub7.ini:mtsaom
Removed Stream! C:\WINDOWS\stub70.ini:cdkpww
Removed Stream! C:\WINDOWS\stub72.ini:ualmqt
Removed Stream! C:\WINDOWS\stub73.ini:ueuuqy
Removed Stream! C:\WINDOWS\stub77.ini:nfnatj
Removed Stream! C:\WINDOWS\stub77.ini:oesmc
Removed Stream! C:\WINDOWS\stub79.ini:ohqpr
Removed Stream! C:\WINDOWS\stub8.ini:ffgfnt
Removed Stream! C:\WINDOWS\stub85.ini:qnxgy
Removed Stream! C:\WINDOWS\stub85.ini:zabhn
Removed Stream! C:\WINDOWS\stub87.ini:ivrvdd
Removed Stream! C:\WINDOWS\stub89.ini:lrksj
Removed Stream! C:\WINDOWS\stub89.ini:ofefdy
Removed Stream! C:\WINDOWS\stub9.ini:yushz
Removed Stream! C:\WINDOWS\stub91.ini:bhmppi
Removed Stream! C:\WINDOWS\svcpack.log:gywlxj
Removed Stream! C:\WINDOWS\svcpack.log:qwyyzj
Removed Stream! C:\WINDOWS\system.ini:osocf
Removed Stream! C:\WINDOWS\Thumbs.db:encryptable
Removed Stream! C:\WINDOWS\Thumbs.db:jvvsw
Removed Stream! C:\WINDOWS\TMFilter.log:mipimv
Removed Stream! C:\WINDOWS\tsoc.log:vhzvzs
Removed Stream! C:\WINDOWS\tybct.log:rzzdtv
Removed Stream! C:\WINDOWS\UNINSTPK.INI:aqjjvv
Removed Stream! C:\WINDOWS\updspapi.log:oisbbc
Removed Stream! C:\WINDOWS\vbmgsent.ini:pklgcs
Removed Stream! C:\WINDOWS\WMSysPr9.prx:zvasz
Removed Stream! C:\WINDOWS\_isres(2).dll:arjmt
Removed Stream! C:\WINDOWS\_isres(2).dll:bfixq
Removed Stream! C:\WINDOWS\_isres(2).dll:bxxyuz
Removed Stream! C:\WINDOWS\_isres(2).dll:ezmvo
Removed Stream! C:\WINDOWS\_isres(2).dll:fccmy
Removed Stream! C:\WINDOWS\_isres(2).dll:fdaha
Removed Stream! C:\WINDOWS\_isres(2).dll:foxfb
Removed Stream! C:\WINDOWS\_isres(2).dll:fvrdy
Removed Stream! C:\WINDOWS\_isres(2).dll:gdkdcx
Removed Stream! C:\WINDOWS\_isres(2).dll:hdlgou
Removed Stream! C:\WINDOWS\_isres(2).dll:ievvzj
Removed Stream! C:\WINDOWS\_isres(2).dll:iwmtao
Removed Stream! C:\WINDOWS\_isres(2).dll:kghefs
Removed Stream! C:\WINDOWS\_isres(2).dll:mmvnm
Removed Stream! C:\WINDOWS\_isres(2).dll:nbyphp
Removed Stream! C:\WINDOWS\_isres(2).dll:niotsy
Removed Stream! C:\WINDOWS\_isres(2).dll:nwcxf
Removed Stream! C:\WINDOWS\_isres(2).dll:odtbmk
Removed Stream! C:\WINDOWS\_isres(2).dll:omrmm
Removed Stream! C:\WINDOWS\_isres(2).dll:piiju
Removed Stream! C:\WINDOWS\_isres(2).dll:qdvohj
Removed Stream! C:\WINDOWS\_isres(2).dll:qfdzx
Removed Stream! C:\WINDOWS\_isres(2).dll:qhapy
Removed Stream! C:\WINDOWS\_isres(2).dll:qwunym
Removed Stream! C:\WINDOWS\_isres(2).dll:skmhl
Removed Stream! C:\WINDOWS\_isres(2).dll:stgkj
Removed Stream! C:\WINDOWS\_isres(2).dll:txjcs
Removed Stream! C:\WINDOWS\_isres(2).dll:ubrbjn
Removed Stream! C:\WINDOWS\_isres(2).dll:ucwxt
Removed Stream! C:\WINDOWS\_isres(2).dll:vcotb
Removed Stream! C:\WINDOWS\_isres(2).dll:vhwgxn
Removed Stream! C:\WINDOWS\_isres(2).dll:xauemt
Removed Stream! C:\WINDOWS\_isres(2).dll:zndwj
Removed Stream! C:\WINDOWS\_isres.dll:adicyq
Removed Stream! C:\WINDOWS\_isres.dll:aecedt
Removed Stream! C:\WINDOWS\_isres.dll:arjmt
Removed Stream! C:\WINDOWS\_isres.dll:bfixq
Removed Stream! C:\WINDOWS\_isres.dll:bohhhb
Removed Stream! C:\WINDOWS\_isres.dll:btbvxp
Removed Stream! C:\WINDOWS\_isres.dll:bxxyuz
Removed Stream! C:\WINDOWS\_isres.dll:clnopy
Removed Stream! C:\WINDOWS\_isres.dll:dbnzgu
Removed Stream! C:\WINDOWS\_isres.dll:efeson
Removed Stream! C:\WINDOWS\_isres.dll:ehksdo
Removed Stream! C:\WINDOWS\_isres.dll:ektwng
Removed Stream! C:\WINDOWS\_isres.dll:epwtae
Removed Stream! C:\WINDOWS\_isres.dll:ezmvo
Removed Stream! C:\WINDOWS\_isres.dll:fccmy
Removed Stream! C:\WINDOWS\_isres.dll:fdaha
Removed Stream! C:\WINDOWS\_isres.dll:foxfb
Removed Stream! C:\WINDOWS\_isres.dll:fvrdy
Removed Stream! C:\WINDOWS\_isres.dll:fvvqvs
Removed Stream! C:\WINDOWS\_isres.dll:gdkdcx
Removed Stream! C:\WINDOWS\_isres.dll:hdlgou
Removed Stream! C:\WINDOWS\_isres.dll:hfisjk
Removed Stream! C:\WINDOWS\_isres.dll:hhzqnk
Removed Stream! C:\WINDOWS\_isres.dll:ievvzj
Removed Stream! C:\WINDOWS\_isres.dll:iwmtao
Removed Stream! C:\WINDOWS\_isres.dll:jahnlk
Removed Stream! C:\WINDOWS\_isres.dll:kauuej
Removed Stream! C:\WINDOWS\_isres.dll:kghefs
Removed Stream! C:\WINDOWS\_isres.dll:lcsyjb
Removed Stream! C:\WINDOWS\_isres.dll:mmvnm
Removed Stream! C:\WINDOWS\_isres.dll:mrfzlv
Removed Stream! C:\WINDOWS\_isres.dll:nbyphp
Removed Stream! C:\WINDOWS\_isres.dll:ndygau
Removed Stream! C:\WINDOWS\_isres.dll:niotsy
Removed Stream! C:\WINDOWS\_isres.dll:nwcxf
Removed Stream! C:\WINDOWS\_isres.dll:odtbmk
Removed Stream! C:\WINDOWS\_isres.dll:omrmm
Removed Stream! C:\WINDOWS\_isres.dll:pghkla
Removed Stream! C:\WINDOWS\_isres.dll:piiju
Removed Stream! C:\WINDOWS\_isres.dll:qdvohj
Removed Stream! C:\WINDOWS\_isres.dll:qfdzx
Removed Stream! C:\WINDOWS\_isres.dll:qhapy
Removed Stream! C:\WINDOWS\_isres.dll:qkppwf
Removed Stream! C:\WINDOWS\_isres.dll:qrxkbc
Removed Stream! C:\WINDOWS\_isres.dll:qwunym
Removed Stream! C:\WINDOWS\_isres.dll:rksnsh
Removed Stream! C:\WINDOWS\_isres.dll:sbhthq
Removed Stream! C:\WINDOWS\_isres.dll:skmhl
Removed Stream! C:\WINDOWS\_isres.dll:stgkj
Removed Stream! C:\WINDOWS\_isres.dll:tqnujl
Removed Stream! C:\WINDOWS\_isres.dll:txjcs
Removed Stream! C:\WINDOWS\_isres.dll:ubrbjn
Removed Stream! C:\WINDOWS\_isres.dll:ucwxt
Removed Stream! C:\WINDOWS\_isres.dll:uldyou
Removed Stream! C:\WINDOWS\_isres.dll:utsghx
Removed Stream! C:\WINDOWS\_isres.dll:vcotb
Removed Stream! C:\WINDOWS\_isres.dll:vhwgxn
Removed Stream! C:\WINDOWS\_isres.dll:vmgujj
Removed Stream! C:\WINDOWS\_isres.dll:wdximp
Removed Stream! C:\WINDOWS\_isres.dll:wgwfqx
Removed Stream! C:\WINDOWS\_isres.dll:wqoyco
Removed Stream! C:\WINDOWS\_isres.dll:wtishi
Removed Stream! C:\WINDOWS\_isres.dll:xauemt
Removed Stream! C:\WINDOWS\_isres.dll:xrfxhr
Removed Stream! C:\WINDOWS\_isres.dll:zjiapw
Removed Stream! C:\WINDOWS\_isres.dll:zndwj
Removed Stream! C:\WINDOWS\_isres.dll:zyjbix
-------------------------------------------------------------
Removed File! : C:\WINDOWS\addje32.dll
Removed File! : C:\WINDOWS\addro32.dll
Removed File! : C:\WINDOWS\appgb.dll
Removed File! : C:\WINDOWS\atlqy.dll
Removed File! : C:\WINDOWS\bffbb.dat
Removed File! : C:\WINDOWS\bquwz.txt
Removed File! : C:\WINDOWS\brfke.dat
Removed File! : C:\WINDOWS\btgmx.dll
Removed File! : C:\WINDOWS\byfhq.log
Removed File! : C:\WINDOWS\crzx.exe
Removed File! : C:\WINDOWS\d3li32.exe
Removed File! : C:\WINDOWS\dyntb.dat
Removed File! : C:\WINDOWS\hfisj.txt
Removed File! : C:\WINDOWS\humpd.dat
Removed File! : C:\WINDOWS\hvpoa.dat
Removed File! : C:\WINDOWS\ienv32.exe
Removed File! : C:\WINDOWS\ieyi32.exe
Removed File! : C:\WINDOWS\iwdat.log
Removed File! : C:\WINDOWS\javahs32.exe
Removed File! : C:\WINDOWS\javamt.dll
Removed File! : C:\WINDOWS\javapq32.exe
Removed File! : C:\WINDOWS\jcozk.dat
Removed File! : C:\WINDOWS\lhoar.dll
Removed File! : C:\WINDOWS\mznkw.dat
Removed File! : C:\WINDOWS\netbs32.dll
Removed File! : C:\WINDOWS\netzm32.dll
Removed File! : C:\WINDOWS\niots.log
Removed File! : C:\WINDOWS\ozhgc.log
Removed File! : C:\WINDOWS\pzaeu.dat
Removed File! : C:\WINDOWS\qwyyz.log
Removed File! : C:\WINDOWS\sbwul.log
Removed File! : C:\WINDOWS\tfqxs.txt
Removed File! : C:\WINDOWS\tybct.log
Removed File! : C:\WINDOWS\ualmq.log
Removed File! : C:\WINDOWS\udncm.txt
Removed File! : C:\WINDOWS\vwmvr.txt
Removed File! : C:\WINDOWS\wzenp.log
Removed File! : C:\WINDOWS\xauem.log
Removed File! : C:\WINDOWS\xcgkg.txt
Removed File! : C:\WINDOWS\xgjad.log
Removed File! : C:\WINDOWS\zuaek.dat
Removed File! : C:\WINDOWS\system32\apimq32.dll
Removed File! : C:\WINDOWS\system32\apirw32.exe
Removed File! : C:\WINDOWS\system32\atlqa32.exe
Removed File! : C:\WINDOWS\system32\atlqt.exe
Removed File! : C:\WINDOWS\system32\autnh.log
Removed File! : C:\WINDOWS\system32\crds32.dll
Removed File! : C:\WINDOWS\system32\crod.exe
Removed File! : C:\WINDOWS\system32\d3kh32.exe
Removed File! : C:\WINDOWS\system32\d3op.exe
Removed File! : C:\WINDOWS\system32\dipet.txt
Removed File! : C:\WINDOWS\system32\eplnv.txt
Removed File! : C:\WINDOWS\system32\fabfh.txt
Removed File! : C:\WINDOWS\system32\gdkdc.txt
Removed File! : C:\WINDOWS\system32\gyuws.dll
Removed File! : C:\WINDOWS\system32\hbpgl.txt
Removed File! : C:\WINDOWS\system32\iehb32.exe
Removed File! : C:\WINDOWS\system32\ipff.exe
Removed File! : C:\WINDOWS\system32\ipfw.dll
Removed File! : C:\WINDOWS\system32\ippj.exe
Removed File! : C:\WINDOWS\system32\ipxa.dll
Removed File! : C:\WINDOWS\system32\javaty32.dll
Removed File! : C:\WINDOWS\system32\jztyk.txt
Removed File! : C:\WINDOWS\system32\kfpvl.dll
Removed File! : C:\WINDOWS\system32\koexz.log
Removed File! : C:\WINDOWS\system32\kqbzp.txt
Removed File! : C:\WINDOWS\system32\lbjkq.dat
Removed File! : C:\WINDOWS\system32\mslo32.dll
Removed File! : C:\WINDOWS\system32\netiy.dll
Removed File! : C:\WINDOWS\system32\netxh32.exe
Removed File! : C:\WINDOWS\system32\nfrkf.txt
Removed File! : C:\WINDOWS\system32\ntdi32.dll
Removed File! : C:\WINDOWS\system32\qwyhd.dat
Removed File! : C:\WINDOWS\system32\rnsne.log
Removed File! : C:\WINDOWS\system32\sdkdf.exe
Removed File! : C:\WINDOWS\system32\sdkyi32.exe
Removed File! : C:\WINDOWS\system32\wintu.exe
Removed File! : C:\WINDOWS\system32\xbhbk.dll
Removed File! : C:\WINDOWS\system32\xqrdr.txt
Removed File! : C:\WINDOWS\system32\xuuox.txt
Removed File! : C:\WINDOWS\system32\zshkt.dat
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:32:02 PM

(1/15/06 2:35:20 PM) SPSeHjFix started v1.1.2
(1/15/06 2:35:20 PM) OS: WinXP Service Pack 2 (5.1.2600)
(1/15/06 2:35:20 PM) Language: english
(1/15/06 2:35:20 PM) Win-Path: C:\WINDOWS
(1/15/06 2:35:20 PM) System-Path: C:\WINDOWS\system32
(1/15/06 2:35:20 PM) Temp-Path: C:\DOCUME~1\JAMAIC~1\LOCALS~1\Temp\
(1/15/06 2:35:22 PM) Disinfection started
(1/15/06 2:35:22 PM) Bad-Dll(IEP): (not found)
(1/15/06 2:35:22 PM) Bad-Dll(IEP) in BHO: (not found)
(1/15/06 2:35:22 PM) UBF: 7 - UBB: 20 - UBR: 10
(1/15/06 2:35:22 PM) UBF: 7 - UBB: 20 - UBR: 10
(1/15/06 2:35:22 PM) Bad IE-pages: (none)
(1/15/06 2:35:22 PM) Stealth-String not found
(1/15/06 2:35:22 PM) Not infected->END

Logfile of HijackThis v1.99.1
Scan saved at 2:42:02 PM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\jamaican_kidd\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-0000-49B3-AA38-D5725EB316C7} - (no file)
O2 - BHO: Class - {02B6F0C0-81BF-128A-F6DD-072EF4DAA259} - C:\WINDOWS\system32\crds32.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15FC6455-E111-59C5-D554-11557CAF2F1E} - (no file)
O2 - BHO: Class - {3C676AA3-DE9F-DD33-9708-60A5B7B91DD4} - C:\WINDOWS\system32\ipxa.dll (file missing)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {68BA8E7B-48F1-E65F-C86B-FB26EE5902B5} - C:\WINDOWS\addje32.dll (file missing)
O2 - BHO: Class - {77B4CE71-F8EB-D009-07EA-8D5437684795} - C:\WINDOWS\atlqy.dll (file missing)
O2 - BHO: Class - {7DB3E683-977A-288C-4EB6-ADD266289B1A} - C:\WINDOWS\netzm32.dll (file missing)
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: Class - {9404FFB4-AA7A-A757-2FB5-29D6F452E365} - C:\WINDOWS\javamt.dll (file missing)
O2 - BHO: Class - {B29DB64D-9837-FB36-C3F8-5C2D6B2B3204} - C:\WINDOWS\system32\mslo32.dll (file missing)
O2 - BHO: Class - {B38F1730-B853-D9A7-5898-14CE893180C0} - C:\WINDOWS\system32\netiy.dll (file missing)
O2 - BHO: Class - {B9E394CA-9564-011C-9650-8855DA3C97AC} - C:\WINDOWS\system32\ipfw.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {BFC8E15D-A9D9-C737-3BFC-6E181D103960} - C:\WINDOWS\appgb.dll (file missing)
O2 - BHO: Class - {C5B61BDC-0B56-F5CE-80B3-EA952A978484} - C:\WINDOWS\system32\ntdi32.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: Class - {FA224A3B-80E3-FC4E-47BB-C7027C3BE4E9} - C:\WINDOWS\system32\javaty32.dll (file missing)
O2 - BHO: (no name) - {FF234288-3F3D-AAD1-5406-2B255A30CA94} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.shopathomeselect.com/axin...all4110_sp2.cab
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 16 January 2006 - 07:36 AM

Ok, well let's do some general scanning before going to more specific instructions. You've still got a load of crap on the log. :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

First, can you do this step again:

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

After this, run a scan with HijackThis and check & fix the following objects (with ALL the windows closed except for HJT itself):

O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com


Once done, close HJT and reboot.

After reboot, can you do all the following steps:

Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version 1.0.6.)

If it's NOT version 1.0.6, can you then uninstall your current version, delete the folder C:\Program Files\Lavasoft and empty the Recycle Bin. Finally install the latest version.

1) Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon, Click "connect", Click "OK", Click "Finish".)

IF you are having problems with the updating, get the manual updates here: http://download.lavasoft.de.edgesuite.net/public/defs.zip

2) Set up the Configurations as follows:
  • Click the Gear wheel at the top of the Ad-Aware window
  • Click General > Safety & Settings: Check (Green) all three.
  • Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3) Click on "Proceed"
4) Click on "Scan Now"
5) Deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat.
6) Select "Search for low-risk threats"
7) Run the scanner using the Full Scan (Perform full system scan) mode.
8) When the scan has completed, select Next.
9) In the Scanning Results window, select the "Scan Summary" tab.
10) Check the box next to every "target family" for removal.
11) Click "Next", Click "OK".
12) Reboot again.

Once again, after reboot, do the following:

Please download cureit:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done" in the lower left corner click on all your drives.
A red dot will mark the selected drive(s). Then hit the pedestrian who has now turned green.
Click on the green man in the right corner; it will scan ALL your drives. Hit yes to all.

Reboot yet again after the scan.

Finally, this will be the last "general step" before going to another fresh HijackThis log:

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply along with a fresh HijackThis log. :flowers:

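As an added illustration (not from this thread and not part of HijackThis itself), a small Python triage script that parses lines in the HijackThis log format shown above and flags the kinds of entries Rawe singles out: O15 Trusted Zone additions, orphaned BHO registrations with "(no file)" or "(file missing)", and a BHO DLL that is also registered as a Winlogon Notify (O20) handler. The sample lines are copied from the log above; the flagging rules are my own assumptions, not HijackThis logic.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {15FC6455-E111-59C5-D554-11557CAF2F1E} - (no file)
O2 - BHO: Class - {3C676AA3-DE9F-DD33-9708-60A5B7B91DD4} - C:\WINDOWS\system32\ipxa.dll (file missing)
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O15 - Trusted Zone: http://*.winfixer.com
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry starts with a section code such as O2, O15, O20 followed by " - ".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Yield (section, body) for every HijackThis entry line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return a list of (section, reason, body) findings a helper would want to review.

    The rules here are assumptions for illustration, not HijackThis's own analysis.
    """
    entries = list(parse_hjt(text))
    findings = []
    # Index the DLL paths loaded by Winlogon Notify (O20) so BHOs can be cross-referenced.
    notify_dlls = {body.rsplit(" - ", 1)[-1].lower() for sec, body in entries if sec == "O20"}
    for sec, body in entries:
        if sec == "O2":
            path = body.rsplit(" - ", 1)[-1]  # last field of an O2 line is the DLL path
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append((sec, "orphaned BHO registration", body))
            elif path.lower() in notify_dlls:
                findings.append((sec, "BHO DLL also registered as Winlogon Notify handler", body))
        elif sec == "O15":
            # Trusted Zone entries lower IE security for the listed site; review each one.
            findings.append((sec, "site added to IE Trusted Zone", body))
        elif sec == "O20":
            findings.append((sec, "Winlogon Notify handler (loaded at logon)", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}: {body}")
```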

#5 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 12 February 2006 - 10:32 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member with the address of this thread.