Friends Computer


  • This topic is locked
7 replies to this topic

#1 Shattuc

Posted 17 December 2004 - 12:08 PM

First HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 1:35:28 AM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\SK9910DM.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
G:\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\AOL Companion\companion.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\WINDOWS\FSScrCtl.exe
C:\WINDOWS\inetm\winlogon.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\Cursors\vssabr.exe
C:\WINDOWS\System32\nvsvc32.exe
G:\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\inetm\explorer.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\Documents and Settings\Doll.DOLLY\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DOLL~1.DOL\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DOLL~1.DOL\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlygoodsearch.com/10040/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DOLL~1.DOL\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DOLL~1.DOL\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DOLL~1.DOL\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DOLL~1.DOL\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\Downloaded Program Files\CONFLICT.3\rundlg32.dll
F3 - REG:win.ini: run=C:\WINDOWS\inetm\winlogon.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Doll\Application Data\Mozilla\Profiles\default\X0M8CH5P.SLT\prefs.js)
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\Downloaded Program Files\CONFLICT.3\rundlg32.dll
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetm\1.02.05.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - (no file)
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - (no file)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.3\rundlg32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe
O4 - HKLM\..\Run: [*baswin] C:\WINDOWS\Web\baswin.exe
O4 - HKLM\..\Run: [*doclog] C:\WINDOWS\Cursors\doclog.exe
O4 - HKLM\..\Run: [*cabmain] C:\WINDOWS\Help\cabmain.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - HKLM\..\Run: [*iisdos] C:\WINDOWS\msagent\iisdos.exe
O4 - HKLM\..\Run: [*basav] C:\WINDOWS\Registration\basav.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [*cas] C:\WINDOWS\Fonts\cas.exe
O4 - HKLM\..\Run: [*msnet] C:\WINDOWS\AppPatch\msnet.exe
O4 - HKLM\..\Run: [*crlog] C:\WINDOWS\ServicePackFiles\crlog.exe
O4 - HKLM\..\Run: [NAV Agent] G:\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [*infomp3] C:\WINDOWS\system\Crescendo\infomp3.exe
O4 - HKLM\..\Run: [*crole] C:\WINDOWS\system32\tenarchlib\crole.exe
O4 - HKLM\..\Run: [*docvss] C:\WINDOWS\AppPatch\docvss.exe
O4 - HKLM\..\Run: [*diskplay] C:\WINDOWS\Config\diskplay.exe
O4 - HKLM\..\Run: [*tapieula] C:\WINDOWS\security\templates\tapieula.exe
O4 - HKLM\..\Run: [*dllsys] C:\WINDOWS\Tasks\dllsys.exe
O4 - HKLM\..\Run: [*rasnet] C:\WINDOWS\AppPatch\rasnet.exe
O4 - HKLM\..\Run: [*msav] C:\WINDOWS\Help\msav.exe
O4 - HKLM\..\Run: [*odbcreg] C:\WINDOWS\system\Drivers\odbcreg.exe
O4 - HKLM\..\Run: [*wavevb] C:\WINDOWS\Tasks\wavevb.exe
O4 - HKLM\..\Run: [*catrun] C:\WINDOWS\inf\INFBACK\catrun.exe
O4 - HKLM\..\Run: [*jpegkey] C:\WINDOWS\AppPatch\jpegkey.exe
O4 - HKLM\..\Run: [*accad] C:\WINDOWS\Fonts\accad.exe
O4 - HKLM\..\Run: [*inetrun] C:\WINDOWS\Config\inetrun.exe
O4 - HKLM\..\Run: [*svrrun] C:\WINDOWS\Cursors\svrrun.exe
O4 - HKLM\..\Run: [*taskfax] C:\WINDOWS\Registration\taskfax.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [*regiis] C:\WINDOWS\Help\Tours\htmlTour\regiis.exe
O4 - HKLM\..\Run: [*oles] C:\WINDOWS\java\Packages\oles.exe
O4 - HKLM\..\Run: [*faxlog] C:\WINDOWS\Registration\faxlog.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [*fontplay] C:\WINDOWS\msagent\CHARS\fontplay.exe
O4 - HKLM\..\Run: [*tapimfc] C:\WINDOWS\system\Crescendo\tapimfc.exe
O4 - HKLM\..\Run: [*iiss] C:\WINDOWS\Registration\iiss.exe
O4 - HKLM\..\Run: [*crs] C:\WINDOWS\Driver Cache\crs.exe
O4 - HKLM\..\Run: [*mainas] C:\WINDOWS\Cursors\mainas.exe
O4 - HKLM\..\RunOnce: [*wavevb] C:\WINDOWS\Tasks\wavevb.exe rerun
O4 - HKLM\..\RunOnce: [*tapieula] C:\WINDOWS\security\templates\tapieula.exe rerun
O4 - HKLM\..\RunOnce: [*msav] C:\WINDOWS\Help\msav.exe rerun
O4 - HKLM\..\RunOnce: [*svrrun] C:\WINDOWS\Cursors\svrrun.exe rerun
O4 - HKLM\..\RunOnce: [*fontplay] C:\WINDOWS\msagent\CHARS\fontplay.exe rerun
O4 - HKLM\..\RunOnce: [*mainas] C:\WINDOWS\Cursors\mainas.exe rerun
O4 - HKLM\..\RunOnce: [*iiss] C:\WINDOWS\Registration\iiss.exe rerun
O4 - HKLM\..\RunOnce: [*crs] C:\WINDOWS\Driver Cache\crs.exe rerun
O4 - HKLM\..\RunOnce: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe rerun
O4 - HKLM\..\RunOnce: [*oles] C:\WINDOWS\java\Packages\oles.exe rerun
O4 - HKLM\..\RunOnce: [*doclog] C:\WINDOWS\Cursors\doclog.exe rerun
O4 - HKLM\..\RunOnce: [*regiis] C:\WINDOWS\Help\Tours\htmlTour\regiis.exe rerun
O4 - HKLM\..\RunOnce: [*catrun] C:\WINDOWS\inf\INFBACK\catrun.exe rerun
O4 - HKLM\..\RunOnce: [*accad] C:\WINDOWS\Fonts\accad.exe rerun
O4 - HKLM\..\RunOnce: [*basav] C:\WINDOWS\Registration\basav.exe rerun
O4 - HKLM\..\RunOnce: [*tapimfc] C:\WINDOWS\system\Crescendo\tapimfc.exe rerun
O4 - HKLM\..\RunOnce: [*jpegkey] C:\WINDOWS\AppPatch\jpegkey.exe rerun
O4 - HKLM\..\RunOnce: [*cabmain] C:\WINDOWS\Help\cabmain.exe rerun
O4 - HKLM\..\RunOnce: [*rasnet] C:\WINDOWS\AppPatch\rasnet.exe rerun
O4 - HKLM\..\RunOnce: [*dllsys] C:\WINDOWS\Tasks\dllsys.exe rerun
O4 - HKLM\..\RunOnce: [*docvss] C:\WINDOWS\AppPatch\docvss.exe rerun
O4 - HKLM\..\RunOnce: [*odbcreg] C:\WINDOWS\system\Drivers\odbcreg.exe rerun
O4 - HKLM\..\RunOnce: [*crlog] C:\WINDOWS\ServicePackFiles\crlog.exe rerun
O4 - HKLM\..\RunOnce: [*faxlog] C:\WINDOWS\Registration\faxlog.exe rerun
O4 - HKLM\..\RunOnce: [*msnet] C:\WINDOWS\AppPatch\msnet.exe rerun
O4 - HKLM\..\RunOnce: [*diskplay] C:\WINDOWS\Config\diskplay.exe rerun
O4 - HKLM\..\RunOnce: [*baswin] C:\WINDOWS\Web\baswin.exe rerun
O4 - HKLM\..\RunOnce: [*inetrun] C:\WINDOWS\Config\inetrun.exe rerun
O4 - HKLM\..\RunOnce: [*iisdos] C:\WINDOWS\msagent\iisdos.exe rerun
O4 - HKLM\..\RunOnce: [*crole] C:\WINDOWS\system32\tenarchlib\crole.exe rerun
O4 - HKLM\..\RunOnce: [*cas] C:\WINDOWS\Fonts\cas.exe rerun
O4 - HKLM\..\RunOnce: [*infomp3] C:\WINDOWS\system\Crescendo\infomp3.exe rerun
O4 - HKLM\..\RunOnce: [*taskfax] C:\WINDOWS\Registration\taskfax.exe rerun
O4 - HKLM\..\RunOnce: [*tcpsrv] C:\WINDOWS\Fonts\tcpsrv.exe rerun
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\Cursors\vssabr.exe ren
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - G:\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ran Adaware and Spybot, and also took out the R1s and R0s with HJT.
Second log:

Logfile of HijackThis v1.99.0
Scan saved at 2:08:37 AM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\inetm\winlogon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\SK9910DM.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
G:\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\nvsvc32.exe
G:\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Documents and Settings\Doll.DOLLY\Desktop\hjt\HijackThis.exe

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inetm\winlogon.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Doll\Application Data\Mozilla\Profiles\default\X0M8CH5P.SLT\prefs.js)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe
O4 - HKLM\..\Run: [*baswin] C:\WINDOWS\Web\baswin.exe
O4 - HKLM\..\Run: [*doclog] C:\WINDOWS\Cursors\doclog.exe
O4 - HKLM\..\Run: [*cabmain] C:\WINDOWS\Help\cabmain.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - HKLM\..\Run: [*iisdos] C:\WINDOWS\msagent\iisdos.exe
O4 - HKLM\..\Run: [*basav] C:\WINDOWS\Registration\basav.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [*cas] C:\WINDOWS\Fonts\cas.exe
O4 - HKLM\..\Run: [*msnet] C:\WINDOWS\AppPatch\msnet.exe
O4 - HKLM\..\Run: [*crlog] C:\WINDOWS\ServicePackFiles\crlog.exe
O4 - HKLM\..\Run: [NAV Agent] G:\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [*infomp3] C:\WINDOWS\system\Crescendo\infomp3.exe
O4 - HKLM\..\Run: [*crole] C:\WINDOWS\system32\tenarchlib\crole.exe
O4 - HKLM\..\Run: [*docvss] C:\WINDOWS\AppPatch\docvss.exe
O4 - HKLM\..\Run: [*diskplay] C:\WINDOWS\Config\diskplay.exe
O4 - HKLM\..\Run: [*tapieula] C:\WINDOWS\security\templates\tapieula.exe
O4 - HKLM\..\Run: [*dllsys] C:\WINDOWS\Tasks\dllsys.exe
O4 - HKLM\..\Run: [*rasnet] C:\WINDOWS\AppPatch\rasnet.exe
O4 - HKLM\..\Run: [*msav] C:\WINDOWS\Help\msav.exe
O4 - HKLM\..\Run: [*odbcreg] C:\WINDOWS\system\Drivers\odbcreg.exe
O4 - HKLM\..\Run: [*wavevb] C:\WINDOWS\Tasks\wavevb.exe
O4 - HKLM\..\Run: [*catrun] C:\WINDOWS\inf\INFBACK\catrun.exe
O4 - HKLM\..\Run: [*jpegkey] C:\WINDOWS\AppPatch\jpegkey.exe
O4 - HKLM\..\Run: [*accad] C:\WINDOWS\Fonts\accad.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [*oles] C:\WINDOWS\java\Packages\oles.exe
O4 - HKLM\..\Run: [*faxlog] C:\WINDOWS\Registration\faxlog.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [*fontplay] C:\WINDOWS\msagent\CHARS\fontplay.exe
O4 - HKLM\..\Run: [*tapimfc] C:\WINDOWS\system\Crescendo\tapimfc.exe
O4 - HKLM\..\Run: [*iiss] C:\WINDOWS\Registration\iiss.exe
O4 - HKLM\..\Run: [*crs] C:\WINDOWS\Driver Cache\crs.exe
O4 - HKLM\..\Run: [*mainas] C:\WINDOWS\Cursors\mainas.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [*tcpsrv] C:\WINDOWS\Fonts\tcpsrv.exe
O4 - HKLM\..\RunOnce: [*cabmain] C:\WINDOWS\Help\cabmain.exe rerun
O4 - HKLM\..\RunOnce: [*baswin] C:\WINDOWS\Web\baswin.exe rerun
O4 - HKLM\..\RunOnce: [*cas] C:\WINDOWS\Fonts\cas.exe rerun
O4 - HKLM\..\RunOnce: [*crole] C:\WINDOWS\system32\tenarchlib\crole.exe rerun
O4 - HKLM\..\RunOnce: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe rerun
O4 - HKLM\..\RunOnce: [*doclog] C:\WINDOWS\Cursors\doclog.exe rerun
O4 - HKLM\..\RunOnce: [*msnet] C:\WINDOWS\AppPatch\msnet.exe rerun
O4 - HKLM\..\RunOnce: [*tapieula] C:\WINDOWS\security\templates\tapieula.exe rerun
O4 - HKLM\..\RunOnce: [*dllsys] C:\WINDOWS\Tasks\dllsys.exe rerun
O4 - HKLM\..\RunOnce: [*jpegkey] C:\WINDOWS\AppPatch\jpegkey.exe rerun
O4 - HKLM\..\RunOnce: [*faxlog] C:\WINDOWS\Registration\faxlog.exe rerun
O4 - HKLM\..\RunOnce: [*accad] C:\WINDOWS\Fonts\accad.exe rerun
O4 - HKLM\..\RunOnce: [*tapimfc] C:\WINDOWS\system\Crescendo\tapimfc.exe rerun
O4 - HKLM\..\RunOnce: [*mainas] C:\WINDOWS\Cursors\mainas.exe rerun
O4 - HKLM\..\RunOnce: [*fontplay] C:\WINDOWS\msagent\CHARS\fontplay.exe rerun
O4 - HKLM\..\RunOnce: [*odbcreg] C:\WINDOWS\system\Drivers\odbcreg.exe rerun
O4 - HKLM\..\RunOnce: [*crs] C:\WINDOWS\Driver Cache\crs.exe rerun
O4 - HKLM\..\RunOnce: [*iiss] C:\WINDOWS\Registration\iiss.exe rerun
O4 - HKLM\..\RunOnce: [*wavevb] C:\WINDOWS\Tasks\wavevb.exe rerun
O4 - HKLM\..\RunOnce: [*catrun] C:\WINDOWS\inf\INFBACK\catrun.exe rerun
O4 - HKLM\..\RunOnce: [*tcpsrv] C:\WINDOWS\Fonts\tcpsrv.exe rerun
O4 - HKLM\..\RunOnce: [*iisdos] C:\WINDOWS\msagent\iisdos.exe rerun
O4 - HKLM\..\RunOnce: [*basav] C:\WINDOWS\Registration\basav.exe rerun
O4 - HKLM\..\RunOnce: [*crlog] C:\WINDOWS\ServicePackFiles\crlog.exe rerun
O4 - HKLM\..\RunOnce: [*oles] C:\WINDOWS\java\Packages\oles.exe rerun
O4 - HKLM\..\RunOnce: [*infomp3] C:\WINDOWS\system\Crescendo\infomp3.exe rerun
O4 - HKLM\..\RunOnce: [*docvss] C:\WINDOWS\AppPatch\docvss.exe rerun
O4 - HKLM\..\RunOnce: [*diskplay] C:\WINDOWS\Config\diskplay.exe rerun
O4 - HKLM\..\RunOnce: [*msav] C:\WINDOWS\Help\msav.exe rerun
O4 - HKLM\..\RunOnce: [*rasnet] C:\WINDOWS\AppPatch\rasnet.exe rerun
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - G:\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Fixed the R3 line with HJT and ran Stinger; can't find a certain program I have on my main system.

Next log:

Logfile of HijackThis v1.99.0
Scan saved at 11:06:06 AM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\inetm\winlogon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\SK9910DM.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
G:\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\nvsvc32.exe
G:\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Doll.DOLLY\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
F3 - REG:win.ini: run=C:\WINDOWS\inetm\winlogon.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Doll\Application Data\Mozilla\Profiles\default\X0M8CH5P.SLT\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe
O4 - HKLM\..\Run: [*baswin] C:\WINDOWS\Web\baswin.exe
O4 - HKLM\..\Run: [*doclog] C:\WINDOWS\Cursors\doclog.exe
O4 - HKLM\..\Run: [*cabmain] C:\WINDOWS\Help\cabmain.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - HKLM\..\Run: [*iisdos] C:\WINDOWS\msagent\iisdos.exe
O4 - HKLM\..\Run: [*basav] C:\WINDOWS\Registration\basav.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [*cas] C:\WINDOWS\Fonts\cas.exe
O4 - HKLM\..\Run: [*msnet] C:\WINDOWS\AppPatch\msnet.exe
O4 - HKLM\..\Run: [*crlog] C:\WINDOWS\ServicePackFiles\crlog.exe
O4 - HKLM\..\Run: [NAV Agent] G:\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [*infomp3] C:\WINDOWS\system\Crescendo\infomp3.exe
O4 - HKLM\..\Run: [*crole] C:\WINDOWS\system32\tenarchlib\crole.exe
O4 - HKLM\..\Run: [*docvss] C:\WINDOWS\AppPatch\docvss.exe
O4 - HKLM\..\Run: [*diskplay] C:\WINDOWS\Config\diskplay.exe
O4 - HKLM\..\Run: [*tapieula] C:\WINDOWS\security\templates\tapieula.exe
O4 - HKLM\..\Run: [*dllsys] C:\WINDOWS\Tasks\dllsys.exe
O4 - HKLM\..\Run: [*rasnet] C:\WINDOWS\AppPatch\rasnet.exe
O4 - HKLM\..\Run: [*msav] C:\WINDOWS\Help\msav.exe
O4 - HKLM\..\Run: [*odbcreg] C:\WINDOWS\system\Drivers\odbcreg.exe
O4 - HKLM\..\Run: [*wavevb] C:\WINDOWS\Tasks\wavevb.exe
O4 - HKLM\..\Run: [*catrun] C:\WINDOWS\inf\INFBACK\catrun.exe
O4 - HKLM\..\Run: [*jpegkey] C:\WINDOWS\AppPatch\jpegkey.exe
O4 - HKLM\..\Run: [*accad] C:\WINDOWS\Fonts\accad.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [*oles] C:\WINDOWS\java\Packages\oles.exe
O4 - HKLM\..\Run: [*faxlog] C:\WINDOWS\Registration\faxlog.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [*fontplay] C:\WINDOWS\msagent\CHARS\fontplay.exe
O4 - HKLM\..\Run: [*tapimfc] C:\WINDOWS\system\Crescendo\tapimfc.exe
O4 - HKLM\..\Run: [*iiss] C:\WINDOWS\Registration\iiss.exe
O4 - HKLM\..\Run: [*crs] C:\WINDOWS\Driver Cache\crs.exe
O4 - HKLM\..\Run: [*mainas] C:\WINDOWS\Cursors\mainas.exe
O4 - HKLM\..\Run: [*tcpsrv] C:\WINDOWS\Fonts\tcpsrv.exe
O4 - HKLM\..\RunOnce: [*cabmain] C:\WINDOWS\Help\cabmain.exe rerun
O4 - HKLM\..\RunOnce: [*baswin] C:\WINDOWS\Web\baswin.exe rerun
O4 - HKLM\..\RunOnce: [*cas] C:\WINDOWS\Fonts\cas.exe rerun
O4 - HKLM\..\RunOnce: [*crole] C:\WINDOWS\system32\tenarchlib\crole.exe rerun
O4 - HKLM\..\RunOnce: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe rerun
O4 - HKLM\..\RunOnce: [*doclog] C:\WINDOWS\Cursors\doclog.exe rerun
O4 - HKLM\..\RunOnce: [*msnet] C:\WINDOWS\AppPatch\msnet.exe rerun
O4 - HKLM\..\RunOnce: [*tapieula] C:\WINDOWS\security\templates\tapieula.exe rerun
O4 - HKLM\..\RunOnce: [*dllsys] C:\WINDOWS\Tasks\dllsys.exe rerun
O4 - HKLM\..\RunOnce: [*jpegkey] C:\WINDOWS\AppPatch\jpegkey.exe rerun
O4 - HKLM\..\RunOnce: [*faxlog] C:\WINDOWS\Registration\faxlog.exe rerun
O4 - HKLM\..\RunOnce: [*accad] C:\WINDOWS\Fonts\accad.exe rerun
O4 - HKLM\..\RunOnce: [*tapimfc] C:\WINDOWS\system\Crescendo\tapimfc.exe rerun
O4 - HKLM\..\RunOnce: [*mainas] C:\WINDOWS\Cursors\mainas.exe rerun
O4 - HKLM\..\RunOnce: [*fontplay] C:\WINDOWS\msagent\CHARS\fontplay.exe rerun
O4 - HKLM\..\RunOnce: [*odbcreg] C:\WINDOWS\system\Drivers\odbcreg.exe rerun
O4 - HKLM\..\RunOnce: [*crs] C:\WINDOWS\Driver Cache\crs.exe rerun
O4 - HKLM\..\RunOnce: [*iiss] C:\WINDOWS\Registration\iiss.exe rerun
O4 - HKLM\..\RunOnce: [*wavevb] C:\WINDOWS\Tasks\wavevb.exe rerun
O4 - HKLM\..\RunOnce: [*catrun] C:\WINDOWS\inf\INFBACK\catrun.exe rerun
O4 - HKLM\..\RunOnce: [*tcpsrv] C:\WINDOWS\Fonts\tcpsrv.exe rerun
O4 - HKLM\..\RunOnce: [*iisdos] C:\WINDOWS\msagent\iisdos.exe rerun
O4 - HKLM\..\RunOnce: [*basav] C:\WINDOWS\Registration\basav.exe rerun
O4 - HKLM\..\RunOnce: [*crlog] C:\WINDOWS\ServicePackFiles\crlog.exe rerun
O4 - HKLM\..\RunOnce: [*oles] C:\WINDOWS\java\Packages\oles.exe rerun
O4 - HKLM\..\RunOnce: [*infomp3] C:\WINDOWS\system\Crescendo\infomp3.exe rerun
O4 - HKLM\..\RunOnce: [*docvss] C:\WINDOWS\AppPatch\docvss.exe rerun
O4 - HKLM\..\RunOnce: [*diskplay] C:\WINDOWS\Config\diskplay.exe rerun
O4 - HKLM\..\RunOnce: [*msav] C:\WINDOWS\Help\msav.exe rerun
O4 - HKLM\..\RunOnce: [*rasnet] C:\WINDOWS\AppPatch\rasnet.exe rerun
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - G:\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I don't know what to do now, I installed Spyware Guard, and reset the start page on IE, but I keep getting a popup that wants to reset the home page, but spyware guard is preventing it.


#2 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 17 December 2004 - 12:20 PM

Download FxAgentB.exe from HERE and save it to your desktop. After downloading, double-click the FxAgentB file to run it and the program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later. Reboot when done.

Next click HERE to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1. Reboot when done.

Then click HERE to download Ad-Aware SE and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Click "Start", select "Perform Full System scan" and "Next" to start the scan. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done, rescan with HijackThis and post a new log here, together with the FxAgentB log.

#3 Shattuc

Posted 17 December 2004 - 01:11 PM

Logfile of HijackThis v1.99.0
Scan saved at 12:09:03 PM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\inetm\winlogon.exe
G:\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\SK9910DM.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
G:\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Doll.DOLLY\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
F3 - REG:win.ini: run=C:\WINDOWS\inetm\winlogon.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Doll\Application Data\Mozilla\Profiles\default\X0M8CH5P.SLT\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe
O4 - HKLM\..\Run: [*baswin] C:\WINDOWS\Web\baswin.exe
O4 - HKLM\..\Run: [*doclog] C:\WINDOWS\Cursors\doclog.exe
O4 - HKLM\..\Run: [*cabmain] C:\WINDOWS\Help\cabmain.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - HKLM\..\Run: [*iisdos] C:\WINDOWS\msagent\iisdos.exe
O4 - HKLM\..\Run: [*basav] C:\WINDOWS\Registration\basav.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [*cas] C:\WINDOWS\Fonts\cas.exe
O4 - HKLM\..\Run: [*msnet] C:\WINDOWS\AppPatch\msnet.exe
O4 - HKLM\..\Run: [*crlog] C:\WINDOWS\ServicePackFiles\crlog.exe
O4 - HKLM\..\Run: [NAV Agent] G:\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [*infomp3] C:\WINDOWS\system\Crescendo\infomp3.exe
O4 - HKLM\..\Run: [*crole] C:\WINDOWS\system32\tenarchlib\crole.exe
O4 - HKLM\..\Run: [*docvss] C:\WINDOWS\AppPatch\docvss.exe
O4 - HKLM\..\Run: [*diskplay] C:\WINDOWS\Config\diskplay.exe
O4 - HKLM\..\Run: [*tapieula] C:\WINDOWS\security\templates\tapieula.exe
O4 - HKLM\..\Run: [*dllsys] C:\WINDOWS\Tasks\dllsys.exe
O4 - HKLM\..\Run: [*rasnet] C:\WINDOWS\AppPatch\rasnet.exe
O4 - HKLM\..\Run: [*msav] C:\WINDOWS\Help\msav.exe
O4 - HKLM\..\Run: [*odbcreg] C:\WINDOWS\system\Drivers\odbcreg.exe
O4 - HKLM\..\Run: [*wavevb] C:\WINDOWS\Tasks\wavevb.exe
O4 - HKLM\..\Run: [*catrun] C:\WINDOWS\inf\INFBACK\catrun.exe
O4 - HKLM\..\Run: [*jpegkey] C:\WINDOWS\AppPatch\jpegkey.exe
O4 - HKLM\..\Run: [*accad] C:\WINDOWS\Fonts\accad.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [*oles] C:\WINDOWS\java\Packages\oles.exe
O4 - HKLM\..\Run: [*faxlog] C:\WINDOWS\Registration\faxlog.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [*fontplay] C:\WINDOWS\msagent\CHARS\fontplay.exe
O4 - HKLM\..\Run: [*tapimfc] C:\WINDOWS\system\Crescendo\tapimfc.exe
O4 - HKLM\..\Run: [*iiss] C:\WINDOWS\Registration\iiss.exe
O4 - HKLM\..\Run: [*crs] C:\WINDOWS\Driver Cache\crs.exe
O4 - HKLM\..\Run: [*mainas] C:\WINDOWS\Cursors\mainas.exe
O4 - HKLM\..\Run: [*tcpsrv] C:\WINDOWS\Fonts\tcpsrv.exe
O4 - HKLM\..\RunOnce: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe rerun
O4 - HKLM\..\RunOnce: [*baswin] C:\WINDOWS\Web\baswin.exe rerun
O4 - HKLM\..\RunOnce: [*doclog] C:\WINDOWS\Cursors\doclog.exe rerun
O4 - HKLM\..\RunOnce: [*cabmain] C:\WINDOWS\Help\cabmain.exe rerun
O4 - HKLM\..\RunOnce: [*iisdos] C:\WINDOWS\msagent\iisdos.exe rerun
O4 - HKLM\..\RunOnce: [*basav] C:\WINDOWS\Registration\basav.exe rerun
O4 - HKLM\..\RunOnce: [*cas] C:\WINDOWS\Fonts\cas.exe rerun
O4 - HKLM\..\RunOnce: [*msnet] C:\WINDOWS\AppPatch\msnet.exe rerun
O4 - HKLM\..\RunOnce: [*crlog] C:\WINDOWS\ServicePackFiles\crlog.exe rerun
O4 - HKLM\..\RunOnce: [*infomp3] C:\WINDOWS\system\Crescendo\infomp3.exe rerun
O4 - HKLM\..\RunOnce: [*crole] C:\WINDOWS\system32\tenarchlib\crole.exe rerun
O4 - HKLM\..\RunOnce: [*docvss] C:\WINDOWS\AppPatch\docvss.exe rerun
O4 - HKLM\..\RunOnce: [*diskplay] C:\WINDOWS\Config\diskplay.exe rerun
O4 - HKLM\..\RunOnce: [*tapieula] C:\WINDOWS\security\templates\tapieula.exe rerun
O4 - HKLM\..\RunOnce: [*rasnet] C:\WINDOWS\AppPatch\rasnet.exe rerun
O4 - HKLM\..\RunOnce: [*dllsys] C:\WINDOWS\Tasks\dllsys.exe rerun
O4 - HKLM\..\RunOnce: [*msav] C:\WINDOWS\Help\msav.exe rerun
O4 - HKLM\..\RunOnce: [*odbcreg] C:\WINDOWS\system\Drivers\odbcreg.exe rerun
O4 - HKLM\..\RunOnce: [*wavevb] C:\WINDOWS\Tasks\wavevb.exe rerun
O4 - HKLM\..\RunOnce: [*catrun] C:\WINDOWS\inf\INFBACK\catrun.exe rerun
O4 - HKLM\..\RunOnce: [*jpegkey] C:\WINDOWS\AppPatch\jpegkey.exe rerun
O4 - HKLM\..\RunOnce: [*accad] C:\WINDOWS\Fonts\accad.exe rerun
O4 - HKLM\..\RunOnce: [*oles] C:\WINDOWS\java\Packages\oles.exe rerun
O4 - HKLM\..\RunOnce: [*faxlog] C:\WINDOWS\Registration\faxlog.exe rerun
O4 - HKLM\..\RunOnce: [*fontplay] C:\WINDOWS\msagent\CHARS\fontplay.exe rerun
O4 - HKLM\..\RunOnce: [*tapimfc] C:\WINDOWS\system\Crescendo\tapimfc.exe rerun
O4 - HKLM\..\RunOnce: [*iiss] C:\WINDOWS\Registration\iiss.exe rerun
O4 - HKLM\..\RunOnce: [*crs] C:\WINDOWS\Driver Cache\crs.exe rerun
O4 - HKLM\..\RunOnce: [*mainas] C:\WINDOWS\Cursors\mainas.exe rerun
O4 - HKLM\..\RunOnce: [*tcpsrv] C:\WINDOWS\Fonts\tcpsrv.exe rerun
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - G:\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2
D:\System Volume Information: (not scanned)
G:\System Volume Information: (not scanned)
Backdoor.Agent.B has not been found on your computer.

Adaware found 168 items previously, fixed 166 of them, this run found 415, fixed 398.

#4 Siggyx

Posted 17 December 2004 - 01:24 PM

Please make sure teatimer is disabled >>> http://russelltexas....re/teatimer.htm

Then open task manager and stop process on these files if present.

C:\WINDOWS\Tasks\imgdns.exe
C:\WINDOWS\Web\baswin.exe
C:\WINDOWS\Cursors\doclog.exe
C:\WINDOWS\Help\cabmain.exe
C:\WINDOWS\inetm\winlogon.exe
C:\WINDOWS\msagent\iisdos.exe
C:\WINDOWS\Registration\basav.exe
C:\WINDOWS\Fonts\cas.exe
C:\WINDOWS\AppPatch\msnet.exe
C:\WINDOWS\ServicePackFiles\crlog.exe
C:\WINDOWS\system\Crescendo\infomp3.exe
C:\WINDOWS\system32\tenarchlib\crole.exe
C:\WINDOWS\AppPatch\docvss.exe
C:\WINDOWS\Config\diskplay.exe
C:\WINDOWS\security\templates\tapieula.exe
C:\WINDOWS\Tasks\dllsys.exe
C:\WINDOWS\AppPatch\rasnet.exe
C:\WINDOWS\Help\msav.exe
C:\WINDOWS\system\Drivers\odbcreg.exe
C:\WINDOWS\Tasks\wavevb.exe
C:\WINDOWS\inf\INFBACK\catrun.exe
C:\WINDOWS\AppPatch\jpegkey.exe
C:\WINDOWS\Fonts\accad.exe
C:\WINDOWS\java\Packages\oles.exe
C:\WINDOWS\Registration\faxlog.exe
C:\WINDOWS\msagent\CHARS\fontplay.exe
C:\WINDOWS\system\Crescendo\tapimfc.exe
C:\WINDOWS\Registration\iiss.exe
C:\WINDOWS\Driver Cache\crs.exe
C:\WINDOWS\Cursors\mainas.exe
C:\WINDOWS\Fonts\tcpsrv.exe

Then scan with hijackthis and put a check beside these lines and choose FIX.

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe
O4 - HKLM\..\Run: [*baswin] C:\WINDOWS\Web\baswin.exe
O4 - HKLM\..\Run: [*doclog] C:\WINDOWS\Cursors\doclog.exe
O4 - HKLM\..\Run: [*cabmain] C:\WINDOWS\Help\cabmain.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - HKLM\..\Run: [*iisdos] C:\WINDOWS\msagent\iisdos.exe
O4 - HKLM\..\Run: [*basav] C:\WINDOWS\Registration\basav.exe
O4 - HKLM\..\Run: [*cas] C:\WINDOWS\Fonts\cas.exe
O4 - HKLM\..\Run: [*msnet] C:\WINDOWS\AppPatch\msnet.exe
O4 - HKLM\..\Run: [*crlog] C:\WINDOWS\ServicePackFiles\crlog.exe
O4 - HKLM\..\Run: [NAV Agent] G:\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [*infomp3] C:\WINDOWS\system\Crescendo\infomp3.exe
O4 - HKLM\..\Run: [*crole] C:\WINDOWS\system32\tenarchlib\crole.exe
O4 - HKLM\..\Run: [*docvss] C:\WINDOWS\AppPatch\docvss.exe
O4 - HKLM\..\Run: [*diskplay] C:\WINDOWS\Config\diskplay.exe
O4 - HKLM\..\Run: [*tapieula] C:\WINDOWS\security\templates\tapieula.exe
O4 - HKLM\..\Run: [*dllsys] C:\WINDOWS\Tasks\dllsys.exe
O4 - HKLM\..\Run: [*rasnet] C:\WINDOWS\AppPatch\rasnet.exe
O4 - HKLM\..\Run: [*msav] C:\WINDOWS\Help\msav.exe
O4 - HKLM\..\Run: [*odbcreg] C:\WINDOWS\system\Drivers\odbcreg.exe
O4 - HKLM\..\Run: [*wavevb] C:\WINDOWS\Tasks\wavevb.exe
O4 - HKLM\..\Run: [*catrun] C:\WINDOWS\inf\INFBACK\catrun.exe
O4 - HKLM\..\Run: [*jpegkey] C:\WINDOWS\AppPatch\jpegkey.exe
O4 - HKLM\..\Run: [*accad] C:\WINDOWS\Fonts\accad.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [*oles] C:\WINDOWS\java\Packages\oles.exe
O4 - HKLM\..\Run: [*faxlog] C:\WINDOWS\Registration\faxlog.exe
O4 - HKLM\..\Run: [*fontplay] C:\WINDOWS\msagent\CHARS\fontplay.exe
O4 - HKLM\..\Run: [*tapimfc] C:\WINDOWS\system\Crescendo\tapimfc.exe
O4 - HKLM\..\Run: [*iiss] C:\WINDOWS\Registration\iiss.exe
O4 - HKLM\..\Run: [*crs] C:\WINDOWS\Driver Cache\crs.exe
O4 - HKLM\..\Run: [*mainas] C:\WINDOWS\Cursors\mainas.exe
O4 - HKLM\..\Run: [*tcpsrv] C:\WINDOWS\Fonts\tcpsrv.exe
O4 - HKLM\..\RunOnce: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe rerun
O4 - HKLM\..\RunOnce: [*baswin] C:\WINDOWS\Web\baswin.exe rerun
O4 - HKLM\..\RunOnce: [*doclog] C:\WINDOWS\Cursors\doclog.exe rerun
O4 - HKLM\..\RunOnce: [*cabmain] C:\WINDOWS\Help\cabmain.exe rerun
O4 - HKLM\..\RunOnce: [*iisdos] C:\WINDOWS\msagent\iisdos.exe rerun
O4 - HKLM\..\RunOnce: [*basav] C:\WINDOWS\Registration\basav.exe rerun
O4 - HKLM\..\RunOnce: [*cas] C:\WINDOWS\Fonts\cas.exe rerun
O4 - HKLM\..\RunOnce: [*msnet] C:\WINDOWS\AppPatch\msnet.exe rerun
O4 - HKLM\..\RunOnce: [*crlog] C:\WINDOWS\ServicePackFiles\crlog.exe rerun
O4 - HKLM\..\RunOnce: [*infomp3] C:\WINDOWS\system\Crescendo\infomp3.exe rerun
O4 - HKLM\..\RunOnce: [*crole] C:\WINDOWS\system32\tenarchlib\crole.exe rerun
O4 - HKLM\..\RunOnce: [*docvss] C:\WINDOWS\AppPatch\docvss.exe rerun
O4 - HKLM\..\RunOnce: [*diskplay] C:\WINDOWS\Config\diskplay.exe rerun
O4 - HKLM\..\RunOnce: [*tapieula] C:\WINDOWS\security\templates\tapieula.exe rerun
O4 - HKLM\..\RunOnce: [*rasnet] C:\WINDOWS\AppPatch\rasnet.exe rerun
O4 - HKLM\..\RunOnce: [*dllsys] C:\WINDOWS\Tasks\dllsys.exe rerun
O4 - HKLM\..\RunOnce: [*msav] C:\WINDOWS\Help\msav.exe rerun
O4 - HKLM\..\RunOnce: [*odbcreg] C:\WINDOWS\system\Drivers\odbcreg.exe rerun
O4 - HKLM\..\RunOnce: [*wavevb] C:\WINDOWS\Tasks\wavevb.exe rerun
O4 - HKLM\..\RunOnce: [*catrun] C:\WINDOWS\inf\INFBACK\catrun.exe rerun
O4 - HKLM\..\RunOnce: [*jpegkey] C:\WINDOWS\AppPatch\jpegkey.exe rerun
O4 - HKLM\..\RunOnce: [*accad] C:\WINDOWS\Fonts\accad.exe rerun
O4 - HKLM\..\RunOnce: [*oles] C:\WINDOWS\java\Packages\oles.exe rerun
O4 - HKLM\..\RunOnce: [*faxlog] C:\WINDOWS\Registration\faxlog.exe rerun
O4 - HKLM\..\RunOnce: [*fontplay] C:\WINDOWS\msagent\CHARS\fontplay.exe rerun
O4 - HKLM\..\RunOnce: [*tapimfc] C:\WINDOWS\system\Crescendo\tapimfc.exe rerun
O4 - HKLM\..\RunOnce: [*iiss] C:\WINDOWS\Registration\iiss.exe rerun
O4 - HKLM\..\RunOnce: [*crs] C:\WINDOWS\Driver Cache\crs.exe rerun
O4 - HKLM\..\RunOnce: [*mainas] C:\WINDOWS\Cursors\mainas.exe rerun

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe

Then reboot to safe mode and look for and delete these files if present

C:\WINDOWS\Tasks\imgdns.exe
C:\WINDOWS\Web\baswin.exe
C:\WINDOWS\Cursors\doclog.exe
C:\WINDOWS\Help\cabmain.exe
C:\WINDOWS\inetm\winlogon.exe
C:\WINDOWS\msagent\iisdos.exe
C:\WINDOWS\Registration\basav.exe
C:\WINDOWS\Fonts\cas.exe
C:\WINDOWS\AppPatch\msnet.exe
C:\WINDOWS\ServicePackFiles\crlog.exe
C:\WINDOWS\system\Crescendo\infomp3.exe
C:\WINDOWS\system32\tenarchlib\crole.exe
C:\WINDOWS\AppPatch\docvss.exe
C:\WINDOWS\Config\diskplay.exe
C:\WINDOWS\security\templates\tapieula.exe
C:\WINDOWS\Tasks\dllsys.exe
C:\WINDOWS\AppPatch\rasnet.exe
C:\WINDOWS\Help\msav.exe
C:\WINDOWS\system\Drivers\odbcreg.exe
C:\WINDOWS\Tasks\wavevb.exe
C:\WINDOWS\inf\INFBACK\catrun.exe
C:\WINDOWS\AppPatch\jpegkey.exe
C:\WINDOWS\Fonts\accad.exe
C:\WINDOWS\java\Packages\oles.exe
C:\WINDOWS\Registration\faxlog.exe
C:\WINDOWS\msagent\CHARS\fontplay.exe
C:\WINDOWS\system\Crescendo\tapimfc.exe
C:\WINDOWS\Registration\iiss.exe
C:\WINDOWS\Driver Cache\crs.exe
C:\WINDOWS\Cursors\mainas.exe
C:\WINDOWS\Fonts\tcpsrv.exe

C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
C:\WINDOWS\inetm\winlogon.exe

Then reboot and please do an online scan here >>> http://www.pandasoft...n_principal.htm

Then reboot and post a new log.
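An added example, not part of the thread and not HijackThis code: a Python triage of the `O4` autorun lines, using three traits visible in most of the entries selected in the post above (a value name starting with `*`, a `RunOnce` twin whose command is the `Run` command plus `rerun`, and a system process name such as `winlogon.exe` outside `system32`), followed by a check of the next log for leftovers. The sample lines are copied from this thread's logs; the function names and the heuristics are this example's assumptions and would need tuning on other machines.

```python
import ntpath
import re
from collections import defaultdict

# Sample lines copied from the logs posted in this thread (a small subset).
BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - HKLM\..\Run: [NAV Agent] G:\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [*crs] C:\WINDOWS\Driver Cache\crs.exe
O4 - HKLM\..\RunOnce: [*imgdns] C:\WINDOWS\Tasks\imgdns.exe rerun
O4 - HKLM\..\RunOnce: [*crs] C:\WINDOWS\Driver Cache\crs.exe rerun
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\winlogon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] G:\NORTON~1\NORTON~1\navapw32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# Registry autoruns only; Startup-folder shortcuts use a different line shape.
O4_REG = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[(.+?)\] (.+)$')
EXE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)
# Assumption of this example: a short list of names that belong in system32.
SYSTEM_NAMES = {"winlogon.exe", "services.exe", "lsass.exe",
                "smss.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM_DIR = r"c:\windows\system32"


def parse_o4(log):
    """Return one dict per registry Run/RunOnce line in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries.append({"hive": hive, "key": key,
                            "name": name, "command": command.strip()})
    return entries


def exe_path(command):
    """Cut the command at the first .exe so paths with spaces survive."""
    m = EXE.match(command)
    return m.group(1) if m else command


def flag(entries):
    """Map (hive, value name) to the set of heuristics that matched."""
    run = {(e["hive"], e["name"]): e["command"]
           for e in entries if e["key"] == "Run"}
    findings = defaultdict(set)
    for e in entries:
        ident = (e["hive"], e["name"])
        if e["name"].startswith("*"):
            findings[ident].add("star_name")
        # A RunOnce twin that re-launches the same Run command with "rerun".
        if e["key"] == "RunOnce" and run.get(ident) \
                and e["command"] == run[ident] + " rerun":
            findings[ident].add("runonce_respawn")
        path = exe_path(e["command"])
        base = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        # A bare file name (no folder) is not judged by this rule.
        if base in SYSTEM_NAMES and folder and folder != SYSTEM_DIR:
            findings[ident].add("system_name_wrong_dir")
    return dict(findings)


def still_present(findings, after_log):
    """Flagged autoruns that are still registered in a later log."""
    after = {(e["hive"], e["name"]) for e in parse_o4(after_log)}
    return sorted(ident for ident in findings if ident in after)


if __name__ == "__main__":
    found = flag(parse_o4(BEFORE))
    for ident, reasons in sorted(found.items()):
        print(ident, sorted(reasons))
    print("left after cleanup:", still_present(found, AFTER))
```
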

#5 Shattuc

Posted 17 December 2004 - 02:26 PM

could not find the following

C:\WINDOWS\Fonts\cas.exe
C:\WINDOWS\Tasks\imgdns.exe
C:\WINDOWS\Tasks\dllsys.exe
C:\WINDOWS\Tasks\wavevb.exe
C:\WINDOWS\inf\INFBACK\catrun.exe
C:\WINDOWS\Fonts\accad.exe
C:\WINDOWS\Fonts\tcpsrv.exe

C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1

I believe the owner of the computer would like to leave weatherbug. I could not determine how to show hidden files or folders. if the files are still present in the folders, they are very well hidden.

re ran Adaware, found and removed 8 items. 6 of which were CWS related. re ran CWShredder found nothing. how does it look now?

Logfile of HijackThis v1.99.0
Scan saved at 1:21:43 PM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\nvsvc32.exe
G:\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\SK9910DM.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
G:\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Doll.DOLLY\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Doll\Application Data\Mozilla\Profiles\default\X0M8CH5P.SLT\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NAV Agent] G:\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - G:\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 Siggyx

Posted 17 December 2004 - 02:30 PM

That looks a lot better :D How is it running?

#7 Shattuc

Posted 17 December 2004 - 07:58 PM

Thanks a lot Siggyx. The functionality of the computer was never really a problem, just random pop ups, and browser hijacks. But the hijack attempts have stopped, and IE is under control again. This can be moved to Solved.

#8 Siggyx

Posted 17 December 2004 - 08:01 PM

No Problem :D

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

If you need this topic reopened, please request this by sending an email to us at the following link
(Click for e-mail)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.
