WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

coolwwwsearch? popups, ad/spyware - please help, here's my HijackT

Started by seren1 , Jan 03 2006 01:37 PM

This topic is locked

11 replies to this topic

#1 seren1

New Member

New Member
6 posts

Posted 03 January 2006 - 01:37 PM

Hello,

My daughter's computer has picked up a nasty virus or spyware that I can't seem to remedy. Have tried Spybot S&D, which I thought worked, but the popups still occur, and a bar saying the computer is infected keeps blocking the title bar of internet windows. There is also a coolwwwsearch item that cannot be removed.
Also, there is a suspicious new icon in the lower right of the screen that keeps alerting there is spyware, and to click here.
I'm not well-versed in these matters, and my daughter is only five -- I have no idea what she clicked on to get this, as her computer isn't set up for email, but is for the internet. I have an idea that she maybe clicked the alert bubble from that icon.
I will be installing firefox as her browser once I get this problem fixed.

I've downloaded and ran Hijack This on her computer - here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:43:04 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\user1\LOCALS~1\Temp\4.tmp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\iehz.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\sysry32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {017A0FF7-26F5-7344-C985-64575DDA97DD} - C:\WINDOWS\appld32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E4CBB05-BB4B-5EB7-6197-AE4117072F99} - (no file)
O2 - BHO: (no name) - {32595590-FC8D-0911-6A43-ECE66FB11BBF} - (no file)
O2 - BHO: Class - {378AE8EE-0426-C141-F3C8-F6BD25766BFA} - C:\WINDOWS\iedp.dll
O2 - BHO: Class - {4B49C233-41E6-542A-7DCB-BB3C0869BABE} - C:\WINDOWS\system32\d3jy.dll
O2 - BHO: Class - {4EE6E8A9-A6D3-0E71-5989-4F8D1DEDB279} - C:\WINDOWS\sdknm32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7F33EE95-71F6-CC46-9B9F-9B4D5BE2D80B} - (no file)
O2 - BHO: (no name) - {95BB3438-0B60-B4FB-A68F-174D498229E8} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\user1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\user1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ntss.exe] C:\WINDOWS\system32\ntss.exe
O4 - HKLM\..\Run: [iehz.exe] C:\WINDOWS\system32\iehz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma....in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma..../bin/cabsa.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysry32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you so much, your website has a wealth of information and resources!

Advertisements

Register to Remove

#2 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 03 January 2006 - 09:13 PM

The Fix:

Step#1:Getting Ready

Please save these instructions to WordPad so that you have them accessible while following the steps. You also may want to print out these directions as the Internet will not be available.

After downloading the tools, you must disconnect from the internet totally, because staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer and Outlook Express closed throughout as opening either will reinstall the infection.

To replace Internet Explorer to use during this fix, please use Internet Explorer once to download and install FireFox, to be used as your alternate browser throughout this fix.

Close Outlook Express and Internet Explorer for the duration of this fix

Read through all the instructions so that you can ask any questions now, before you disconnect from the Internet.

Please start by downloading the tools you will need to clean this infection with FireFox. If you have a problem or question with any please continue to follow the list step by step to the end and ask the questions when you are asked to reply. Just be sure to let us know what the problem was when you finally reply.

Step#2:Show All Hidden Files Very Important

Please download and open the following zip file. Double-click on the file inside the zip and when it asks you if you would like to merge the file into your registry, please answer yes. This will make sure all files are visible on your computer.
http://www.davehigha...ds/xphidden.zip

Step#3:Download CWShredder Do Not Use Yet

1. Please Download the most recent version of CWShredder, from CWSInstall.exe

2. Check for Updates but please Do NOT use it yet

Step#4:Download About Buster Do Not Use Yet

1. Please download About:Buster from here: http://www.malwareby...AboutBuster.zip

2. Once it is downloaded extract it to c:\aboutbuster.

3. Check to make sure it is up-to-date. Please Do NOT use it yet

Step#5:Download Registrar Lite Do Not Use Yet

Another program to download is Registrar Lite for use later: Please download Registrar Lite and install it to C:\Program Files\RegLite\ . This is a registry editor that is very easy to use. Caution should be exercised when editing the registry as it is very easy to render a Computer unbootable by deleting the wrong key

Step#6:Download Ewido Security Suite Only For Windows 2000 and XP Do Not Use Yet

Download and install Ewido security suite
Right Click on the “E” icon in your taskbar and open Ewido Security Suite then click “update” to get the most recent definitions for it to use.
When it prompts you to update, click the OK button.
download the updates and when they are finished installing, close the window
Please Do Not Use It Yet

Step#6:Download A Registry File to Remove Registry Entries Do Not Use Yet

Please download the following zip file to your desktop:
HSfix
Double Click on HSfix.zip and it will unzip to a new folder it makes on your desktop, called HSfix
Do Not Use It Yet

Please disconnect from the Internet

Step#7:Disable The Bad Service ** Very Important!!**

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE
Click on start > control panel > administrative programs > services. Look for a service called Network Security Service . Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step#8:Stop The Running Processes

Press control-alt-delete to get into the task manager and end the following processes if they exist:

sysry32.exe
ntss.exe
iehz.exe

Step#9:Use HijackThis to Delete About Blank Bad Files

I now need you to delete the following files:

C:\WINDOWS\tfjol.dll
C:\WINDOWS\appld32.dll
C:\WINDOWS\iedp.dll
C:\WINDOWS\system32\d3jy.dll
C:\WINDOWS\sdknm32.dll
C:\WINDOWS\sysry32.exe
C:\DOCUME~1\user1\LOCALS~1\Temp\4.tmp.exe
C:\DOCUME~1\user1\LOCALS~1\Temp\4.tmp.exe
C:\WINDOWS\system32\ntss.exe
C:\WINDOWS\system32\iehz.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Step#10:Cleaning With HijackThis

Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and click 'fix checked' button when ready (some may be gone after uninstalling some programs):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tfjol.dll/sp.html#88449%resultposition.net

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {017A0FF7-26F5-7344-C985-64575DDA97DD} - C:\WINDOWS\appld32.dll
O2 - BHO: (no name) - {0E4CBB05-BB4B-5EB7-6197-AE4117072F99} - (no file)
O2 - BHO: (no name) - {32595590-FC8D-0911-6A43-ECE66FB11BBF} - (no file)
O2 - BHO: Class - {378AE8EE-0426-C141-F3C8-F6BD25766BFA} - C:\WINDOWS\iedp.dll
O2 - BHO: Class - {4B49C233-41E6-542A-7DCB-BB3C0869BABE} - C:\WINDOWS\system32\d3jy.dll
O2 - BHO: Class - {4EE6E8A9-A6D3-0E71-5989-4F8D1DEDB279} - C:\WINDOWS\sdknm32.dll
O2 - BHO: (no name) - {7F33EE95-71F6-CC46-9B9F-9B4D5BE2D80B} - (no file)
O2 - BHO: (no name) - {95BB3438-0B60-B4FB-A68F-174D498229E8} - (no file)

O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\user1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\user1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [ntss.exe] C:\WINDOWS\system32\ntss.exe
O4 - HKLM\..\Run: [iehz.exe] C:\WINDOWS\system32\iehz.exe

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysry32.exe

click "fix checked"

Step#11: Backup The Registry

In the next step we are going to remove a service that gets installed by this malware.

1. Open Registrar Lite and run it.

2. Copy and paste the bold text below into the address bar of Registrar Lite:(this is making a Registry backup for safety in case of error)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

Go to File> Export and and save as (in the C:\Program Files\Registrar Lite (Reglite) folder):

1.) Winkey.reg (Save as type: regedit4 .reg type)
2.) Winkey.hiv (Save as type: Scroll to select-regetd32/WinAPI *hiv *dat files)

Step#12: Use the HSfix.reg file

Navigate to the HSfix folder on your Desktop
Then double-click on the HSfix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
if you have a popup from any of your protection programs asking if you want to make a change to the registry, say Yes or Accept it

Step#13:Fixing With CWShredder

CLOSE ALL WINDOWS except CWShredder
Run the program by clicking 'fix' and letting it fix all CWS remnants.

Step#14:Fixing With About Buster

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory
double-click on aboutbuster.exe
When the tool opens press the OK button, then Start button, then the OK button
then finally the Yes button. It will start scanning your computer for files.
If it asks if you would like to do a second pass, allow it to do so.
Post the log file in your next reply

Step#15:Scan With Ewido Security Suite

Launch Ewido again
Click on Scanner>Complete System Scan.
Let the program scan your PC.
When the scan asks to clean files click OK.
When scan is completed, click Save report. to your desktop.
Post the report in your next reply.

Reboot your computer back to normal mode and

Reconnect To The Internet

Step#16:Scan and Post a New HJT log with other logs

Scan again with HijackThis.
Post your logs from HijackThis, About Buster, and Ewido Security Suite here in this thread with any questions or problems that you have run into.
There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.

Good Luck!

#3 seren1

New Member

New Member
6 posts

Posted 04 January 2006 - 01:01 AM

Thanks so much for your help,

I have followed your instructions and hopefully have the results you expect --
Notes: 1) In step#9, I could not find the file named C:\WINDOWS\system32\ntss.exe (saw a file called NTSS.EXE-14650D5C.pf in folder C:\WINDOWS\Prefetch, but did not delete it).
2) In step#10, the entry 'O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysry32.exe' did not come up when I ran HijackThis.

Otherwise, all went smoothly. Jeez, what a mess!

Here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:43:21 AM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

_______________________

Here is the About Buster log:

AboutBuster 6.0
Scan started on [1/4/2006] at [1:12:05 AM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:fjifa
Removed Stream! C:\WINDOWS\control.ini:provly
Removed Stream! C:\WINDOWS\desktop.ini:yjbkvt
Removed Stream! C:\WINDOWS\FaxSetup.log:qctpxv
Removed Stream! C:\WINDOWS\FaxSetup.log:twasbq
Removed Stream! C:\WINDOWS\Greenstone.bmp:lwsfvb
Removed Stream! C:\WINDOWS\Greenstone.bmp:vvtrei
Removed Stream! C:\WINDOWS\KB873333.log:ovexgs
Removed Stream! C:\WINDOWS\KB885835.log:gwwkau
Removed Stream! C:\WINDOWS\KB899587.log:lbrpx
Removed Stream! C:\WINDOWS\KB905414.log:sthfmh
Removed Stream! C:\WINDOWS\KB910437.log:ktzkhj
Removed Stream! C:\WINDOWS\KB910437.log:yxpgeu
Removed Stream! C:\WINDOWS\MedCtrOC.log:qxitgf
Removed Stream! C:\WINDOWS\QTFont.for:ktzkhj
Removed Stream! C:\WINDOWS\QTFont.qfn:wvwmth
Removed Stream! C:\WINDOWS\REGLOCS.OLD:dukpju
Removed Stream! C:\WINDOWS\regopt.log:pwhaos
Removed Stream! C:\WINDOWS\setuperr.log:ehkxam
Removed Stream! C:\WINDOWS\sthfm.log:xivkdw
Removed Stream! C:\WINDOWS\system.ini:leecpw
Removed Stream! C:\WINDOWS\updspapi.log:efxqrg
-------------------------------------------------------------
Removed File! : C:\WINDOWS\cgnhc.log
Removed File! : C:\WINDOWS\sdkhx32.exe
Removed File! : C:\WINDOWS\sthfm.log
Removed File! : C:\WINDOWS\ttovy.dat
Removed File! : C:\WINDOWS\vvddd.txt
Removed File! : C:\WINDOWS\system32\apijw32.exe
Removed File! : C:\WINDOWS\system32\atlvi32.exe
Removed File! : C:\WINDOWS\system32\crurs.dat
Removed File! : C:\WINDOWS\system32\gqajg.log
Removed File! : C:\WINDOWS\system32\gwwka.dat
Removed File! : C:\WINDOWS\system32\mfcnz.exe
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:14:44 AM

AboutBuster 6.0
Scan started on [1/4/2006] at [1:16:11 AM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:17:50 AM

_____________________________________

And here is the Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:36:52 AM, 1/4/2006
+ Report-Checksum: D448DA7

+ Scan result:

C:\RECYCLER\NPROTECT\00000365.dll -> Adware.SpySheriff : Cleaned with backup
C:\RECYCLER\NPROTECT\00000367.DLL -> Spyware.SpywareNo : Cleaned with backup
C:\RECYCLER\NPROTECT\00000369.dll -> Adware.SpySheriff : Cleaned with backup
C:\RECYCLER\NPROTECT\00001014.EXE -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\RECYCLER\NPROTECT\00001260.exe -> Downloader.Agent.td : Cleaned with backup
C:\RECYCLER\S-1-5-21-1214440339-1425521274-682003330-1003\Dc2.dll -> Downloader.Agent.bc : Cleaned with backup
C:\RECYCLER\S-1-5-21-1214440339-1425521274-682003330-1003\Dc3.dll -> Downloader.Agent.bc : Cleaned with backup
C:\RECYCLER\S-1-5-21-1214440339-1425521274-682003330-1003\Dc4.dll -> Downloader.Agent.bc : Cleaned with backup
C:\RECYCLER\S-1-5-21-1214440339-1425521274-682003330-1003\Dc5.dll -> Downloader.Agent.bc : Cleaned with backup
C:\RECYCLER\S-1-5-21-1214440339-1425521274-682003330-1003\Dc6.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\S-1-5-21-1214440339-1425521274-682003330-1003\Dc8.exe -> Downloader.Agent.td : Cleaned with backup

::Report End

Please let me know what other steps I need to take to complete the process -- my daughter and I send you our deepest gratitude!

#4 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 04 January 2006 - 07:31 PM

Step#1:Restore Deleted System Files

Now we need to see if we need to restore some deleted files:Please check for the following files using the Windows Search Engine:

control.exe
rundll32.exe
wmplayer.exe
msconfig.exe
notepad.exe
shell.dll
SDHelper.dll

If any are missing or not working properly then you can download new copies from
Merijn's Files and following the instructions at that site to have them where they belong for your OS.

If you are having any difficulty with Notepad, please go to Merijn's Files and choose 'Windows Files' from the menu on the left hand side of the page. Then choose 'Notepad' from the list and download it to C:\Windows and C:\Windows\System32
Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
This infection often deletes some system files that need to be replaced. The most frequent one it deletes is shell.dll in Win2K or XP. In XP there are two copies of this file, one in Windows (WINNT) and one in Windows\System32. It does not delete the one in Windows\System so it does not affect Win9x/ME. If you find it missing, please copy the shell.dll from c:\windows\system32\dllcache into both \Windows (WINNT) and Windows\System32 .
The other system file which is most frequently deleted is control.exe. Please check to make sure that you have this file and it is the correct size. If not Please check for the existence of this file by going to to Merijn's Files (sdhelper) and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to the information at this website. The control.exe is more often deleted in Win9x/ME.
If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button

Step#2:Download CCleaner

Download Ccleaner to clean temp files from your computer.
Double click on Ccleaner to install the program, with its default settings, selecting language and agreeing to the license agreement.
Double click the CCleaner shortcut on the desktop to start the program.
Click Options > Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours".

Step#3:Complete An Online AntiVirus Scan

Run an online antivirus scan at:

Trend Micro-Housecall Online AV

Reboot

Step#4:Find the Infected Files On Your Hard Drive
[list]
Navigate to C:\Windows
look for files that were created at the approximate time and date as the infection occurred.
look for those that end in exe, DAT and DLL and if found, right click on the file and check properties. Legitimate files should be copyrighted by Microsoft
if you determine they are bad files, right click on them and choose delete
Navigate to C:\Windows\System or C:\Windows\System32 (depending on the OS) and repeat each of the above steps to check for those ending in exe, DAT and/or DLL
if the above files will not delete, then make a new folder on your desktop by right clicking on the desktop and choosing New > Folder. Name the folder CWS Files.
Move the files from C:\Windows or C:\Windows\System or C:\Windows\system32
to the new folder CWS Files.

Step#5:Using your Windows CD to replace System Files

** In cases where many system files are missing you have no alternative but to have them insert their Windows OS disk and run sfc /scannow from the Run box if able or from Recovery Console if not able to get into windows[/b]

Step#6:Scan And Post a New HijackThis Log

1. Scan again with HijackThis

2. POST your log file using Add Reply to see what is left to fix.

#5 seren1

New Member

New Member
6 posts

Posted 04 January 2006 - 08:05 PM

Siggyx, I just realized I have no operating system disk for my kid's computer (we bought it used from a local computer guy a few months ago - we live in the country), and my own computer runs media center edition. I've just called our local computer guy, and he'll have a disk for me tomorrow. Should I wait to do this next part until I have the disk, or can I perform any of it up to a point. I know, it sounds like I'm trying to disarm a bomb or something...but with my experience, that's EXACTLY how it feels! again, my sincere thanks

#6 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 04 January 2006 - 08:28 PM

Do what you can at this point. Run the scans and see if those files are missing then you can also post a new hijackthis log. Your doing a great job the worst infection is gone and basically we are in clean up mode

#7 seren1

New Member

New Member
6 posts

Posted 05 January 2006 - 02:48 PM

Here is my latest HijackThis log, after following the steps you outlined
Notes: I could not replace the SDHelper.dll file (it kept saying that the file was in use) and because I thought that may be fishy, did not do the Start>Run>regsvr32 thing. Also, all the files you listed seemed to be there, and I did not find any that looked suspicious in my windows or system 32 folders.:

Logfile of HijackThis v1.99.1
Scan saved at 3:38:33 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I guess I'm ready for the next step, if there is one. I haven't noticed any popups or bizarre behaviour...and thanks for the encouragement!

Edited by seren1, 05 January 2006 - 02:51 PM.

#8 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 05 January 2006 - 04:53 PM

Looks good

Running ok?

Lets do some cleaning.

Download ccleaner from the link below, save it to your desktop. Open ccleaner and click on run ccleaner at the bottom right.

http://www.majorgeek...wnload4191.html

Next download Regseeker from the link below. Save it to your destop. Open Regseeker and click on clean registry, next click ok. Once the scan is complete make sure the make backups is checked and then select all and delete it.

http://www.majorgeek...wnload2579.html

Next

System restore is a great function in XP but it can hold old infections and viruses that would be re-installed if used. Do make sure that this does not happen we need to clean out the restore points. Do do this we need to turn restore off and then back on.

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.

Reboot.

Then a new log to be sure.

#9 seren1

New Member

New Member
6 posts

Posted 05 January 2006 - 06:28 PM

Alright, here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:19:41 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I don't know if there's yet more to do, but I just wanted to say that I am most impressed at the service you've provided me (and have already mentioned your site to our local computer reseller). Your help has definitely been way above my expectations, and for that a donation is most certainly in order!

#10 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 05 January 2006 - 07:06 PM

Looks fine. You can have hijackthis delete these 2 lines that are leftovers. I assume everything is running ok.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. In my signature below is also a tutorial on how to harden IE, a good read and very helpful to stop these things in the future. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on.

Safe Surfing.

#11 seren1

New Member

New Member
6 posts

Posted 05 January 2006 - 09:00 PM

All done! Thanks ever so much, and I will take your recommendations into practice. The computer now seems to be running fine, and with the new browser and a few more guards in place, I'm sure my daughter will be surfing much safer. I like the idea of adding a program that places a lot of these bad sites in a 'restricted zone'. In a perfect world, parents would be able to let their children freely explore their interests on the computer without fear -- much the same way that my own parents let me bury myself in books and encyclopedias when I was young. I hope you know that the work you're doing has real importance. My thanks again -- great site, great service!

#12 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 05 January 2006 - 10:03 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

Body Background

skin color theme