been hijacked and can't fix


10 replies to this topic

#1 gray_wolf2000 (New Member, 5 posts)

Posted 19 January 2006 - 11:47 PM

I have spent most of the day today looking through a previous thread and thought I had found some answers. Much to my surprise I feel like I am back at square one. I am running XP Home with SP2. My home page keeps changing, random popups, port sites on my favorites. I have Norton AV, Ad-Aware SE, Spybot S&D, ewido, Registry Mechanic. Some of which I downloaded when reading another posting and thought it would help.

Here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 11:46:05 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\safe-share\SafeShare.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\crzg.exe
C:\WINDOWS\ieok.exe
C:\Program Files\Safe-Share\Safe-Share.exe
C:\Program Files\Safe-Share\giFT\giFTl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\RYANAD~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nvsre.dll/sp.html#11277%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nvsre.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nvsre.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nvsre.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nvsre.dll/sp.html#11277%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nvsre.dll/sp.html#11277%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nvsre.dll/sp.html#11277%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Class - {80088EDE-230C-ECC2-B8DB-C5A9294FA43C} - C:\WINDOWS\javayx.dll
O2 - BHO: Class - {8D2AB820-4792-EC0B-EEC6-7066F20405E7} - C:\WINDOWS\system32\atlsw.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C8EE100B-191A-611C-5766-34F50DE08954} - C:\WINDOWS\addhi32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [373k3ti] dplpui.exe
O4 - HKLM\..\Run: [dfaLc] C:\WINDOWS\gpigpv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [uGwf9lb] C:\WINDOWS\sbmaaci.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [mfcdr.exe] C:\WINDOWS\mfcdr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ieaz.exe] C:\WINDOWS\ieaz.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [ieok.exe] C:\WINDOWS\ieok.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [IwsqRjGpO] doclt1.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinlsap.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124939905421
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crzg.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



#2 FZWG (R.I.P My Friend; 569 posts)

Posted 21 January 2006 - 09:41 PM

Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.

As you suspect, there are malware entries showing on your log.

It is best to have the most current log possible, so please run HijackThis again.

However, before doing so, the current log shows you are running the program from here:
C:\DOCUME~1\RYANAD~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

HijackThis makes backups of what is fixed, and it is best to have the program in its own folder to keep the backups securely. Create a folder like: C:\Program Files\HijackThis, or, if you want to keep it on the Desktop, right click an empty area, select New>Folder, name the folder HijackThis, and place the HijackThis.exe file in it.

Then, run the program from there, and post the log using: Add Reply

I will be notified when you post a new log, and will be glad to assist you.
"June, 2007 Farethee Well"

#3 gray_wolf2000 (New Member, 5 posts)

Posted 22 January 2006 - 05:02 PM

Thanks for the response, FZ. I did move HJT to its own folder on my desktop. I had read that on another post. I must have done it after I ran HJT.

Here is my current log:

Logfile of HijackThis v1.99.1
Scan saved at 5:00:51 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\safe-share\SafeShare.exe
C:\WINDOWS\wingq32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\crzg.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ryan Adams\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {1D2B4801-A011-DCC7-6473-EE9347CFFA75} - C:\WINDOWS\crfo.dll
O2 - BHO: Class - {52E410B3-6827-44A2-CD1F-704D0FF9BEE6} - C:\WINDOWS\crhg32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {5AEAFF23-D02D-6AA4-3228-5C5C2E145971} - C:\WINDOWS\atlyt.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Class - {85389C19-9846-3EB7-FED8-ECFDDEB7598A} - C:\WINDOWS\applp.dll
O2 - BHO: Class - {8D2AB820-4792-EC0B-EEC6-7066F20405E7} - C:\WINDOWS\system32\atlsw.dll
O2 - BHO: Class - {9335AF6C-4E0A-3B10-CDF8-6CB83172FED9} - C:\WINDOWS\system32\d3bz.dll
O2 - BHO: Class - {97AE0F1E-7B7E-36A8-38C3-AF261C74234A} - C:\WINDOWS\system32\nethl32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C8EE100B-191A-611C-5766-34F50DE08954} - C:\WINDOWS\addhi32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [373k3ti] dplpui.exe
O4 - HKLM\..\Run: [dfaLc] C:\WINDOWS\gpigpv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [uGwf9lb] C:\WINDOWS\sbmaaci.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [mfcdr.exe] C:\WINDOWS\mfcdr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ieaz.exe] C:\WINDOWS\ieaz.exe
O4 - HKLM\..\Run: [ieok.exe] C:\WINDOWS\ieok.exe
O4 - HKLM\..\Run: [addmf32.exe] C:\WINDOWS\addmf32.exe
O4 - HKLM\..\Run: [atlmx32.exe] C:\WINDOWS\atlmx32.exe
O4 - HKLM\..\Run: [netoe.exe] C:\WINDOWS\netoe.exe
O4 - HKLM\..\Run: [apidk.exe] C:\WINDOWS\apidk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iecv32.exe] C:\WINDOWS\iecv32.exe
O4 - HKLM\..\Run: [javazu.exe] C:\WINDOWS\system32\javazu.exe
O4 - HKLM\..\Run: [wingq32.exe] C:\WINDOWS\wingq32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [IwsqRjGpO] doclt1.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinlsap.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124939905421
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemed...s/mediaview.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crzg.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

thank you for any help you can give.
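Triage logic for HijackThis entries of the kind posted above, as an added example rather than code from this thread or from HijackThis itself. It assumes the v1.99 line layout shown in the logs and encodes as heuristics the indicators the helper flags by hand (res:// search redirects into a local DLL, generic "Class" BHOs and Run entries dropped in the Windows folder, a service with no vendor); the sample lines are a constructed subset in the shape of the second log, with the garbled service name shortened.

```python
"""Heuristic triage of HijackThis (v1.99) log lines for CoolWebSearch-style indicators.

Assumption (not from the thread): every entry has the form '<section> - <body>',
e.g. 'R1 - ...', 'O2 - BHO: ...', 'O4 - HKLM\\..\\Run: [name] cmd', 'O23 - Service: ...'.
Findings are review prompts for a human, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the log above (subset; service name shortened).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1D2B4801-A011-DCC7-6473-EE9347CFFA75} - C:\WINDOWS\crfo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [wingq32.exe] C:\WINDOWS\wingq32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [373k3ti] dplpui.exe
O23 - Service: Network Security Service ( 11F) - Unknown owner - C:\WINDOWS\system32\crzg.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# Executable/DLL sitting directly in the Windows folder (CWS droppers favour this).
WIN_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll)$", re.I)
# Same, but also allow system32 (used for BHO DLLs and service binaries).
WIN_ANY = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+\.(exe|dll)$", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def check_r(body):
    """R0/R1/R3: IE start/search page settings."""
    if body == "Default URLSearchHook is missing":
        return "default URLSearchHook removed"
    if " = " in body:
        value = body.split(" = ", 1)[1].strip().lower()
        # A res:// URL pointing at a page embedded in a local DLL is the classic CWS redirect.
        if value.startswith("res://") and ".dll/" in value:
            return "IE search/start page redirected into a page embedded in a local DLL"
    return None


def check_o2(body):
    """O2: 'BHO: <class name> - {CLSID} - <path>'."""
    parts = body[len("BHO: "):].split(" - ")
    if len(parts) < 3:
        return None
    name, path = parts[0].strip(), parts[-1].strip()
    if name in ("Class", "(no name)") and WIN_ANY.match(path):
        return "BHO with a generic name loaded from a DLL in the Windows folder"
    return None


def check_o4(body):
    """O4: 'HKLM\\..\\Run: [Name] <command line>' (Startup .lnk entries are skipped)."""
    m = re.match(r"^.*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    # Executable token: a quoted path, or the first whitespace-delimited token.
    target = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    if WIN_ROOT.match(target):
        return "Run entry launching an executable dropped directly in the Windows folder"
    if "\\" not in target and target.lower().endswith(".exe") and target.lower() != "rundll32.exe":
        return "Run entry with an unqualified filename; locate the file and verify it"
    return None


def check_o23(body):
    """O23: 'Service: <display> (<short>) - <owner> - <path>'."""
    parts = body.split(" - ")
    if len(parts) < 3:
        return None
    owner, path = parts[-2].strip(), parts[-1].strip()
    if owner == "Unknown owner" and "(file missing)" not in path and WIN_ANY.match(path):
        return "service with no vendor running from the Windows folder"
    return None


def triage(log_text):
    """Return a Finding for every entry that matches one of the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec.startswith("R"):
            reason = check_r(body)
        elif sec == "O2":
            reason = check_o2(body)
        elif sec == "O4":
            reason = check_o4(body)
        elif sec == "O23":
            reason = check_o23(body)
        else:
            reason = None
        if reason:
            findings.append(Finding(sec, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```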

#4 FZWG (R.I.P My Friend; 569 posts)

Posted 23 January 2006 - 09:44 PM

Please copy these instructions to NotePad and save them to the Desktop, or print them, for later use in Safe Mode. Also, read through once so you have an idea of the procedure.

The log shows Microsoft AntiSpyware is running. Since it can interfere with the fixing of problems, temporarily disable it as follows:
-Right-click on the Microsoft AntiSpyware tray icon by your clock (red and yellow bulls-eye).
-Click on: Security Agents Status
-Click on: Disable real-time protection

Next, open Microsoft AntiSpyware.

-Click on the Options menu
-Select: Settings
-Select: Real Time Protection from the left column
-Uncheck: Enable (MSAS) Security Agents and Enable real-time spyware threat protection
-Click the Save button

Finally, right-click on the program tray icon and select: Shutdown Microsoft AntiSpyware
Select: Yes in the dialogue prompt.

Next, to remove the CoolWebSearch malware, do the following:

Step 1:
Download AboutBuster: http://www.downloads...AboutBuster.zip
-Unzip it to a folder on the Desktop
-Double click the AboutBuster icon
-Click OK to the Read dialogue
-Click the Update button, and then select: Check for Update
Exit from the program, and do not run AboutBuster yet.

Step 2:
Please create a folder on the Desktop (Right click, select New>Folder)
-Name it: Ewido
-Download Ewido Anti-Malware:
http://www.ewido.net/en/download/
-Press: Download Now
-In the folder where Ewido is located, double click the Ewido Setup file
Follow the prompts and reboot when done.
Now, go to Start>All Programs>Ewido
Select: Security Suite
When the program starts, do an online update for the latest signature files
An Update Successful prompt appears when done
Do not click the Scanner button yet.

Step 3:
Next, download CWShredder:
http://cwshredder.ne.../CWShredder.exe
-Create a folder for it, and save the file there
-Double click on the program icon
-Update and download the latest reference files
Do not run the program yet

Step 4:
Download CleanUp40.exe to the Desktop: (about 3/4 down the page: Primary download site (setup program): CleanUp40.exe)
http://www.stevengou...p/download.html
Do not run this program yet.

Step 5:
Download Killbox:
http://www.downloads...org/KillBox.zip
Place it in a folder on the Desktop.
Extract Pocket KillBox from the zip file
Do not run it yet.

Step 6:
Next, enable the viewing of Hidden Files and Folders as follows:
-At your desktop, go to Start>My Computer
-Select the Tools menu and then Folder Options
-After the new window appears select the View tab
-Select: Display the contents of system folders
-Under the Hidden files and folders section select: Show hidden files and folders
-Remove the checkmark from Hide file extensions for known file types
-Remove the checkmark from Hide protected operating system files (Recommended)
-Press the Apply button
Click OK



For this removal procedure to work, make sure you are off line, keep Internet Explorer closed, and perform all the steps that follow.

Step 7:
Click Start>Run and type in: services.msc
-Click OK
-In the Services window find: Network Security Service
-Select/highlight and right click the entry, and choose: Properties
-On the General tab, under Service Status click the Stop button
-Beside: Startup Type, in the drop menu, select: Disabled
-Click Apply, then OK

Step 8:
Now, reboot to Safe Mode:
-Restart your computer
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu
-Select the option for Safe Mode using the arrow keys
-Press Enter to boot into Safe Mode

Step 9:
Run HijackThis and Scan.
Check box for:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {1D2B4801-A011-DCC7-6473-EE9347CFFA75} - C:\WINDOWS\crfo.dll
O2 - BHO: Class - {52E410B3-6827-44A2-CD1F-704D0FF9BEE6} - C:\WINDOWS\crhg32.dll
O2 - BHO: Class - {5AEAFF23-D02D-6AA4-3228-5C5C2E145971} - C:\WINDOWS\atlyt.dll
O2 - BHO: Class - {85389C19-9846-3EB7-FED8-ECFDDEB7598A} - C:\WINDOWS\applp.dll
O2 - BHO: Class - {8D2AB820-4792-EC0B-EEC6-7066F20405E7} - C:\WINDOWS\system32\atlsw.dll
O2 - BHO: Class - {9335AF6C-4E0A-3B10-CDF8-6CB83172FED9} - C:\WINDOWS\system32\d3bz.dll
O2 - BHO: Class - {97AE0F1E-7B7E-36A8-38C3-AF261C74234A} - C:\WINDOWS\system32\nethl32.dll

O4 - HKLM\..\Run: [373k3ti] dplpui.exe
O4 - HKLM\..\Run: [dfaLc] C:\WINDOWS\gpigpv.exe
O4 - HKLM\..\Run: [uGwf9lb] C:\WINDOWS\sbmaaci.exe
O4 - HKLM\..\Run: [mfcdr.exe] C:\WINDOWS\mfcdr.exe
O4 - HKLM\..\Run: [ieaz.exe] C:\WINDOWS\ieaz.exe
O4 - HKLM\..\Run: [ieok.exe] C:\WINDOWS\ieok.exe
O4 - HKLM\..\Run: [addmf32.exe] C:\WINDOWS\addmf32.exe
O4 - HKLM\..\Run: [atlmx32.exe] C:\WINDOWS\atlmx32.exe
O4 - HKLM\..\Run: [netoe.exe] C:\WINDOWS\netoe.exe
O4 - HKLM\..\Run: [apidk.exe] C:\WINDOWS\apidk.exe
O4 - HKLM\..\Run: [iecv32.exe] C:\WINDOWS\iecv32.exe
O4 - HKLM\..\Run: [javazu.exe] C:\WINDOWS\system32\javazu.exe
O4 - HKLM\..\Run: [wingq32.exe] C:\WINDOWS\wingq32.exe
O4 - HKCU\..\Run: [IwsqRjGpO] doclt1.exe

O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemed...s/mediaview.cab

O23 - Service: Network Security Service ( 11Fßä #·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crzg.exe

Now, select: Fix Checked

Step 10:
Back on the Desktop:
-Double click the AboutBuster icon
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Step 11:
Double click the CWShredder icon to run the program
-Next, click on the: ‘Fix’ button
Follow the prompts, and press OK

Step 12:
Double-click the Cleanup! icon to run the program
-Click: Options (right side)
-In the Quick SetUp area, move the arrow to: Custom CleanUp!
-Only check the following:
--Empty Recycle Bin
--Delete Prefetch files
--Scan local drives for temporary files
--Cleanup! All Users

Click: OK
Click the CleanUp button and let the program run.
Close the program when done.

Step 13:
Run Ewido
Click on the Scanner button in the left menu
Next, click on: Complete System Scan

The scan may find malware entries and request action to clean up. Agree.
However, if Ewido finds something that you know is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), do not check: Perform action with all infections. If you are unsure of an entry, select None as the action for the time being.

Once the scan has completed, click: Save Report
Save the report to the EWIDO folder

Step 14:
Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad
(Start > Programs > Accessories > Notepad):

C:\WINDOWS\system32\ruztx.dll
C:\WINDOWS\system32\crzg.exe
C:\WINDOWS\system32\dplpui.exe
C:\WINDOWS\gpigpv.exe
C:\WINDOWS\sbmaaci.exe
C:\WINDOWS\mfcdr.exe
C:\WINDOWS\ieaz.exe
C:\WINDOWS\ieok.exe
C:\WINDOWS\addmf32.exe
C:\WINDOWS\atlmx32.exe
C:\WINDOWS\netoe.exe
C:\WINDOWS\apidk.exe
C:\WINDOWS\iecv32.exe
C:\WINDOWS\system32\javazu.exe
C:\WINDOWS\wingq32.exe
C:\WINDOWS\system32\doclt1.exe


Double-click on Killbox.exe to run it.
At the main screen of KillBox, select the option: Delete on Reboot
Open the Notepad file saved earlier and copy the files to the clipboard
(Highlight all (Ctrl + A) and Copy (Ctrl + C).

In Killbox, go to the File menu, and choose: Paste from Clipboard
Then select: All Files (button)
Now, press the button with a red circle and a white X (Delete File button)
KillBox will alert you the files will be deleted on next reboot, click Yes
When asked to Reboot, select Yes

Step 15:
Last, run HijackThis and Scan. Save its log.

Please post the following:
The About Buster log from Step 10
The EWIDO report from step 13
A new HijackThis log from step 15
"June, 2007 Farethee Well"

#5 gray_wolf2000
New Member, 5 posts

Posted 25 January 2006 - 12:49 AM

Here's the summary:
-disabled Microsoft AntiSpyware per instructions. No problems.
-downloaded software to folders on desktop in steps 1-5
DID ACCIDENTALLY START ABOUTBUSTER AND ABORTED. COULD ACCOUNT FOR SOME MISSING FILES IN FUTURE STEPS.
-steps 6 and 7 completed
- REBOOTED IN SAFE MODE
-in step 9 these entries were not present to check:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ruztx.dll/sp.html#11277%resultposition.net

O23 - Service: Network Security Service ( 11Fßä #·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crzg.exe

-completed steps 10 - 13
- PROBLEM WITH STEP 14
Copied files as suggested. When pasting from the clipboard, nothing is placed in the destination box. Right-clicking into the box only allows one file to be input. Had All Files checked; was not able to get all files into the box. Need to know if I need to go back and do each file individually or not.

STEP 10 LOG:
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was ABORTED at 9:50:17 PM


AboutBuster 6.0
Scan started on [1/24/2006] at [10:54:21 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\DtcInstall.log:sigip
Removed Stream! C:\WINDOWS\stub32.ini:ffuumy
Removed Stream! C:\WINDOWS\stub35.ini:xgnhoi
Removed Stream! C:\WINDOWS\_default.pif:bgmgp
-------------------------------------------------------------
Removed File! : C:\WINDOWS\netnw.exe
Removed File! : C:\WINDOWS\syscy32.exe
Removed File! : C:\WINDOWS\sysdo.exe
Removed File! : C:\WINDOWS\sysfq32.exe
Removed File! : C:\WINDOWS\syskl32.exe
Removed File! : C:\WINDOWS\sysqn32.exe
Removed File! : C:\WINDOWS\syszd32.exe
Removed File! : C:\WINDOWS\winbg32.exe
Removed File! : C:\WINDOWS\winjl32.exe
Removed File! : C:\WINDOWS\winmx.exe
Removed File! : C:\WINDOWS\winnz.exe
Removed File! : C:\WINDOWS\winyl32.exe
Removed File! : C:\WINDOWS\winyy32.exe
Removed File! : C:\WINDOWS\wzgbw.dll
Removed File! : C:\WINDOWS\xpqzk.log
Removed File! : C:\WINDOWS\system32\addap.exe
Removed File! : C:\WINDOWS\system32\addnc.exe
Removed File! : C:\WINDOWS\system32\addsi.exe
Removed File! : C:\WINDOWS\system32\apibu32.exe
Removed File! : C:\WINDOWS\system32\apign.exe
Removed File! : C:\WINDOWS\system32\apikt.exe
Removed File! : C:\WINDOWS\system32\apixl32.exe
Removed File! : C:\WINDOWS\system32\apixt32.exe
Removed File! : C:\WINDOWS\system32\apiyv32.exe
Removed File! : C:\WINDOWS\system32\appas.exe
Removed File! : C:\WINDOWS\system32\appdi.exe
Removed File! : C:\WINDOWS\system32\appen32.exe
Removed File! : C:\WINDOWS\system32\appfw.exe
Removed File! : C:\WINDOWS\system32\apphf.exe
Removed File! : C:\WINDOWS\system32\apphm32.exe
Removed File! : C:\WINDOWS\system32\appix.exe
Removed File! : C:\WINDOWS\system32\appjf.exe
Removed File! : C:\WINDOWS\system32\applq32.exe
Removed File! : C:\WINDOWS\system32\appqm32.exe
Removed File! : C:\WINDOWS\system32\appuv.exe
Removed File! : C:\WINDOWS\system32\appvi.exe
Removed File! : C:\WINDOWS\system32\atlef32.exe
Removed File! : C:\WINDOWS\system32\atljv.exe
Removed File! : C:\WINDOWS\system32\atlkg32.exe
Removed File! : C:\WINDOWS\system32\atlpr.exe
Removed File! : C:\WINDOWS\system32\atlsc32.exe
Removed File! : C:\WINDOWS\system32\atlzk32.exe
Removed File! : C:\WINDOWS\system32\atlzl.exe
Removed File! : C:\WINDOWS\system32\bgbpt.txt
Removed File! : C:\WINDOWS\system32\crea32.exe
Removed File! : C:\WINDOWS\system32\crmr.exe
Removed File! : C:\WINDOWS\system32\crqu32.exe
Removed File! : C:\WINDOWS\system32\crst.exe
Removed File! : C:\WINDOWS\system32\crtw32.exe
Removed File! : C:\WINDOWS\system32\cryp.exe
Removed File! : C:\WINDOWS\system32\crzg.exe
Removed File! : C:\WINDOWS\system32\d3kd32.exe
Removed File! : C:\WINDOWS\system32\d3lb.exe
Removed File! : C:\WINDOWS\system32\ewmnj.dat
Removed File! : C:\WINDOWS\system32\fdnzq.dat
Removed File! : C:\WINDOWS\system32\glnmv.dat
Removed File! : C:\WINDOWS\system32\gqapb.txt
Removed File! : C:\WINDOWS\system32\hcweo.dll
Removed File! : C:\WINDOWS\system32\ieaj32.exe
Removed File! : C:\WINDOWS\system32\ieao.exe
Removed File! : C:\WINDOWS\system32\iedj32.exe
Removed File! : C:\WINDOWS\system32\iefn.exe
Removed File! : C:\WINDOWS\system32\iehp32.exe
Removed File! : C:\WINDOWS\system32\iehr32.exe
Removed File! : C:\WINDOWS\system32\iejd.exe
Removed File! : C:\WINDOWS\system32\iekq.exe
Removed File! : C:\WINDOWS\system32\ielo.exe
Removed File! : C:\WINDOWS\system32\iepr.exe
Removed File! : C:\WINDOWS\system32\ieqx.exe
Removed File! : C:\WINDOWS\system32\ieth32.exe
Removed File! : C:\WINDOWS\system32\ieum32.exe
Removed File! : C:\WINDOWS\system32\iexy32.exe
Removed File! : C:\WINDOWS\system32\ipcs32.exe
Removed File! : C:\WINDOWS\system32\ipfo.exe
Removed File! : C:\WINDOWS\system32\ipmq32.exe
Removed File! : C:\WINDOWS\system32\ipnr32.exe
Removed File! : C:\WINDOWS\system32\ippx.exe
Removed File! : C:\WINDOWS\system32\ipvd.exe
Removed File! : C:\WINDOWS\system32\ipzp.exe
Removed File! : C:\WINDOWS\system32\javagj32.exe
Removed File! : C:\WINDOWS\system32\javahv32.exe
Removed File! : C:\WINDOWS\system32\javahx32.exe
Removed File! : C:\WINDOWS\system32\javane.exe
Removed File! : C:\WINDOWS\system32\javaxx32.exe
Removed File! : C:\WINDOWS\system32\javayx32.exe
Removed File! : C:\WINDOWS\system32\ltxhx.dat
Removed File! : C:\WINDOWS\system32\mfcej32.exe
Removed File! : C:\WINDOWS\system32\mfcfw32.exe
Removed File! : C:\WINDOWS\system32\mfcqx32.exe
Removed File! : C:\WINDOWS\system32\mfcsy.exe
Removed File! : C:\WINDOWS\system32\mfctm32.exe
Removed File! : C:\WINDOWS\system32\mfcxp.exe
Removed File! : C:\WINDOWS\system32\mfczs.exe
Removed File! : C:\WINDOWS\system32\mfczv32.exe
Removed File! : C:\WINDOWS\system32\msal32.exe
Removed File! : C:\WINDOWS\system32\mscs.exe
Removed File! : C:\WINDOWS\system32\mseh32.exe
Removed File! : C:\WINDOWS\system32\mssk32.exe
Removed File! : C:\WINDOWS\system32\msvv.exe
Removed File! : C:\WINDOWS\system32\msyo.exe
Removed File! : C:\WINDOWS\system32\netlf.exe
Removed File! : C:\WINDOWS\system32\ngygq.dll
Removed File! : C:\WINDOWS\system32\ntjy32.exe
Removed File! : C:\WINDOWS\system32\ntma32.exe
Removed File! : C:\WINDOWS\system32\ntmr32.exe
Removed File! : C:\WINDOWS\system32\ntps32.exe
Removed File! : C:\WINDOWS\system32\olmaz.dll
Removed File! : C:\WINDOWS\system32\qodcb.log
Removed File! : C:\WINDOWS\system32\sdkfv.exe
Removed File! : C:\WINDOWS\system32\sdkia.exe
Removed File! : C:\WINDOWS\system32\sdkvs32.exe
Removed File! : C:\WINDOWS\system32\sdkwa.exe
Removed File! : C:\WINDOWS\system32\sysbp.exe
Removed File! : C:\WINDOWS\system32\sysdf32.exe
Removed File! : C:\WINDOWS\system32\sysee.exe
Removed File! : C:\WINDOWS\system32\syshu32.exe
Removed File! : C:\WINDOWS\system32\vftsn.log
Removed File! : C:\WINDOWS\system32\winbl32.exe
Removed File! : C:\WINDOWS\system32\wincx32.exe
Removed File! : C:\WINDOWS\system32\winsz.exe
Removed File! : C:\WINDOWS\system32\winuf.exe
Removed File! : C:\WINDOWS\system32\winxo.exe
Removed File! : C:\WINDOWS\system32\wjndy.dat
Removed File! : C:\WINDOWS\system32\wjngt.dat
Removed File! : C:\WINDOWS\system32\wmaat.dat
Removed File! : C:\WINDOWS\system32\ycccu.dat
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:58:57 PM


STEP 13 LOG:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:04:02 AM, 1/25/2006
+ Report-Checksum: 8FACB3EC

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{029DB004-6BCD-0E73-3AEA-F205B565F0F8} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0ADD4D53-B7DD-20F8-2AC9-AB9CB538A46F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2621D1BF-0A92-2D9C-E595-02A9C3F76F46} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5B7E5C2F-7668-51A3-BA8C-F6B376755AF9} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{63DCBFC8-9F1C-3DA5-A957-E5BCF32589B1} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{818D123D-B7CF-1169-DD32-2310AD262479} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A97B64CA-35C4-DD86-2890-054EE94CE844} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C174CC42-7291-0DCA-CE42-7DB1C655AADD} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C2FE095E-5BA7-FBC8-5387-2878C932A44F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EFC71F6E-8006-6787-AAD0-B50964B31181} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EFF18EAC-64BF-91FF-8F1B-42B57350D99F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F065E398-2ACB-9034-8B2A-28A827FF521F} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1229272821-1292428093-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{97AE0F1E-7B7E-36A8-38C3-AF261C74234A} -> Spyware.CoolWebSearch : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Ryan Adams\Application Data\Mozilla\Firefox\Profiles\1zb3bvln.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Ryan Adams\Cookies\ryan adams@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ryan Adams\Cookies\ryan adams@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ryan Adams\Cookies\ryan adams@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Ryan Adams\Cookies\ryan adams@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Ryan Adams\Cookies\ryan adams@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Ryan Adams\Desktop\HJT\backups\backup-20060124-225314-136.dll -> Downloader.Agent.bc : Cleaned with backup
C:\Documents and Settings\Ryan Adams\Desktop\HJT\backups\backup-20060124-225314-275.dll -> Downloader.Agent.bc : Cleaned with backup
C:\Documents and Settings\Ryan Adams\Desktop\HJT\backups\backup-20060124-225314-988.dll -> Downloader.Agent.bc : Cleaned with backup


::Report End

STEP 15, new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:28:40 AM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\safe-share\SafeShare.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ryan Adams\Desktop\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C7063EDD-A232-E7DB-ECDC-E4249B594117} - C:\WINDOWS\mfcsb.dll (file missing)
O2 - BHO: Class - {C8EE100B-191A-611C-5766-34F50DE08954} - C:\WINDOWS\addhi32.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [apiqd.exe] C:\WINDOWS\apiqd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinlsap.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124939905421
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

This completes all steps you have requested. Please advise on further steps.

#6 FZWG

FZWG

    R.I.P My Friend

  • Validating
  • PipPipPipPip
  • 569 posts

Posted 25 January 2006 - 09:03 PM

Good job!! Much better.

Let’s make sure all is gone…

Please download AdAware SE from the following link:
http://www.majorgeek...ownload506.html
-Use the: Check for Updates Now option and download the latest reference files
Do not run the rest of the program yet.

Download Spybot Search and Destroy:
http://www.majorgeek...wnload2471.html
-After installing the program, click on: Search for Updates
Do not run the rest of the program yet.

Run HijackThis, and Scan
Check box for:

O2 - BHO: Class - {C7063EDD-A232-E7DB-ECDC-E4249B594117} - C:\WINDOWS\mfcsb.dll (file missing)
O2 - BHO: Class - {C8EE100B-191A-611C-5766-34F50DE08954} - C:\WINDOWS\addhi32.dll (file missing)

O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [apiqd.exe] C:\WINDOWS\apiqd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinlsap.exe

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab

Select: Fix Checked

Now, reboot to Safe Mode:

Search for and remove the following folder (bold):
C:\Program Files\safe-share

Search for and remove the following files (bold):
C:\WINDOWS\apiqd.exe
C:\WINDOWS\system32\swinlsap.exe

Now, run AdAware SE
-Use the Start button, and on the next window, select: Perform Full System Scan
-Uncheck: Search for negligible risk entries.
-Press Next, and let Ad-aware scan the hard drive
-When finished, right-click the window with the entries, choose: Select All from the menu, and click Next.
-Once AdAware has removed the entries, close the program

Let's put Spybot Search and Destroy to work.
Select: Check for Problems
Have Spybot remove all the items in RED by clicking on the button labeled: Fix Selected Problems

Reboot after Spybot is done.

Run a Panda online ActiveScan
http://www.pandasoft.../activescan.htm

On the top right go to: Free Use ActiveScan
Select: Free online virus scan

In the prompt that appears: Panda ActiveScan, select the green button: Check Now! At no cost.

Follow the prompts, provide the required info, select: Scan Now!
Allow the ActiveX download.

Select a device to scan: Local Disks

When done, select: See Report
Then select, Save Report and save to a location where you can find the report.

Please provide the ActiveScan report and a new HijackThis log in your response.
"June, 2007 Farethee Well"
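The procedure above (tick specific HijackThis entries, Fix Checked, then remove the orphaned files in Safe Mode) is easier to verify when the log is parsed rather than eyeballed. The following Python is an added example for this thread, not part of HijackThis and not anything FZWG or the original poster wrote. It parses the O-numbered lines, pulls out the CLSID and local file path, flags "(file missing)" orphans, flags entries loading a file directly from C:\WINDOWS (a review heuristic of my own, not a verdict), and checks a fresh log against the fix list from the post above. The sample log lines are copied from this thread; the function names and the sample are my own construction.

```python
"""Parse HijackThis v1.99-style log lines and pull out the entries an analyst
reviews first. Added example for this thread; not HijackThis code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Class - {C7063EDD-A232-E7DB-ECDC-E4249B594117} - C:\WINDOWS\mfcsb.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [apiqd.exe] C:\WINDOWS\apiqd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinlsap.exe
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""

# The entries the helper asked to be ticked before "Fix Checked" (from the post above).
FIX_LIST = r"""
O2 - BHO: Class - {C7063EDD-A232-E7DB-ECDC-E4249B594117} - C:\WINDOWS\mfcsb.dll (file missing)
O4 - HKLM\..\Run: [apiqd.exe] C:\WINDOWS\apiqd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinlsap.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O4 - HKLM\..\Run: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A local path: drive letter, then the shortest run (quotes excluded) ending in a known extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|dat|lnk|htm|html|cab)\b', re.IGNORECASE)


@dataclass(frozen=True)
class HjtEntry:
    section: str            # O2, O4, O16, O23, ...
    text: str               # the raw line, exactly as it would be ticked in HijackThis
    clsid: Optional[str]    # COM class id for BHOs, toolbars and DPF controls
    path: Optional[str]     # local file the entry loads, None for URLs or unknown targets
    file_missing: bool      # HijackThis could not find the target file


def parse_hjt_log(log: str) -> List[HjtEntry]:
    """Keep only O-numbered lines; headers and the 'Running processes' block are skipped."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        clsid = CLSID_RE.search(line)
        path = PATH_RE.search(line)
        entries.append(HjtEntry(
            section=m.group(1),
            text=line,
            clsid=clsid.group(0) if clsid else None,
            path=path.group(0) if path else None,
            file_missing=line.endswith("(file missing)"),
        ))
    return entries


def orphaned_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Registry references whose target file is already gone. They load nothing,
    but they are leftovers of a removal and are the kind of line a helper asks to tick."""
    return [e for e in entries if e.file_missing]


def loads_from_windows_root(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Heuristic (my own, not HijackThis's): files sitting directly in C:\\WINDOWS rather than
    system32 or Program Files. Malware of this era often lived there (apiqd.exe, mfcsb.dll),
    but legitimate vendors occasionally do too (Updreg.exe in the full log), so this is a
    review queue for the analyst, not an automatic fix list."""
    flagged = []
    for e in entries:
        if e.path is None:
            continue
        parent = e.path.rsplit("\\", 1)[0].lower()
        if parent == "c:\\windows":
            flagged.append(e)
    return flagged


def match_fix_list(entries: List[HjtEntry], fix_list: str) -> List[HjtEntry]:
    """Entries from a log that still exactly match a fix list. Run it on the log posted
    after 'Fix Checked' to confirm the ticked lines are really gone."""
    wanted = {l.strip() for l in fix_list.splitlines() if l.strip()}
    return [e for e in entries if e.text in wanted]


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed")
    for e in orphaned_entries(parsed):
        print("orphan:    ", e.text)
    for e in loads_from_windows_root(parsed):
        print("win-root:  ", e.path)
    for e in match_fix_list(parsed, FIX_LIST):
        print("still here:", e.text)
```

Run it on the sample and the three fix-list lines are reported as still present, which is what you expect from the pre-fix log; run it on the later log in this thread and `match_fix_list` comes back empty, confirming the fix took. The path regex deliberately stops at the first known extension, so an O4 line such as `RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup` yields the DLL actually loaded rather than the rundll32 host.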

#7 gray_wolf2000

gray_wolf2000

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 25 January 2006 - 09:25 PM

There is a problem with this request: "Search for and remove the following folder (bold): C:\Program Files\safe-share". SafeShare is a download service I subscribe to and do not wish to delete. Is it OK to reinstall once removed? It is open source if it needs to be fixed. I will finish with the other requests. I already have Ad-Aware and Spybot S&D on my system.

#8 FZWG

FZWG

    R.I.P My Friend

  • Validating
  • PipPipPipPip
  • 569 posts

Posted 25 January 2006 - 09:36 PM

Will look for some file-swappers that do not have any spyware or other advertising parasites bundled into them, after you reply.
"June, 2007 Farethee Well"

#9 gray_wolf2000

gray_wolf2000

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 25 January 2006 - 11:50 PM

I didn't delete safe share because I have paid for it.

Here is the ActiveScan log:


Incident Status Location

Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Ryan Adams\Cookies\ryan adams@banner[2].txt
Hacktool:Hacktool/PatchTCPSP2 Not disinfected C:\Documents and Settings\Ryan Adams\Desktop\Virus Fixes\SP2_Patch.exe
Adware:Adware/StartPage.VG Not disinfected C:\Documents and Settings\Ryan Adams\Desktop\Virus Fixes\Symantec - Norton internet security 2005 full version %252b keygen .exe[Norton SystemWorks 2005_KeyGen.exe]
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:49:14 PM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ryan Adams\Desktop\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124939905421
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Until next time

#10 FZWG

FZWG

    R.I.P My Friend

  • Validating
  • PipPipPipPip
  • 569 posts

Posted 27 January 2006 - 10:12 PM

Search for and remove the following file:
C:\WINDOWS\kwv2.dat

Best to do so in Safe Mode.

If you are not having malware problems, you are good to go!

Make sure the viewing of Hidden Files and Folders, enabled earlier, is back to its normal settings.
Go back to it and use: Restore Default

Some suggestions to remain malware free:
Tony Klein’s article 'How Did I Get Infected In The First Place'
http://www.wildersse...ead.php?t=27971
Take a look at what the article has to offer and select the programs that suit your needs.

Also, the following is an excellent program that you may want to run on a regular basis:

Microsoft AntiSpyware:
http://www.microsoft...re/default.mspx

Thank you for your patience, and performing the procedures requested.
If you have any questions or comments, post back. Otherwise...

Good luck!!
"June, 2007 Farethee Well"

#11 FZWG

FZWG

    R.I.P My Friend

  • Validating
  • PipPipPipPip
  • 569 posts

Posted 20 April 2006 - 08:47 PM

Solved
"June, 2007 Farethee Well"
