
Help I'm infected


8 replies to this topic

#1 hrdwds

hrdwds

    New Member

  • Member
  • 4 posts

Posted 07 July 2005 - 11:26 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:07:41 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\hphmon05.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\sdkrw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {85D986BB-4D6A-6317-9CAF-CBB30CF19DD6} - C:\WINNT\system32\atlpv32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FED02AA2-9793-F483-33AE-16800DBD3485} - C:\WINNT\netij.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] .C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] .C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] .SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] ."C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sdkrw32.exe] C:\WINNT\sdkrw32.exe
O4 - HKLM\..\Run: [sdkal32.exe] C:\WINNT\system32\sdkal32.exe
O4 - HKLM\..\Run: [ntov32.exe] C:\WINNT\ntov32.exe
O4 - HKLM\..\RunOnce: [sdktx32.exe] C:\WINNT\system32\sdktx32.exe
O4 - HKLM\..\RunOnce: [atleq.exe] C:\WINNT\system32\atleq.exe
O4 - HKLM\..\RunOnce: [ipiy.exe] C:\WINNT\system32\ipiy.exe
O4 - HKLM\..\RunOnce: [msoa32.exe] C:\WINNT\msoa32.exe
O4 - HKLM\..\RunOnce: [ntse32.exe] C:\WINNT\ntse32.exe
O4 - HKLM\..\RunOnce: [netqz32.exe] C:\WINNT\netqz32.exe
O4 - HKLM\..\RunOnce: [winwu.exe] C:\WINNT\system32\winwu.exe
O4 - HKLM\..\RunOnce: [ntqf.exe] C:\WINNT\system32\ntqf.exe
O4 - HKLM\..\RunOnce: [atlvh32.exe] C:\WINNT\atlvh32.exe
O4 - HKLM\..\RunOnce: [javakw.exe] C:\WINNT\javakw.exe
O4 - HKLM\..\RunOnce: [msux.exe] C:\WINNT\system32\msux.exe
O4 - HKLM\..\RunOnce: [ntzr32.exe] C:\WINNT\ntzr32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [60-2-1-46] c:\program files\Webdialer\60-2-1-46.exe -m
O4 - HKCU\..\Run: [5-6-5-9] c:\program files\Webdialer\5-6-5-9.exe -m
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchan...ectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchan...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchan...ol/IRCSharc.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service (NSS) ( 11F??#????`I) - Unknown owner - C:\WINNT\system32\sdktx32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • General Admin
  • 15,731 posts

Posted 07 July 2005 - 11:56 PM

1. Download AboutBuster here:
http://www.malwareby...AboutBuster.zip

Unzip it to your desktop, but don't run it yet; we'll do that later on down in this list in SAFE MODE.

2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.

3. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

4. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called 'Network Security Service' or 'Remote Procedure Call (RPC) Helper' or 'Workstation NetLogon Service'. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

5. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.syma...001052409420406

6. Scan with Hijack This (current version is 198.2) and put checks next to all the following, then click "Fix Checked".
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {85D986BB-4D6A-6317-9CAF-CBB30CF19DD6} - C:\WINNT\system32\atlpv32.dll
O2 - BHO: Class - {FED02AA2-9793-F483-33AE-16800DBD3485} - C:\WINNT\netij.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sdkrw32.exe] C:\WINNT\sdkrw32.exe
O4 - HKLM\..\Run: [sdkal32.exe] C:\WINNT\system32\sdkal32.exe
O4 - HKLM\..\Run: [ntov32.exe] C:\WINNT\ntov32.exe
O4 - HKLM\..\RunOnce: [sdktx32.exe] C:\WINNT\system32\sdktx32.exe
O4 - HKLM\..\RunOnce: [atleq.exe] C:\WINNT\system32\atleq.exe
O4 - HKLM\..\RunOnce: [ipiy.exe] C:\WINNT\system32\ipiy.exe
O4 - HKLM\..\RunOnce: [msoa32.exe] C:\WINNT\msoa32.exe
O4 - HKLM\..\RunOnce: [ntse32.exe] C:\WINNT\ntse32.exe
O4 - HKLM\..\RunOnce: [netqz32.exe] C:\WINNT\netqz32.exe
O4 - HKLM\..\RunOnce: [winwu.exe] C:\WINNT\system32\winwu.exe
O4 - HKLM\..\RunOnce: [ntqf.exe] C:\WINNT\system32\ntqf.exe
O4 - HKLM\..\RunOnce: [atlvh32.exe] C:\WINNT\atlvh32.exe
O4 - HKLM\..\RunOnce: [javakw.exe] C:\WINNT\javakw.exe
O4 - HKLM\..\RunOnce: [msux.exe] C:\WINNT\system32\msux.exe
O4 - HKLM\..\RunOnce: [ntzr32.exe] C:\WINNT\ntzr32.exe
O4 - HKCU\..\Run: [60-2-1-46] c:\program files\Webdialer\60-2-1-46.exe -m
O4 - HKCU\..\Run: [5-6-5-9] c:\program files\Webdialer\5-6-5-9.exe -m

O23 - Service: Network Security Service (NSS) ( 11F??#????`I) - Unknown owner - C:\WINNT\system32\sdktx32.exe" /s (file missing)

Delete the following files/folders:
C:\WINNT\sdkrw32.exe
C:\WINNT\system32\sjpqc.dll
C:\WINNT\system32\atlpv32.dll
C:\WINNT\netij.dll
C:\WINNT\system32\sdktx32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ <-- delete entire folder
C:\WINNT\system32\sdkal32.exe
C:\WINNT\ntov32.exe
C:\WINNT\system32\atleq.exe
C:\WINNT\system32\ipiy.exe
C:\WINNT\msoa32.exe
C:\WINNT\ntse32.exe
C:\WINNT\netqz32.exe
C:\WINNT\system32\winwu.exe
C:\WINNT\system32\ntqf.exe
C:\WINNT\atlvh32.exe
C:\WINNT\javakw.exe
C:\WINNT\system32\msux.exe
C:\WINNT\ntzr32.exe
c:\program files\Webdialer\ <-- delete entire folder



7. Double click on the AboutBuster tool I had you download earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the *Save log* button. I will want a copy of that log after all steps are completed here.

8. Scan with Adaware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

10. Reboot to normal mode, scan again with Hijack This and post a new log here.

11. NOTE: Two, possibly three or four, files may have been deleted from your computer by the hijacker and may need to be replaced.

Control.exe
Shell.dll
SDHelper.dll (if you are using Spybot Search & Destroy)
Hosts file (no extension)

If control.exe, shell.dll or SDHelper is missing
Go here: http://spywareinfo.c...n/winfiles.html and download the needed file.

For a missing Hosts file:
Download Hoster from here: http://members.aol.c...dbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
http://www.spywarein...s.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

12. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.
Quote:

ActiveX controls and plug-ins
* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)

13. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review
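
The fix list above is built by hand from the log: every entry whose file lives directly in C:\WINNT or C:\WINNT\system32 under a short random name, the two BHOs registered with no name, the IE search keys pointed at a res:// resource, and the "(file missing)" service with no vendor. The second log in this thread shows why a name-based list is not enough: after the first cleanup the same entries come back under fresh random names (sdktx32.exe becomes mfcmu.exe, sjpqc.dll becomes mmlmv.dll). The script below is an added example, not part of the thread or of HijackThis, that applies those same triage rules to HijackThis log lines so the rules, not the file names, do the work. The prefix list is an assumption derived from the names in these two logs and will need extending for other variants; the sample lines are copied from the logs above plus a few benign neighbours for contrast.

```python
import re

# Added example (not from the thread): triage a HijackThis log for the entries
# this hijacker drops. The name prefixes below are taken from the files listed
# in the two logs above (sdkrw32.exe, ntov32.exe, atleq.exe, mfcmu.exe,
# javakw.exe, d3bd32.exe, ...); they are a heuristic for this thread, not a
# vendor signature, and will need extending for other variants.
CWS_PREFIXES = ("sdk", "nt", "atl", "ip", "ms", "win", "java", "net", "mfc",
                "app", "add", "d3", "ie", "sys", "crl", "api")

# A file sitting directly in C:\WINNT or C:\WINNT\system32 (this machine's
# Windows directory, per the log). Legitimate entries there carry vendor names.
WINDIR_FILE_RE = re.compile(r"c:\\winnt\\(?:system32\\)?([a-z0-9]+\.(?:exe|dll))", re.I)
# prefix + 1-3 random letters + optional "32" + .exe/.dll, e.g. sdkrw32.exe, ipiy.exe
RANDOM_NAME_RE = re.compile(r"^(?:" + "|".join(CWS_PREFIXES) + r")[a-z]{1,3}(?:32)?\.(?:exe|dll)$", re.I)
# IE search/start pages pointed into an HTML resource embedded in a DLL
RES_HIJACK_RE = re.compile(r"res://.*\.dll/sp\.html", re.I)
# "R1 - HKCU\...", "O4 - HKLM\..\Run: [name] path", "O23 - Service: ..."
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")

# Constructed sample: lines copied from the logs above plus benign neighbours,
# so the heuristics have both hits and non-hits to work on.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\sjpqc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {85D986BB-4D6A-6317-9CAF-CBB30CF19DD6} - C:\WINNT\system32\atlpv32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sdkrw32.exe] C:\WINNT\sdkrw32.exe
O4 - HKLM\..\RunOnce: [mfcmu.exe] C:\WINNT\mfcmu.exe
O4 - HKCU\..\Run: [60-2-1-46] c:\program files\Webdialer\60-2-1-46.exe -m
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F??#????`I) - Unknown owner - C:\WINNT\mfcmu.exe" /s (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""


def triage_entry(line):
    """Return the reasons one log line looks like part of the hijack ([] if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if section.startswith("R") and RES_HIJACK_RE.search(body):
        reasons.append("IE search/start page redirected to a res:// DLL resource")
    if section == "O2" and body.startswith("BHO: Class - {"):
        reasons.append("BHO registered with no descriptive name")
    f = WINDIR_FILE_RE.search(body)
    if f and RANDOM_NAME_RE.match(f.group(1)):
        reasons.append("randomly named file in the Windows directory: " + f.group(1))
    if section == "O23" and "Unknown owner" in body and "(file missing)" in body:
        reasons.append("service with no vendor and a missing binary")
    return reasons


def triage_log(text):
    """Map each suspicious line to its reasons; clean lines are omitted."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


def files_to_delete(text):
    """Randomly named files referenced anywhere in the log. Fixing an entry in
    HijackThis only removes the registry value; the file itself still has to be
    deleted (as the post's file list does), or the RunOnce entries come back."""
    names = set()
    for line in text.splitlines():
        f = WINDIR_FILE_RE.search(line)
        if f and RANDOM_NAME_RE.match(f.group(1)):
            names.add(f.group(1).lower())
    return sorted(names)


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("    ->", r)
    print("files to remove:", files_to_delete(SAMPLE_LOG))
```

Run it against a saved HijackThis log by passing the file's text to `triage_log`. The rules deliberately key on where a file sits and how it is named rather than on the exact names, which is what lets the second log's renamed copies (javazl32.exe, mfcmu.exe, addvv32.dll) light up without editing the script; the Webdialer entries and the missing-file PictureTaker service are left for a human to judge, as the helper does in the thread.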

#3 hrdwds

hrdwds

    New Member

  • Member
  • 4 posts

Posted 09 July 2005 - 12:17 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:03:08 AM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\appma32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\WINNT\mfcmu.exe
C:\WINNT\system32\sdkye.exe
C:\WINNT\mfcmu.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5A3F2321-6D27-105E-27CD-C0C38D626EDD} - C:\WINNT\addvv32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {EE8A6A74-1A15-9D6E-7A99-72AC8CDEC063} - C:\WINNT\system32\windv32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] .C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] .C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] .SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] ."C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sdkrw32.exe] C:\WINNT\sdkrw32.exe
O4 - HKLM\..\Run: [sdkal32.exe] C:\WINNT\system32\sdkal32.exe
O4 - HKLM\..\Run: [ntov32.exe] C:\WINNT\ntov32.exe
O4 - HKLM\..\Run: [appma32.exe] C:\WINNT\appma32.exe
O4 - HKLM\..\RunOnce: [mfcmu.exe] C:\WINNT\mfcmu.exe
O4 - HKLM\..\RunOnce: [atlkh.exe] C:\WINNT\system32\atlkh.exe
O4 - HKLM\..\RunOnce: [ntgq32.exe] C:\WINNT\system32\ntgq32.exe
O4 - HKLM\..\RunOnce: [addth.exe] C:\WINNT\system32\addth.exe
O4 - HKLM\..\RunOnce: [javazl32.exe] C:\WINNT\system32\javazl32.exe
O4 - HKLM\..\RunOnce: [addaj32.exe] C:\WINNT\addaj32.exe
O4 - HKLM\..\RunOnce: [ntfp32.exe] C:\WINNT\system32\ntfp32.exe
O4 - HKLM\..\RunOnce: [appkl32.exe] C:\WINNT\appkl32.exe
O4 - HKLM\..\RunOnce: [appga32.exe] C:\WINNT\appga32.exe
O4 - HKLM\..\RunOnce: [ipqw32.exe] C:\WINNT\system32\ipqw32.exe
O4 - HKLM\..\RunOnce: [sdkff.exe] C:\WINNT\system32\sdkff.exe
O4 - HKLM\..\RunOnce: [winod32.exe] C:\WINNT\system32\winod32.exe
O4 - HKLM\..\RunOnce: [iegj32.exe] C:\WINNT\system32\iegj32.exe
O4 - HKLM\..\RunOnce: [iprf32.exe] C:\WINNT\iprf32.exe
O4 - HKLM\..\RunOnce: [d3bd32.exe] C:\WINNT\system32\d3bd32.exe
O4 - HKLM\..\RunOnce: [mfcst32.exe] C:\WINNT\mfcst32.exe
O4 - HKLM\..\RunOnce: [mfcyq.exe] C:\WINNT\mfcyq.exe
O4 - HKLM\..\RunOnce: [mfcmf.exe] C:\WINNT\mfcmf.exe
O4 - HKLM\..\RunOnce: [apimt32.exe] C:\WINNT\apimt32.exe
O4 - HKLM\..\RunOnce: [ntzx32.exe] C:\WINNT\system32\ntzx32.exe
O4 - HKLM\..\RunOnce: [addzf.exe] C:\WINNT\addzf.exe
O4 - HKLM\..\RunOnce: [ntil32.exe] C:\WINNT\ntil32.exe
O4 - HKLM\..\RunOnce: [sysmb.exe] C:\WINNT\system32\sysmb.exe
O4 - HKLM\..\RunOnce: [atlqf32.exe] C:\WINNT\system32\atlqf32.exe
O4 - HKLM\..\RunOnce: [sdkup32.exe] C:\WINNT\sdkup32.exe
O4 - HKLM\..\RunOnce: [ippa.exe] C:\WINNT\ippa.exe
O4 - HKLM\..\RunOnce: [sysgp.exe] C:\WINNT\sysgp.exe
O4 - HKLM\..\RunOnce: [mshp.exe] C:\WINNT\mshp.exe
O4 - HKLM\..\RunOnce: [atlem32.exe] C:\WINNT\system32\atlem32.exe
O4 - HKLM\..\RunOnce: [d3rd.exe] C:\WINNT\system32\d3rd.exe
O4 - HKLM\..\RunOnce: [ipen.exe] C:\WINNT\system32\ipen.exe
O4 - HKLM\..\RunOnce: [netfn.exe] C:\WINNT\netfn.exe
O4 - HKLM\..\RunOnce: [msot32.exe] C:\WINNT\msot32.exe
O4 - HKLM\..\RunOnce: [ntto32.exe] C:\WINNT\ntto32.exe
O4 - HKLM\..\RunOnce: [sdkmj.exe] C:\WINNT\system32\sdkmj.exe
O4 - HKLM\..\RunOnce: [mfcrd32.exe] C:\WINNT\system32\mfcrd32.exe
O4 - HKLM\..\RunOnce: [crlo32.exe] C:\WINNT\crlo32.exe
O4 - HKLM\..\RunOnce: [atlar32.exe] C:\WINNT\atlar32.exe
O4 - HKLM\..\RunOnce: [addvv32.exe] C:\WINNT\addvv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchan...ectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchan...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchan...ol/IRCSharc.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F??#????`I) - Unknown owner - C:\WINNT\mfcmu.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

AboutBuster 5.0 reference file 30
Scan started on [7/9/2005] at [8:08:29 AM]
------------------------------------------------
Removed Stream! C:\WINNT\auisk.log:buklw
Removed Stream! C:\WINNT\Blue Lace 16.bmp:zearq
Removed Stream! C:\WINNT\KB823182.log:zlkvv
Removed Stream! C:\WINNT\KB842773.log:qlwzj
Removed Stream! C:\WINNT\KB893066.log:mhmgz
Removed Stream! C:\WINNT\KB893803v2.log:twume
Removed Stream! C:\WINNT\oavzf.txt:bzduq
Removed Stream! C:\WINNT\ODBC.INI:qzjdf
Removed Stream! C:\WINNT\Q815021.log:tpphk
Removed Stream! C:\WINNT\updspapi.log:gowcb
Removed Stream! C:\WINNT\Windows Update.log:xafzh
Removed Stream! C:\WINNT\_default.pif:agqux
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:08:49 AM

#4 Mosaic1

Mosaic1

    Most Respected SuperExpert

  • Member
  • 4,576 posts

Posted 09 July 2005 - 04:58 PM

hrdwds,

You started a new topic to reply to this one. I have merged that new topic with the original. Please work here until your problem has been resolved. Do not start a new topic in order to reply.

Thank you,

Mosaic1

#5 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • General Admin
  • 15,731 posts

Posted 09 July 2005 - 09:54 PM

You certainly have an extremely infected system. I am going to take an extra step in an attempt to eliminate most of this junk.


First:
Please download and install the Ewido Security Suite:
http://www.ewido.net/en/download/

Update the definitions, but do not run it yet.
Reboot into Safe Mode, then run Ewido and remove all it finds.

Post the log file it generates in this thread.


Second:
From the Desktop
Start -> Run -> services.msc (press 'Enter')
Scroll down the list of services to find Remote Procedure Call
Double click on it
Under Service Status, press 'Stop' button (if not greyed out)
Under Service Type, using pulldown menu, select 'Disabled'
Press 'OK'
Exit


Third:
1. Download AboutBuster here:
http://www.malwareby...AboutBuster.zip

Unzip it to your desktop, but don't run it yet; we'll do that later on down in this list in SAFE MODE.

2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.

3. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

4. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called 'Network Security Service' or 'Remote Procedure Call (RPC) Helper' or 'Workstation NetLogon Service'. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

5. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.syma...001052409420406

6. Scan with Hijack This (current version is 198.2) and put checks next to all the following, then click "Fix Checked".
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {5A3F2321-6D27-105E-27CD-C0C38D626EDD} - C:\WINNT\addvv32.dll
O2 - BHO: Class - {EE8A6A74-1A15-9D6E-7A99-72AC8CDEC063} - C:\WINNT\system32\windv32.dll

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sdkrw32.exe] C:\WINNT\sdkrw32.exe
O4 - HKLM\..\Run: [sdkal32.exe] C:\WINNT\system32\sdkal32.exe
O4 - HKLM\..\Run: [ntov32.exe] C:\WINNT\ntov32.exe
O4 - HKLM\..\Run: [appma32.exe] C:\WINNT\appma32.exe
O4 - HKLM\..\RunOnce: [mfcmu.exe] C:\WINNT\mfcmu.exe
O4 - HKLM\..\RunOnce: [atlkh.exe] C:\WINNT\system32\atlkh.exe
O4 - HKLM\..\RunOnce: [ntgq32.exe] C:\WINNT\system32\ntgq32.exe
O4 - HKLM\..\RunOnce: [addth.exe] C:\WINNT\system32\addth.exe
O4 - HKLM\..\RunOnce: [javazl32.exe] C:\WINNT\system32\javazl32.exe
O4 - HKLM\..\RunOnce: [addaj32.exe] C:\WINNT\addaj32.exe
O4 - HKLM\..\RunOnce: [ntfp32.exe] C:\WINNT\system32\ntfp32.exe
O4 - HKLM\..\RunOnce: [appkl32.exe] C:\WINNT\appkl32.exe
O4 - HKLM\..\RunOnce: [appga32.exe] C:\WINNT\appga32.exe
O4 - HKLM\..\RunOnce: [ipqw32.exe] C:\WINNT\system32\ipqw32.exe
O4 - HKLM\..\RunOnce: [sdkff.exe] C:\WINNT\system32\sdkff.exe
O4 - HKLM\..\RunOnce: [winod32.exe] C:\WINNT\system32\winod32.exe
O4 - HKLM\..\RunOnce: [iegj32.exe] C:\WINNT\system32\iegj32.exe
O4 - HKLM\..\RunOnce: [iprf32.exe] C:\WINNT\iprf32.exe
O4 - HKLM\..\RunOnce: [d3bd32.exe] C:\WINNT\system32\d3bd32.exe
O4 - HKLM\..\RunOnce: [mfcst32.exe] C:\WINNT\mfcst32.exe
O4 - HKLM\..\RunOnce: [mfcyq.exe] C:\WINNT\mfcyq.exe
O4 - HKLM\..\RunOnce: [mfcmf.exe] C:\WINNT\mfcmf.exe
O4 - HKLM\..\RunOnce: [apimt32.exe] C:\WINNT\apimt32.exe
O4 - HKLM\..\RunOnce: [ntzx32.exe] C:\WINNT\system32\ntzx32.exe
O4 - HKLM\..\RunOnce: [addzf.exe] C:\WINNT\addzf.exe
O4 - HKLM\..\RunOnce: [ntil32.exe] C:\WINNT\ntil32.exe
O4 - HKLM\..\RunOnce: [sysmb.exe] C:\WINNT\system32\sysmb.exe
O4 - HKLM\..\RunOnce: [atlqf32.exe] C:\WINNT\system32\atlqf32.exe
O4 - HKLM\..\RunOnce: [sdkup32.exe] C:\WINNT\sdkup32.exe
O4 - HKLM\..\RunOnce: [ippa.exe] C:\WINNT\ippa.exe
O4 - HKLM\..\RunOnce: [sysgp.exe] C:\WINNT\sysgp.exe
O4 - HKLM\..\RunOnce: [mshp.exe] C:\WINNT\mshp.exe
O4 - HKLM\..\RunOnce: [atlem32.exe] C:\WINNT\system32\atlem32.exe
O4 - HKLM\..\RunOnce: [d3rd.exe] C:\WINNT\system32\d3rd.exe
O4 - HKLM\..\RunOnce: [ipen.exe] C:\WINNT\system32\ipen.exe
O4 - HKLM\..\RunOnce: [netfn.exe] C:\WINNT\netfn.exe
O4 - HKLM\..\RunOnce: [msot32.exe] C:\WINNT\msot32.exe
O4 - HKLM\..\RunOnce: [ntto32.exe] C:\WINNT\ntto32.exe
O4 - HKLM\..\RunOnce: [sdkmj.exe] C:\WINNT\system32\sdkmj.exe
O4 - HKLM\..\RunOnce: [mfcrd32.exe] C:\WINNT\system32\mfcrd32.exe
O4 - HKLM\..\RunOnce: [crlo32.exe] C:\WINNT\crlo32.exe
O4 - HKLM\..\RunOnce: [atlar32.exe] C:\WINNT\atlar32.exe
O4 - HKLM\..\RunOnce: [addvv32.exe] C:\WINNT\addvv32.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O23 - Service: Remote Procedure Call (RPC) Helper ( 11F??#????`I) - Unknown owner - C:\WINNT\mfcmu.exe" /s (file missing)


Delete the following files/folders:
(Note: If successful, many of these may have been deleted by Ewido)
C:\WINNT\addvv32.dll
C:\WINNT\system32\windv32.dll
C:\WINNT\sdkrw32.exe
C:\WINNT\system32\sdkal32.exe
C:\WINNT\ntov32.exe
C:\WINNT\appma32.exe
C:\WINNT\mfcmu.exe
C:\WINNT\system32\atlkh.exe
C:\WINNT\system32\ntgq32.exe
C:\WINNT\system32\addth.exe
C:\WINNT\system32\javazl32.exe
C:\WINNT\addaj32.exe
C:\WINNT\system32\ntfp32.exe
C:\WINNT\appkl32.exe
C:\WINNT\appga32.exe
C:\WINNT\system32\ipqw32.exe
C:\WINNT\system32\sdkff.exe
C:\WINNT\system32\winod32.exe
C:\WINNT\system32\iegj32.exe
C:\WINNT\iprf32.exe
C:\WINNT\system32\d3bd32.exe
C:\WINNT\mfcst32.exe
C:\WINNT\mfcyq.exe
C:\WINNT\mfcmf.exe
C:\WINNT\apimt32.exe
C:\WINNT\system32\ntzx32.exe
C:\WINNT\addzf.exe
C:\WINNT\ntil32.exe
C:\WINNT\system32\sysmb.exe
C:\WINNT\system32\atlqf32.exe
C:\WINNT\sdkup32.exe
C:\WINNT\ippa.exe
C:\WINNT\sysgp.exe
C:\WINNT\mshp.exe
C:\WINNT\system32\atlem32.exe
C:\WINNT\system32\d3rd.exe
C:\WINNT\system32\ipen.exe
C:\WINNT\netfn.exe
C:\WINNT\msot32.exe
C:\WINNT\ntto32.exe
C:\WINNT\system32\sdkmj.exe
C:\WINNT\system32\mfcrd32.exe
C:\WINNT\crlo32.exe
C:\WINNT\atlar32.exe
C:\WINNT\addvv32.exe
C:\WINNT\mfcmu.exe



7. Double click on the AboutBuster tool I had you download earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the *Save log* button. I will want a copy of that log after all steps are completed here.

8. Scan with Adaware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

10. Reboot to normal mode, scan again with Hijack This and post a new log here.

11. NOTE: Two, possibly three or four, files may have been deleted from your computer by the hijacker and may need to be replaced.

Control.exe
Shell.dll
SDHelper.dll (if you are using Spybot Search & Destroy)
Hosts file (no extension)

If control.exe, shell.dll or SDHelper is missing
Go here: http://spywareinfo.c...n/winfiles.html and download the needed file.

For a missing Hosts file:
Download Hoster from here: http://members.aol.c...dbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
http://www.spywarein...s.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

12. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.
Quote:

ActiveX controls and plug-ins
* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)

13. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review
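The indicators LoPhatPhuud is acting on in the post above (search and start pages redirected into a local res:// DLL resource, BHOs carrying only the generic name "Class", a long run of RunOnce entries launching random-named files straight out of the Windows directory, and a service with an unknown owner and a missing binary) can be checked mechanically rather than by eye. The Python script below is an added example, not code from this thread or from the HijackThis project: it parses a constructed sample made of lines quoted in this thread (plus a few benign entries for contrast) and reports every entry that trips one of those indicators. The rules are my own heuristics, not HijackThis logic, and they will produce false positives on legitimate software, so the output is a starting point for review rather than a verdict.

```python
"""Triage a HijackThis log for the browser-hijack indicators discussed in this thread."""
import ntpath
import re

# Constructed sample: lines quoted in this thread, plus a Norton BHO, the ccApp
# Run entry and the NVIDIA service as benign controls.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Class - {5A3F2321-6D27-105E-27CD-C0C38D626EDD} - C:\WINNT\addvv32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [mfcmu.exe] C:\WINNT\mfcmu.exe
O4 - HKLM\..\RunOnce: [atlkh.exe] C:\WINNT\system32\atlkh.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F??#????`I) - Unknown owner - C:\WINNT\mfcmu.exe" /s (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# Directories the CWS variant in this thread dropped its files into.
WINDOWS_DIRS = {r"c:\winnt", r"c:\winnt\system32", r"c:\windows", r"c:\windows\system32"}

R_LINE = re.compile(r"^(R[0-3]) - (.+?)\s*=\s*(.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O23_LINE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")


def command_target(command: str) -> str:
    """Return the executable path from an O4 command string (quoted, or the first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def in_windows_dir(path: str) -> bool:
    """True when the file sits directly in the Windows or System32 directory."""
    return ntpath.dirname(path).lower().rstrip("\\") in WINDOWS_DIRS


def triage_line(line: str):
    """Return a reason string if the entry matches an indicator, otherwise None."""
    m = R_LINE.match(line)
    if m:
        value = m.group(3).lower()
        if value.startswith("res://") and ".dll" in value:
            return "search/start page redirected into a local DLL resource (res://)"
        return None
    m = O2_LINE.match(line)
    if m:
        name, _clsid, dll = m.groups()
        if name.strip() == "Class" and in_windows_dir(dll):
            return "BHO with generic name 'Class' loading a DLL from the Windows directory"
        return None
    m = O4_LINE.match(line)
    if m:
        _hive, key, _label, command = m.groups()
        # RunOnce is normally empty on a healthy machine; dozens of entries
        # pointing into C:\WINNT is the pattern seen in this thread.
        if key == "RunOnce" and in_windows_dir(command_target(command)):
            return "RunOnce entry launching an executable from the Windows directory"
        return None
    m = O23_LINE.match(line)
    if m:
        _name, owner, path = m.groups()
        if owner == "Unknown owner" or "(file missing)" in path:
            return "service with unknown owner or missing binary"
        return None
    return None


def triage(log_text: str):
    """Return [(line, reason)] for every log line that trips an indicator."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = triage_line(line) if line else None
        if reason:
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it against a full log saved by HijackThis by reading the file into `triage()`; each hit prints the reason first and the offending line indented beneath it, which keeps the review readable even on a log with forty RunOnce entries like the one above.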

#6 hrdwds

hrdwds

    New Member

  • Member
  • 4 posts

Posted 10 July 2005 - 07:14 PM

QUOTE (LoPhatPhuud @ Jul 9 2005, 09:54 PM)

Logfile of HijackThis v1.99.1
Scan saved at 3:12:39 PM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FDFA5EAF-F285-22C0-D241-E5C772FB3434} - C:\WINNT\netrh32.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] .C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] .C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] .SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] ."C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [javaeq32.exe] C:\WINNT\javaeq32.exe
O4 - HKLM\..\Run: [sdkrg32.exe] C:\WINNT\system32\sdkrg32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchan...ectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchan...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchan...ol/IRCSharc.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

AboutBuster seems to be corrupt

#7 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • General Admin
  • 15,731 posts

Posted 10 July 2005 - 08:01 PM

Perhaps a corrupted download on About:Buster. The file from the link I provided was fine. It's not really needed now.

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'C:\Program Files\Hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
O2 - BHO: Class - {FDFA5EAF-F285-22C0-D241-E5C772FB3434} - C:\WINNT\netrh32.dll (file missing)

O4 - HKLM\..\Run: [javaeq32.exe] C:\WINNT\javaeq32.exe
O4 - HKLM\..\Run: [sdkrg32.exe] C:\WINNT\system32\sdkrg32.exe


Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\WINNT\javaeq32.exe
C:\WINNT\system32\sdkrg32.exe

*How to Boot into Safe mode: http://service1.syma...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.n...1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.
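The back-and-forth in this thread is a loop: post a log, remove entries, reboot, post a new log, and let the helper work out which entries vanished, which survived, and which appeared under new random names (here netrh32.dll, javaeq32.exe and sdkrg32.exe replaced the earlier mmlmv.dll and sdkrw32.exe). The Python script below is an added example, not code from this thread or from HijackThis, that does that comparison over two constructed, abbreviated logs built from entries quoted above. It classifies entries as removed, persisting or new, and separately lists new entries whose target file is already gone, which is what a registry entry left behind after the file was deleted looks like in a log.

```python
"""Compare two HijackThis logs to see what a cleanup pass actually changed."""
import re

# Entry lines start with a section code such as R1, O2, O4, O23; the header
# and the "Running processes" path list do not.
ENTRY = re.compile(r"^[RFNO]\d+ - ")

# Constructed "before" and "after" logs, abbreviated from the ones posted in
# this thread to a few representative entries.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\sdkrw32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\mmlmv.dll/sp.html#37049
O2 - BHO: Class - {5A3F2321-6D27-105E-27CD-C0C38D626EDD} - C:\WINNT\addvv32.dll
O4 - HKLM\..\Run: [sdkrw32.exe] C:\WINNT\sdkrw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Class - {FDFA5EAF-F285-22C0-D241-E5C772FB3434} - C:\WINNT\netrh32.dll (file missing)
O4 - HKLM\..\Run: [javaeq32.exe] C:\WINNT\javaeq32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""


def entries(log_text: str) -> set:
    """Return the set of R*/F*/N*/O* entry lines, skipping the header and process list."""
    return {ln.strip() for ln in log_text.splitlines() if ENTRY.match(ln.strip())}


def diff_logs(before: str, after: str) -> dict:
    """Classify entries as removed, persisting or new.

    'orphaned' lists new entries whose target HijackThis already reports as
    '(file missing)': a registry entry left behind after its file was deleted.
    """
    b, a = entries(before), entries(after)
    new = a - b
    return {
        "removed": sorted(b - a),
        "persisting": sorted(a & b),
        "new": sorted(new),
        "orphaned": sorted(e for e in new if "(file missing)" in e),
    }


if __name__ == "__main__":
    for bucket, lines in diff_logs(BEFORE_LOG, AFTER_LOG).items():
        print(f"== {bucket} ({len(lines)})")
        for line in lines:
            print("   ", line)
```

Entries are compared as exact strings because HijackThis prints them deterministically; the "new" bucket is the one worth reading closely after a cleanup, since the thread shows the infection reappearing under fresh random file names rather than the ones that were just fixed.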

#8 hrdwds

hrdwds

    New Member

  • Member
  • 4 posts

Posted 11 July 2005 - 12:44 AM

QUOTE (LoPhatPhuud @ Jul 10 2005, 08:01 PM)

Logfile of HijackThis v1.99.1
Scan saved at 8:42:37 PM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] .C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] .C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] .SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] ."C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchan...ectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchan...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchan...ol/IRCSharc.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hope this works...this has been a learning experience for me!!!!

#9 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • General Admin
  • 15,731 posts

Posted 11 July 2005 - 12:54 AM

At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and Internet Explorer. This includes SP1 and SP2 if you use Windows XP. The first defense against infection is a properly patched Operating System.
a. Windows Update: http://v5.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Select Internet Options from the Control Panel, or from Internet Explorer (Tools -> Internet Options)
Press 'default level', then OK
Now press "Custom Level."

In the ActiveX controls and plug-ins section set these options:
'Download signed ActiveX controls' - Prompt
'Download unsigned ActiveX controls' - Disable
'Initialize and script ActiveX controls not marked as safe' - Disable
All other options accept the default

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacools...areblaster.html
b. IE/Spyad: https://netfiles.uiu...ww/resource.htm
c. BHODemon: http://www.definitiv...om/bhodemon.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing one of the following:
a. Microsoft AntiSpyware: http://www.microsoft...re/default.mspx
NOTE: MS AntiSpyware only runs on Windows 2000, XP, and 2003.
b. Spybot S&D: http://security.koll...n&page=download
c. AdAware: http://www.lavasoft.de/

Use these programs to regularly scan your system for and remove many forms of spyware/malware. I recommend and use Microsoft AntiSpyware.

If you use, or plan on using, additional spyware/malware detection and/or removal programs, please check Items 8 and 9.

5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Clean Temporary Files and Folders
Download and install the disk cleanup utility called Cleanup! from here:
http://cleanup.stevengould.org/
http://www.hijackthi.../CleanUp312.exe

Cleanup! will get rid of any malware which may be hiding in your temp folders (a common hiding place). You may also regain a massive amount of disk space.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Run the disk cleanup utility called Cleanup! that you have already downloaded and installed
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin.
Then reboot into normal mode to let it clean out the remaining files.


8. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewa...nti-spyware.htm

9. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://www.spywarewa...-test-guide.htm

10. Alternate Browser
Consider using an alternate browser as your default. I recommend and use Firefox as my primary browser. It is still necessary to keep Internet Explorer current and protected in order to use Windows Update.


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.
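The ActiveX settings from step 2 of the reply above can be verified from the registry instead of clicking through the Internet Options dialog. This is an added audit script, not code from the post or from any of the tools it mentions; it assumes Windows PowerShell 5 or later, and the function name Test-InternetZoneActiveX is the example's own, while the zone registry paths and value numbers are the standard Internet Explorer zone layout.

```powershell
# Added audit script (not from the forum post). Checks the Internet zone (zone 3)
# ActiveX settings against the three values recommended in step 2 of the reply.
# Value names follow the documented zone layout:
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1201 = Initialize and script ActiveX controls not marked as safe for scripting
# Data: 0 = Enable, 1 = Prompt, 3 = Disable.
# Caveat: when the Security_HKLM_only policy is set, the HKLM values are the ones in force.

$zoneUser    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zoneMachine = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$labels      = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)

function Test-InternetZoneActiveX {
    [CmdletBinding()]
    param([switch]$Fix)   # -Fix writes the recommended value for any setting that is off

    foreach ($s in $recommended) {
        # The per-user value applies first; fall back to the machine value if it is absent.
        $current = Get-ItemPropertyValue -Path $zoneUser -Name $s.Id -ErrorAction SilentlyContinue
        if ($null -eq $current) {
            $current = Get-ItemPropertyValue -Path $zoneMachine -Name $s.Id -ErrorAction SilentlyContinue
        }
        $ok = ($current -eq $s.Want)
        if (-not $ok -and $Fix) {
            if (-not (Test-Path $zoneUser)) { New-Item -Path $zoneUser -Force | Out-Null }
            Set-ItemProperty -Path $zoneUser -Name $s.Id -Value $s.Want -Type DWord
            $current = $s.Want; $ok = $true
        }
        $label = if ($null -eq $current) { 'not set' }
                 elseif ($labels.ContainsKey([int]$current)) { $labels[[int]$current] }
                 else { "unknown ($current)" }
        [pscustomobject]@{
            Setting     = $s.Name
            Current     = $label
            Recommended = $labels[$s.Want]
            OK          = $ok
        }
    }
}

# Report only; add -Fix to write the recommended values for the current user.
Test-InternetZoneActiveX | Format-Table -AutoSize
```

Running it after applying step 2 should show OK = True on all three rows; a False row means the dialog change did not take or a machine-wide value is overriding it.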

