Full Version: Please help
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Rocit
Hi all,

I have been trying for weeks to get rid of this "about:blank". I am just not able to do it. Please, can you help me?

Here is the log:


Logfile of HijackThis v1.97.7
Scan saved at 10:23:37 AM, on 2/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Q319580.log:culow
C:\Program Files\Windows AdStatus\WinStat.exe
C:\windows\system32\LYCf.exe
C:\WINDOWS\system32\atlwa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\WINDOWS\system32\LYCf.exe
C:\Documents and Settings\User\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
O2 - BHO: (no name) - {AE5B7BC1-9D3F-286F-AC0A-AFD0279261F7} - C:\WINDOWS\d3vg32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [LYCf.exe] C:\windows\system32\LYCf.exe
O4 - HKLM\..\Run: [atlwa.exe] C:\WINDOWS\system32\atlwa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: AOL Instant Messenger ™ (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Thank you,
RC
LoPhatPhuud
You are using an old version of HiJackThis.
Please download and install the new version (199.0) from one of the following links:
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/

Run HiJackThis-199.0 and post the new log in this thread.
Rocit
Sorry, I assumed that all the downloads you all offered had the new version. But I do have it now; I was not able to get it from the one on your first selection. But here is the new log:

Thanks very much for your help.
rc


Logfile of HijackThis v1.99.1
Scan saved at 1:27:51 PM, on 2/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Q319580.log:culow
C:\Program Files\Windows AdStatus\WinStat.exe
C:\windows\system32\LYCf.exe
C:\WINDOWS\system32\atlwa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\WINDOWS\system32\LYCf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\DOCUME~1\User\LOCALS~1\Temp\Temporary Directory 1 for hijackthis1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AE5B7BC1-9D3F-286F-AC0A-AFD0279261F7} - C:\WINDOWS\d3vg32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [LYCf.exe] C:\windows\system32\LYCf.exe
O4 - HKLM\..\Run: [atlwa.exe] C:\WINDOWS\system32\atlwa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS\Q319580.log:culow.exe (file missing)
LoPhatPhuud
First:
Please download and install ADS spy from here:
http://www.bleepingcomputer.com/files/adsspy.php

Take the time to read the instructions at that website.

Be sure the 'Quick Scan' option is checked, then press the 'Scan ...' button.

Copy the results and post them in this thread.


Second:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {AE5B7BC1-9D3F-286F-AC0A-AFD0279261F7} - C:\WINDOWS\d3vg32.dll

O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [LYCf.exe] C:\windows\system32\LYCf.exe
O4 - HKLM\..\Run: [atlwa.exe] C:\WINDOWS\system32\atlwa.exe

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS\Q319580.log:culow.exe (file missing)


Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\windows\system32\LYCf.exe
C:\WINDOWS\system32\atlwa.exe
C:\WINDOWS\pmmoy.dll
C:\WINDOWS\d3vg32.dll
C:\Program Files\Windows AdStatus\
C:\WINDOWS\SYSTEM32\igfxsrvc.dll
C:\WINDOWS\zeta.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.


Third:
Download DelDomains.inf from here:

www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

When it's finished, your IE Zones will be reset. That will make it necessary to re-install protection using SpywareBlaster and to re-install IE/Spyads, if you use them.


Last:
Run HiJackThis again and post a new log in this thread.
Rocit
:o Hi LoPhatPhuud,

I tried to download your first request, ADS. WinZip kept trying to open it and kept running me around in a circle, redoing the same stuff over and over. So I finally gave up on that one and tried to go to the second request, which was to run HijackThis. My folder "My Computer" would not open. It kept freezing the computer. I tried this about 5 times. I also tried to do a search/find but that too would not open. The only thing that would open was the internet page. So right now I am not able to get to HijackThis from my folder.

This morning I tried to do it all over again, thinking this computer needed a rest. But this morning it is the same thing, only I couldn't even click on anything; nothing was opening. So I restarted again and things started clicking. After it froze on me twice while trying to open "My Computer" on a restart, I ran Norton AntiVirus and made a few fixes.

Any suggestions on what I should do now, or with this new problem? Also, all of a sudden this computer is running really slow.

I just tried to download HijackThis again but again the WinZip wizard will not let me go further with a thing.

Thanks, rc
LoPhatPhuud
Run your antivirus and do a full system scan, including inside compressed files.

Then remove and re-install WinZip and see if that makes a difference.
Rocit
>_< I am in such a jam now. I did as you said. I have Norton and I ran that and did the fixes. Then I un-installed WinZip and installed it again and downloaded the new version of HijackThis. I was able to get rid of the things you said. Then I went back to do some of the other stuff you said to do and now I am in the same boat, but worse. I have run Norton now about 5 times. Un-installed/installed WinZip. I am not able to open "My Computer", Find, HijackThis, etc., etc. I am able to open up Norton, Ad-Aware and the internet only after I reboot, if I have tried to open up other folders or files.

I have no idea where to go from here. I also tried to open HijackThis by redownloading it from the internet, hoping it would open automatically. But WinZip is not letting me do that either. It seems to me to keep interfering.

My other problem is that my computer is running really slow. It is taking about 45 seconds for the internet page, or any of the other pages, to open.

Sorry for the extra problems. But I just don't know what to do.

Thank you LoPhatPhuud,
LoPhatPhuud
If there is a folder C:\Program Files\MKC001\, boot into Safe Mode and delete it. Then see if you can open any folders.
Rocit
:( I did not find that folder.

I did find a folder that says:
c:\windows\system32\igfxsrvc.dll\reinstall

Am I supposed to have that one?

tu
LoPhatPhuud
You do not want to delete c:\windows\system32\igfxsrvc.dll

That file is needed.

You should be clean now!!!
Rocit
Hmmmm, how am I clean if about:blank is still controlling my home page and I can't open HJT?

rc
LoPhatPhuud
Well, it really is hard to do anything when I don't have the HiJackThis log I had requested. All I could do was assume it was clean.

So, if you want continued help, post a new HiJackThis log.
Rocit
hi,

I am sorry, but I am pulling out my hair with this computer. I finally figured out a way to get you a HJT log. I am still not able to open "My Computer", "My Documents" and such. What I was able to do, however, was run HJT while in safe mode, copy and paste the log into Word and open it from my desktop. So far that is the only thing that is working for me.

Also, when I go to shut down the computer I get two windows that are still running. I don't think they are supposed to be there. One is tfswctrl.exe and the other is qbagent2001.

Anyway, I am happy to get a log to you,

Thank you,


Logfile of HijackThis v1.99.1
Scan saved at 1:11:51 PM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User\My Documents\HJT99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B74FC677-1BFA-DEF5-DEB7-DBD24D544D78} - C:\WINDOWS\apiqv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [apptq.exe] C:\WINDOWS\system32\apptq.exe
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
O4 - HKLM\..\Run: [nwiz] C:\hp\drivers\video\Nforce\nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Network Security Service (NSS) ( %AF ) - Unknown owner - C:\WINDOWS\Q319580.log:culow.exe (file missing)
LoPhatPhuud
1. Download AboutBuster here:
http://www.malwarebytes.biz/AboutBuster.zip

Unzip it to your desktop but don't run it yet; we'll do that later on down in this list in SAFE MODE.

2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.

3. Make sure your PC is configured to show hidden files

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

4. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called 'Network Security Service' or 'Remote Procedure Call (RPC) Helper' or 'Workstation NetLogon Service'. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

5. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

6. Scan with Hijack This (current version is 198.2) and put checks next to all the following, then click "Fix Checked".
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qaasm.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {B74FC677-1BFA-DEF5-DEB7-DBD24D544D78} - C:\WINDOWS\apiqv.dll

O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [apptq.exe] C:\WINDOWS\system32\apptq.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O23 - Service: Network Security Service (NSS) ( %AF ) - Unknown owner - C:\WINDOWS\Q319580.log:culow.exe (file missing)

Delete the following files/folders:
C:\WINDOWS\qaasm.dll
C:\WINDOWS\apiqv.dll
C:\Program Files\Windows AdStatus\
C:\WINDOWS\system32\apptq.exe
C:\WINDOWS\Q319580.log:culow.exe

7. Double click on the AboutBuster tool I had you download earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the *Save log* button. I will want a copy of that log after all steps are completed here.

8. Scan with Adaware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

10. Reboot to normal mode, scan again with Hijack This and post a new log here.

11. NOTE: Two, possibly three or four, files may have been deleted from your computer by the hijacker and may need to be replaced.

Control.exe
Shell.dll
SDHelper.dll (if you are using Spybot Search & Destroy)
Hosts file (no extension)

If control.exe, shell.dll or SDHelper is missing
Go here: http://spywareinfo.com/~merijn/winfiles.html and download the needed file.

For a missing Hosts file:
Download Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

12. Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.
Quote:

ActiveX controls and plug-ins
* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)

13. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com



Second:
Download DelDomains.inf from here:

www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

When it's finished, your IE Zones will be reset. That will make it necessary to re-install protection using SpywareBlaster and to re-install IE/Spyads, if you use them.



Third:
Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review


Fourth:
Start HiJackThis (version 199.1 or later)

Press 'Config' -> 'Misc Tools' -> 'Open ADS Spy...'

Be sure the first two boxes are checked and the third is not checked

Press 'Scan'

When finished, press 'Save Log...'

Copy the log and post it in this thread.
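The two fix lists above are hand-built from the same handful of HijackThis line shapes: res:// search pages pointing at a DLL in the Windows folder, an unnamed BHO, Run values named after a random EXE, Trusted Zone additions, and a service whose binary lives in an NTFS alternate data stream (the `Q319580.log:culow` entry). The script below is an added example, not HijackThis code and not the helper's own tooling; the heuristics and the constructed log excerpt are mine, assembled from lines quoted in this thread, and its output is a review list for a human rather than something to delete from automatically.

```python
"""Triage a HijackThis log for the CoolWebSearch "about:blank" indicators in this
thread. Added example: not HijackThis code and not the helper's own tooling. It
reads the R0/R1/R3, O2, O4, O15 and O23 line shapes HijackThis emits and flags
what the helper acted on: res:// pages served from a local DLL, a forced
about:blank start page, unnamed BHOs, Run values named after an EXE dropped into
Windows or System32, Trusted Zone additions, and services whose binary sits in an
NTFS alternate data stream (a second ':' in the path) or is missing. The output
is a review list for a human, not a delete list."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, or "process" for the process list
    reason: str
    line: str


ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RES_DLL_RE = re.compile(r"res://(?:[A-Za-z]:\\)?(?:[^/\\]+\\)*(?P<dll>[^/\\]+\.dll)/", re.I)
# Drive letter, then a path whose file name is followed by a second ':' -> ADS.
ADS_RE = re.compile(r"[A-Za-z]:\\[^:\s]+\.\w+:\w+")
RUN_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s*"?(?P<path>[^"]+?\.exe)\b', re.I)
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Constructed excerpt of the logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Q319580.log:culow

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pmmoy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AE5B7BC1-9D3F-286F-AC0A-AFD0279261F7} - C:\WINDOWS\d3vg32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LYCf.exe] C:\windows\system32\LYCf.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINDOWS\Q319580.log:culow.exe (file missing)
"""


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for one log line."""
    line = line.strip()
    found: list[Finding] = []
    m = ENTRY_RE.match(line)
    section = m.group("code") if m else "process"
    body = m.group("body") if m else line
    # Any line: "file.ext:stream" means the binary lives in an ADS.
    if ADS_RE.search(body):
        found.append(Finding(section, "binary hidden in an NTFS alternate data stream", line))
    if not m:
        return found
    if section in ("R0", "R1", "R3"):
        res = RES_DLL_RE.search(body)
        if res:
            found.append(Finding(section, f"IE search/start page served from local DLL {res.group('dll')}", line))
        if "about:blank" in body.lower():
            found.append(Finding(section, "start page forced to about:blank", line))
        if "URLSearchHook is missing" in body:
            found.append(Finding(section, "default URLSearchHook removed", line))
    elif section == "O2" and body.startswith("BHO: (no name)"):
        found.append(Finding(section, "browser helper object with no name", line))
    elif section == "O4":
        run = RUN_RE.search(body)
        # CWS droppers register a random-named EXE under its own file name; a
        # vendor entry such as [IgfxTray] igfxtray.exe does not match this.
        if run and (run.group("name").lower() == ntpath.basename(run.group("path")).lower()
                    and ntpath.dirname(run.group("path")).lower() in SYSTEM_DIRS):
            found.append(Finding(section, "Run value named after an EXE dropped into the Windows folder", line))
    elif section == "O15":
        found.append(Finding(section, "site or IP added to the IE Trusted Zone", line))
    elif section == "O23":
        if "Unknown owner" in body:
            found.append(Finding(section, "service binary with no publisher", line))
        if "(file missing)" in body:
            found.append(Finding(section, "service points at a missing file", line))
    return found


def triage_log(text: str) -> list[Finding]:
    return [f for line in text.splitlines() for f in triage_line(line)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Findings per section: a quick read on how deep the hijack goes."""
    return dict(Counter(f.section for f in findings))


def hijacked_dlls(findings: list[Finding]) -> set[str]:
    """DLLs behind res:// hijacks: the files to quarantine for analysis."""
    return {m.group("dll").lower() for f in findings for m in [RES_DLL_RE.search(f.line)] if m}


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it flags the same items the helper listed and leaves the Norton BHO, ccApp and the Intel tray entry alone; the `(file missing)` note on the ADS service is expected once the stream has been removed but the service registration has not.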
Rocit
Hi LoPhatPhuud,

Wow. That is a lot to do.

I was not again able to get into "My Computer", so as before I copied and pasted the HJT log while in safe mode and to the desktop.

I downloaded both "hoster" and "control.exe". They are both on my desktop but I am having trouble opening them with WinZip.

I went to http://housecall.antivirus.com to do the free scan and it was only supported by Explorer, which gave me a window saying that it was taken over by "nlpt.dll" and had to close. Now Explorer will not stay open for me to try it again.

I am not sure how to get in to see the "ActiveX" controls.

Here are the following logs. First is the HJT; second is the "buster". I will finish the rest that you asked me to do in my next post.

Logfile of HijackThis v1.99.1
Scan saved at 9:09:01 AM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User\My Documents\HJT99\HijackThis.exe

O2 - BHO: (no name) - {6F8A1992-AF2F-5DB6-2B3E-65738F300B53} - C:\WINDOWS\system32\ntlp32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
O4 - HKLM\..\Run: [nwiz] C:\hp\drivers\video\Nforce\nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Network Security Service ( 6Q '8) - Unknown owner - C:\WINDOWS\system32\atlzi.exe


OK... my "buster" log did not turn out like i wanted. i will just post this one for now so that i don't lose it.

thanks, rc
Rocit
hi, i am back with the following logs. i had to do everything in "safe mode". also i tried to do the deldomains.inf download and was unable to get it to work.

this CWS hijacker, is it related to cwshredder? should i get rid of it?


buster log:

Scanned at: 5:13:11 PM on: 2/28/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19


Removed Data Streams:
C:\WINDOWS\001246_.tmp:zlltt
C:\WINDOWS\BcdSetup.log:uohrj
C:\WINDOWS\cdPlayer.ini:eomna
C:\WINDOWS\control.ini:lcjed
C:\WINDOWS\EReg196.dat:ymkam
C:\WINDOWS\GoogleToolbar.dll:jawia
C:\WINDOWS\hegames.ini:ubgnu
C:\WINDOWS\hpfsched.exe:uohiu
C:\WINDOWS\ieuninst(2).exe:aolic
C:\WINDOWS\ieuninst.exe:aolic
C:\WINDOWS\mdm(10).ini:gmjid
C:\WINDOWS\mdm(11).ini:gmjid
C:\WINDOWS\mdm(13).ini:gmjid
C:\WINDOWS\mdm(14).ini:gmjid
C:\WINDOWS\mdm(16).ini:gmjid
C:\WINDOWS\mdm(17).ini:gmjid
C:\WINDOWS\mdm(19).ini:gmjid
C:\WINDOWS\mdm(2).ini:gmjid
C:\WINDOWS\mdm(20).ini:gmjid
C:\WINDOWS\mdm(21).ini:gmjid
C:\WINDOWS\mdm(22).ini:gmjid
C:\WINDOWS\mdm(23).ini:gmjid
C:\WINDOWS\mdm(3).ini:gmjid
C:\WINDOWS\mdm(4).ini:gmjid
C:\WINDOWS\mdm(5).ini:gmjid
C:\WINDOWS\mdm(7).ini:gmjid
C:\WINDOWS\mdm(8).ini:gmjid
C:\WINDOWS\mdm(9).ini:gmjid
C:\WINDOWS\nsreg.dat:vcztw
C:\WINDOWS\ntdtcsetup.log:odsgq
C:\WINDOWS\orun32(10).isu:rupxe
C:\WINDOWS\orun32(11).isu:rupxe
C:\WINDOWS\orun32(13).isu:rupxe
C:\WINDOWS\orun32(15).isu:rupxe
C:\WINDOWS\orun32(16).isu:rupxe
C:\WINDOWS\orun32(17).isu:rupxe
C:\WINDOWS\orun32(19).isu:rupxe
C:\WINDOWS\orun32(2).isu:rupxe
C:\WINDOWS\orun32(20).isu:rupxe
C:\WINDOWS\orun32(21).isu:rupxe
C:\WINDOWS\orun32(22).isu:rupxe
C:\WINDOWS\orun32(4).isu:rupxe
C:\WINDOWS\orun32(5).isu:rupxe
C:\WINDOWS\orun32(6).isu:rupxe
C:\WINDOWS\orun32(8).isu:rupxe
C:\WINDOWS\orun32(9).isu:rupxe
C:\WINDOWS\Q308387.log:nwlvv
C:\WINDOWS\Q315000.log:rtxyi
C:\WINDOWS\Q320174.log:qzcjn
C:\WINDOWS\Q320678.log:wyxps
C:\WINDOWS\Q323255.log:jzvoh
C:\WINDOWS\Q329390.log:ewnpz
C:\WINDOWS\Q331953.log:qqsxj
C:\WINDOWS\Q810577.log:onedl
C:\WINDOWS\Q817287.log:lsovh
C:\WINDOWS\QFN.ini:etyab
C:\WINDOWS\REGLOCS.OLD:nkvra
C:\WINDOWS\SchedLgU.Txt:kymsl
C:\WINDOWS\TASKMAN.EXE:ljlzi
C:\WINDOWS\WMSysPrx.prx:jrlfb


Removed 6 Random Key Entries
Removed! : C:\WINDOWS\awyma.dat
Removed! : C:\WINDOWS\cxobx.dat
Removed! : C:\WINDOWS\iyxmg.dat
Removed! : C:\WINDOWS\tccoh.dat
Removed! : C:\WINDOWS\wlege.dat
Removed! : C:\WINDOWS\system32\aefsw.dat
Removed! : C:\WINDOWS\system32\axxvk.dat
Removed! : C:\WINDOWS\system32\chotx.dat
Removed! : C:\WINDOWS\system32\dheqq.dat
Removed! : C:\WINDOWS\system32\diqoo.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19


Removed Data Streams:
C:\WINDOWS\001246_.tmp:zlltt
C:\WINDOWS\BcdSetup.log:uohrj
C:\WINDOWS\cdPlayer.ini:eomna
C:\WINDOWS\control.ini:lcjed
C:\WINDOWS\EReg196.dat:ymkam
C:\WINDOWS\GoogleToolbar.dll:jawia
C:\WINDOWS\hegames.ini:ubgnu
C:\WINDOWS\hpfsched.exe:uohiu
C:\WINDOWS\ieuninst(2).exe:aolic
C:\WINDOWS\ieuninst.exe:aolic
C:\WINDOWS\mdm(10).ini:gmjid
C:\WINDOWS\mdm(11).ini:gmjid
C:\WINDOWS\mdm(13).ini:gmjid
C:\WINDOWS\mdm(14).ini:gmjid
C:\WINDOWS\mdm(16).ini:gmjid
C:\WINDOWS\mdm(17).ini:gmjid
C:\WINDOWS\mdm(19).ini:gmjid
C:\WINDOWS\mdm(2).ini:gmjid
C:\WINDOWS\mdm(20).ini:gmjid
C:\WINDOWS\mdm(21).ini:gmjid
C:\WINDOWS\mdm(22).ini:gmjid
C:\WINDOWS\mdm(23).ini:gmjid
C:\WINDOWS\mdm(3).ini:gmjid
C:\WINDOWS\mdm(4).ini:gmjid
C:\WINDOWS\mdm(5).ini:gmjid
C:\WINDOWS\mdm(7).ini:gmjid
C:\WINDOWS\mdm(8).ini:gmjid
C:\WINDOWS\mdm(9).ini:gmjid
C:\WINDOWS\nsreg.dat:vcztw
C:\WINDOWS\ntdtcsetup.log:odsgq
C:\WINDOWS\orun32(10).isu:rupxe
C:\WINDOWS\orun32(11).isu:rupxe
C:\WINDOWS\orun32(13).isu:rupxe
C:\WINDOWS\orun32(15).isu:rupxe
C:\WINDOWS\orun32(16).isu:rupxe
C:\WINDOWS\orun32(17).isu:rupxe
C:\WINDOWS\orun32(19).isu:rupxe
C:\WINDOWS\orun32(2).isu:rupxe
C:\WINDOWS\orun32(20).isu:rupxe
C:\WINDOWS\orun32(21).isu:rupxe
C:\WINDOWS\orun32(22).isu:rupxe
C:\WINDOWS\orun32(4).isu:rupxe
C:\WINDOWS\orun32(5).isu:rupxe
C:\WINDOWS\orun32(6).isu:rupxe
C:\WINDOWS\orun32(8).isu:rupxe
C:\WINDOWS\orun32(9).isu:rupxe
C:\WINDOWS\Q308387.log:nwlvv
C:\WINDOWS\Q315000.log:rtxyi
C:\WINDOWS\Q320174.log:qzcjn
C:\WINDOWS\Q320678.log:wyxps
C:\WINDOWS\Q323255.log:jzvoh
C:\WINDOWS\Q329390.log:ewnpz
C:\WINDOWS\Q331953.log:qqsxj
C:\WINDOWS\Q810577.log:onedl
C:\WINDOWS\Q817287.log:lsovh
C:\WINDOWS\QFN.ini:etyab
C:\WINDOWS\REGLOCS.OLD:nkvra
C:\WINDOWS\SchedLgU.Txt:kymsl
C:\WINDOWS\TASKMAN.EXE:ljlzi
C:\WINDOWS\WMSysPrx.prx:jrlfb


Attempted Clean Of Temp folder.
Pages Reset... Done!



hjt sds spy log:

C:\WINDOWS\Active Setup Log.txt : ktssxs (11592 bytes)
C:\WINDOWS\apiag(2).exe : vlzgv (96578 bytes)
C:\WINDOWS\apiag(2).exe : vmddtf (7305 bytes)
C:\WINDOWS\apiag.exe : vlzgv (103572 bytes)
C:\WINDOWS\apiag.exe : vmddtf (7305 bytes)
C:\WINDOWS\apipu32.exe : yogwpa (68096 bytes)
C:\WINDOWS\appfb.exe : gnkys (30699 bytes)
C:\WINDOWS\Clony.ini : qxhnym (11592 bytes)
C:\WINDOWS\cmsetacl.log : iyzasp (7305 bytes)
C:\WINDOWS\COM+.log : pipfx (30699 bytes)
C:\WINDOWS\comsetup.log : bzkfuz (3567 bytes)
C:\WINDOWS\comsetup.log : vrghw (11591 bytes)
C:\WINDOWS\d3th32.exe : enumqt (10919 bytes)
C:\WINDOWS\DAVIDSON.INI : fwrjwf (10919 bytes)
C:\WINDOWS\DirectX.log : ppfxno (30699 bytes)
C:\WINDOWS\einit.exe : laeaoj (10919 bytes)
C:\WINDOWS\entpack.ini : qvsdzf (11592 bytes)
C:\WINDOWS\ERegClnt.INI : cimjz (93184 bytes)
C:\WINDOWS\ERegClnt.INI : iwlibi (7471 bytes)
C:\WINDOWS\GoogleToolbar(10).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(10).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(11).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(11).dll : bpgqc (3347 bytes)
C:\WINDOWS\GoogleToolbar(11).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(12).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(12).dll : bpouxe (11736 bytes)
C:\WINDOWS\GoogleToolbar(12).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(12).dll : vosqsn (10919 bytes)
C:\WINDOWS\GoogleToolbar(13).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(13).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(14).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(14).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(14).dll : uprdf (56320 bytes)
C:\WINDOWS\GoogleToolbar(15).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(15).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(15).dll : opkvux (30699 bytes)
C:\WINDOWS\GoogleToolbar(16).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(16).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(16).dll : upgzap (7471 bytes)
C:\WINDOWS\GoogleToolbar(17).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(17).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(18).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(18).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(19).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(19).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(19).dll : mqrfuz (3567 bytes)
C:\WINDOWS\GoogleToolbar(2).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(2).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(2).dll : uyggry (30699 bytes)
C:\WINDOWS\GoogleToolbar(20).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(20).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(21).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(21).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(22).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(22).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(3).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(3).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(3).dll : leakal (10919 bytes)
C:\WINDOWS\GoogleToolbar(4).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(4).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(4).dll : xjcxqm (64000 bytes)
C:\WINDOWS\GoogleToolbar(4).dll : ykkeha (11592 bytes)
C:\WINDOWS\GoogleToolbar(5).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(5).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(6).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(6).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(7).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(7).dll : ikckjd (7471 bytes)
C:\WINDOWS\GoogleToolbar(7).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(8).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(8).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(9).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(9).dll : jawia (10919 bytes)
C:\WINDOWS\hh.exe : hhontl (30699 bytes)
C:\WINDOWS\Icg32(2).dll : rtiwa (98856 bytes)
C:\WINDOWS\Icg32(2).dll : uyzzlp (11592 bytes)
C:\WINDOWS\Icg32(3).dll : moanw (7305 bytes)
C:\WINDOWS\Icg32(3).dll : rtiwa (98856 bytes)
C:\WINDOWS\Icg32(4).dll : rtiwa (98856 bytes)
C:\WINDOWS\Icg32(5).dll : rtiwa (98856 bytes)
C:\WINDOWS\Icg32(6).dll : eopfmg (10919 bytes)
C:\WINDOWS\Icg32(6).dll : fpktr (3347 bytes)
C:\WINDOWS\Icg32(6).dll : rtiwa (98856 bytes)
C:\WINDOWS\Icg32(7).dll : rtiwa (98856 bytes)
C:\WINDOWS\Icg32(8).dll : fakkhc (7471 bytes)
C:\WINDOWS\Icg32(8).dll : rtiwa (98856 bytes)
C:\WINDOWS\Icg32.dll : rtiwa (103572 bytes)
C:\WINDOWS\Icg32.dll : xqdgt (56320 bytes)
C:\WINDOWS\ICOA.INI : mddhwq (10919 bytes)
C:\WINDOWS\ICOA.INI : whisgr (30699 bytes)
C:\WINDOWS\iecj.exe : ysvpjm (3567 bytes)
C:\WINDOWS\iekv.dll : ewvnra (30699 bytes)
C:\WINDOWS\iis6.log : pxyfnv (11592 bytes)
C:\WINDOWS\ipfb32.exe : iyrlpy (7305 bytes)
C:\WINDOWS\ipxy32.exe : azjqji (3567 bytes)
C:\WINDOWS\IsUninst(2).exe : kiwbr (11388 bytes)
C:\WINDOWS\IsUninst(2).exe : qtudk (10919 bytes)
C:\WINDOWS\izfkh.dll : lanjgv (68096 bytes)
C:\WINDOWS\jautoexp.dat : djhgt (3347 bytes)
C:\WINDOWS\jautoexp.dat : iufie (26624 bytes)
C:\WINDOWS\jautoexp.dat : pyikjx (30699 bytes)
C:\WINDOWS\javaww.exe : zmhmxt (30699 bytes)
C:\WINDOWS\javazo.exe : vztxdp (11592 bytes)
C:\WINDOWS\KB823559.log : gsmkyr (7471 bytes)
C:\WINDOWS\KB823559.log : vjzln (56320 bytes)
C:\WINDOWS\KB834707.log : ysfqab (3567 bytes)
C:\WINDOWS\KB840987.log : duhawp (68096 bytes)
C:\WINDOWS\KB841356.log : rtpvum (64000 bytes)
C:\WINDOWS\mdm(12).ini : gmjid (10919 bytes)
C:\WINDOWS\mdm(12).ini : rvtgaw (7305 bytes)
C:\WINDOWS\mdm(15).ini : gmjid (10919 bytes)
C:\WINDOWS\mdm(15).ini : jvdlcg (3567 bytes)
C:\WINDOWS\mdm(18).ini : gmjid (10919 bytes)
C:\WINDOWS\mdm(18).ini : uowzwi (68096 bytes)
C:\WINDOWS\mdm(6).ini : gmjid (10919 bytes)
C:\WINDOWS\mdm(6).ini : tuurfc (10919 bytes)
C:\WINDOWS\mfctx32.exe : uwnmza (11592 bytes)
C:\WINDOWS\mfctx32.exe : wofkbp (30699 bytes)
C:\WINDOWS\msdfmap.ini : mlsbbe (10919 bytes)
C:\WINDOWS\netvu.exe : xmvuqr (30699 bytes)
C:\WINDOWS\nsw.log : jpjwp (11591 bytes)
C:\WINDOWS\nsw.log : xtalb (56320 bytes)
C:\WINDOWS\orun32(12).isu : rupxe (11591 bytes)
C:\WINDOWS\orun32(12).isu : wbrktn (10919 bytes)
C:\WINDOWS\orun32(14).isu : edcrxh (11592 bytes)
C:\WINDOWS\orun32(14).isu : rupxe (11591 bytes)
C:\WINDOWS\orun32(18).isu : rupxe (11591 bytes)
C:\WINDOWS\orun32(18).isu : xevwzs (7305 bytes)
C:\WINDOWS\orun32(3).isu : ifypnf (3547 bytes)
C:\WINDOWS\orun32(3).isu : rupxe (11591 bytes)
C:\WINDOWS\orun32(7).isu : ayqupp (68096 bytes)
C:\WINDOWS\orun32(7).isu : rupxe (11591 bytes)
C:\WINDOWS\piaxi.txt : ezxmcu (11592 bytes)
C:\WINDOWS\piaxi.txt : rljtna (10919 bytes)
C:\WINDOWS\pmmoy.dll : gzureu (30699 bytes)
C:\WINDOWS\POCE98.DLL : waqref (7305 bytes)
C:\WINDOWS\Prairie Wind.bmp : cuicg (10919 bytes)
C:\WINDOWS\Prairie Wind.bmp : pvrwpa (10919 bytes)
C:\WINDOWS\Q307869.log : rluuks (30699 bytes)
C:\WINDOWS\Q308677.log : zctkss (3567 bytes)
C:\WINDOWS\Q309691.log : awchmv (30699 bytes)
C:\WINDOWS\Q309691.log : earls (96578 bytes)
C:\WINDOWS\Q310437.log : rcmpvc (68096 bytes)
C:\WINDOWS\Q314862.log : nvlntp (64000 bytes)
C:\WINDOWS\Q314862.log : rapkv (103572 bytes)
C:\WINDOWS\Q314862.log : uselji (11592 bytes)
C:\WINDOWS\Q315403.log : hcmji (30699 bytes)
C:\WINDOWS\Q317277.log : mtozlk (7471 bytes)
C:\WINDOWS\Q318966.log : ijezzi (64000 bytes)
C:\WINDOWS\Q318966.log : kuhec (29696 bytes)
C:\WINDOWS\Q319580.log : culow (10919 bytes)
C:\WINDOWS\Q319580.log : xuhefv (3567 bytes)
C:\WINDOWS\Q319949.log : tcsus (30699 bytes)
C:\WINDOWS\Q322011.log : pvzjhf (64000 bytes)
C:\WINDOWS\Q323322.log : ozhcm (7305 bytes)
C:\WINDOWS\Q327979.log : qkkwuw (11592 bytes)
C:\WINDOWS\Q329115.log : graho (3347 bytes)
C:\WINDOWS\Q329441.log : yxasp (10919 bytes)
C:\WINDOWS\Q329441.log : zssni (56320 bytes)
C:\WINDOWS\Q329834.log : bmvhii (7471 bytes)
C:\WINDOWS\Q810243.log : ungmlt (3567 bytes)
C:\WINDOWS\Q810565.log : eqmqlp (11592 bytes)
C:\WINDOWS\Q811630.log : ggwin (30699 bytes)
C:\WINDOWS\Q811630.log : trvqf (11591 bytes)
C:\WINDOWS\Q811630.log : xrxdfr (7305 bytes)
C:\WINDOWS\Q815021.log : prqiic (3567 bytes)
C:\WINDOWS\QDQICK.ini : asiocm (68096 bytes)
C:\WINDOWS\QDQICK.ini : jhzbb (11591 bytes)
C:\WINDOWS\RBLASTER.INI : ujcmy (3347 bytes)
C:\WINDOWS\RBLASTER.INI : yueznr (11736 bytes)
C:\WINDOWS\REGLOCS.OLD : quxeqc (7471 bytes)
C:\WINDOWS\sdkgn32.exe : sglibm (10919 bytes)
C:\WINDOWS\Setup1.exe : chotxz (30699 bytes)
C:\WINDOWS\setupapi.log : vkfyzz (10919 bytes)
C:\WINDOWS\setuperr.log : eckjhu (10919 bytes)
C:\WINDOWS\smscfg.ini : akkowj (10919 bytes)
C:\WINDOWS\Spyware Begone Setup Log.txt : dnxjhf (10919 bytes)
C:\WINDOWS\Spyware Begone Setup Log.txt : vtoaxx (11592 bytes)
C:\WINDOWS\Sti_Trace.log : ddozse (30699 bytes)
C:\WINDOWS\Sti_Trace.log : gfdack (11592 bytes)
C:\WINDOWS\svwui.ini : guzktk (3567 bytes)
C:\WINDOWS\SYMEVENT.LOG : crdem (10919 bytes)
C:\WINDOWS\SYMEVENT.LOG : zfvgwv (7305 bytes)
C:\WINDOWS\syscz32.exe : rgolyf (3567 bytes)
C:\WINDOWS\syscz32.exe : zvkqwu (68096 bytes)
C:\WINDOWS\sysdx.exe : oerrpr (11592 bytes)
C:\WINDOWS\SYSINI.QTW : bgwuou (30699 bytes)
C:\WINDOWS\SYSINI.QTW : lybxwp (30699 bytes)
C:\WINDOWS\syslp32.exe : gfjxrb (7305 bytes)
C:\WINDOWS\System32YG6U.SHD : rhmpno (68096 bytes)
C:\WINDOWS\tsoc.log : zqmobt (3567 bytes)
C:\WINDOWS\twain.dll : mluzku (11592 bytes)
C:\WINDOWS\twain.dll : ukzkqk (30699 bytes)
C:\WINDOWS\twunk_16.exe : olpse (30699 bytes)
C:\WINDOWS\twunk_32.exe : eeneff (7305 bytes)
C:\WINDOWS\UniFish3.exe : ksqzxg (64000 bytes)
C:\WINDOWS\UniFish3.exe : kyizxq (11586 bytes)
C:\WINDOWS\UNWISE.EXE : hgqxbs (3547 bytes)
C:\WINDOWS\vb.ini : agjcdc (68096 bytes)
C:\WINDOWS\vbaddin.ini : jixjmy (3567 bytes)
C:\WINDOWS\vihys.log : cbiooi (64000 bytes)
C:\WINDOWS\winhelp.exe : hydrh (103572 bytes)
C:\WINDOWS\winhlp32.exe : jvsbgn (30699 bytes)
C:\WINDOWS\winza.exe : szgkd (11586 bytes)


thank you,
rc
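The About:Buster and ADS Spy output above is the interesting part of this case: the hijacker keeps its payload in NTFS alternate data streams (the `file:stream` names) attached to harmless files under C:\WINDOWS, which is why plain directory listings and most scanners miss it, and why a process can show up as `C:\WINDOWS\Q319580.log:culow`. The following is an added example, written for this page and not code from the thread, from About:Buster or from HijackThis. It parses ADS Spy log lines of the form posted here, flags the streams that follow the hijacker's pattern, and on Windows enumerates a file's streams directly through kernel32's `FindFirstStreamW`. The sample lines are a constructed subset of the log above plus one invented `Zone.Identifier` entry as a benign control; the recurrence and size-clustering thresholds are my own heuristics, not anything the tools use.

```python
"""Triage NTFS alternate data streams (ADS) from an ADS Spy log, or live on Windows."""
import os
import re
import sys
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class AdsEntry(NamedTuple):
    host: str    # file the stream is attached to
    stream: str  # stream name
    size: int    # bytes


# Constructed sample: a subset of the ADS Spy log posted in this thread, plus one invented
# Zone.Identifier entry (the mark-of-the-web stream IE writes on downloads) as a benign control.
SAMPLE_ADS_LOG = r"""
C:\WINDOWS\Active Setup Log.txt : ktssxs (11592 bytes)
C:\WINDOWS\apiag.exe : vlzgv (103572 bytes)
C:\WINDOWS\apiag.exe : vmddtf (7305 bytes)
C:\WINDOWS\GoogleToolbar(2).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(2).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(3).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(3).dll : jawia (10919 bytes)
C:\WINDOWS\GoogleToolbar(4).dll : afkxc (10919 bytes)
C:\WINDOWS\GoogleToolbar(4).dll : jawia (10919 bytes)
C:\WINDOWS\mdm(6).ini : gmjid (10919 bytes)
C:\WINDOWS\mdm(12).ini : gmjid (10919 bytes)
C:\WINDOWS\mdm(15).ini : gmjid (10919 bytes)
C:\WINDOWS\Q319580.log : culow (10919 bytes)
C:\Downloads\setup.exe : Zone.Identifier (26 bytes)
"""

ADS_LINE = re.compile(r"^(?P<host>.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes\)$")
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_ads_log(text: str) -> List[AdsEntry]:
    entries = []
    for line in text.splitlines():
        m = ADS_LINE.match(line.strip())
        if m:
            entries.append(AdsEntry(m["host"], m["stream"], int(m["size"])))
    return entries


def recurring_streams(entries: List[AdsEntry], min_hosts: int = 3) -> Dict[str, int]:
    """Stream names planted on at least min_hosts different files. The hijacker copies the
    same randomly named stream onto many host files; legitimate software does not."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[e.stream].add(e.host.lower())
    return {name: len(h) for name, h in hosts.items() if len(h) >= min_hosts}


def suspicious_entries(entries: List[AdsEntry], min_hosts: int = 3) -> List[AdsEntry]:
    """Heuristic: flag a stream whose name recurs across files, or whose exact byte size is
    shared by min_hosts differently named streams (one payload copied under fresh names)."""
    recurring = recurring_streams(entries, min_hosts)
    names_per_size = defaultdict(set)
    for e in entries:
        names_per_size[e.size].add(e.stream)
    return [e for e in entries
            if e.stream not in BENIGN_STREAMS
            and (e.stream in recurring or len(names_per_size[e.size]) >= min_hosts)]


def list_streams(path: str) -> List[Tuple[str, int]]:
    """Enumerate one file's NTFS streams with kernel32 FindFirstStreamW (Windows only).
    Names come back as ':name:$DATA'; '::$DATA' is the file's ordinary contents."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs Windows")
    import ctypes

    class FindStreamData(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * 296)]  # MAX_PATH + 36

    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = FindStreamData()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle in (None, ctypes.c_void_p(-1).value):  # INVALID_HANDLE_VALUE: not NTFS or no access
        return []
    found = []
    try:
        while True:
            found.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return found


def scan_tree(root: str) -> List[AdsEntry]:
    """Walk a directory (e.g. the Windows directory) and report every named stream."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            host = os.path.join(dirpath, name)
            for stream, size in list_streams(host):
                if stream != "::$DATA":
                    entries.append(AdsEntry(host, stream.split(":")[1], size))
    return entries
```

On the sample, `suspicious_entries` returns the ten 10919-byte streams and nothing else: `afkxc`, `jawia` and `gmjid` are caught because each sits on three files, and the lone `culow` stream is caught because its size matches those copies, while the single-host streams of unique size and the `Zone.Identifier` control pass. On a live machine, `suspicious_entries(scan_tree(...))` over the Windows directory gives the same kind of list ADS Spy produced here, which you can then compare against the About:Buster output before deleting anything.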
LoPhatPhuud
That looks much better already.


First:
Download DelDomains.inf from here:

www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

When it's finished your IE Zones will be reset. That will make it necessary to re-install protection using SpywareBlaster and to re-install IE/Spyads, if you use them.


Second:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HiJackThis:
O2 - BHO: (no name) - {6F8A1992-AF2F-5DB6-2B3E-65738F300B53} - C:\WINDOWS\system32\ntlp32.dll

O23 - Service: Network Security Service ( 6Q '8) - Unknown owner - C:\WINDOWS\system32\atlzi.exe


Close all open windows except HiJackThis and press 'Fix Checked'.

Reboot.
Run HiJackThis again and post a new log in this thread.
Rocit
are you aware that this link: www.mvps.org/winhelp2002/DelDomains.inf is just setup info? it gives me nothing to download. even through explorer.
Rocit
it asks me if i want to open or save the file; this is what i keep getting when i open it:

; DelDomains.inf
; Created by: Mike Burgess Microsoft MVP
; http://mvps.org/winhelp2002/
;
; Warning: Deletes all entries in the Restricted & Trusted Zone list
;
; To execute this file: in Explorer - right-click (this file)
; Select Install from the Menu.

[version]
signature="$CHICAGO$"

[DefaultInstall]
DelReg=DelTemps
AddReg=AddTemps

[DelTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

; Recreate the keys to avoid a restart

[AddTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
LoPhatPhuud
Just right click on this link and select 'Save Target' or 'Save Link as', depending on your browser. Then follow the previous instructions.


http://www.mvps.org/winhelp2002/DelDomains.inf
Rocit
hi,

my hjt is in its own folder and it is in the "my computer" folder. i have to go into safe mode and run hjt, copy and paste a log into "microsoft word" and leave the log on the desktop in order to open it. i am still not able to open the "my computer" folder unless i am in "safe mode". the logs are in a folder for now on my desktop. that is the only way i can get the reading for you.

thank you for telling me how to do the download of http://www.mvps.org/winhelp2002/DelDomains.inf. it worked.

here is my new hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 1:25:43 PM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User\My Documents\HJT99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
O4 - HKLM\..\Run: [nwiz] C:\hp\drivers\video\Nforce\nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [apptq.exe] C:\WINDOWS\system32\apptq.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Network Security Service ( 6Q '8) - Unknown owner - C:\WINDOWS\system32\atlzi.exe

rc
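Reading the log above the way the helper does (the `res://...dll/sp.html` search pages, the `about:blank` start page, the missing URLSearchHook, the self-named `apptq.exe` Run entry and the "Unknown owner" service) can be automated. The following is an added example written for this page, not HijackThis code and not anything from the thread. It scans a HijackThis log for those markers and collects the files behind them, which is the list the helper's "Delete the following files" step is built from. The sample log is constructed from lines of the logs posted in this thread, with a clean Symantec entry, the NAV Helper BHO and `hkcmd.exe` included as controls that must not be flagged; the "self-named system32 Run entry" rule and the category names are my own heuristics.

```python
"""Pick the CWS about:blank markers out of a HijackThis log."""
import re
from typing import List, Set, Tuple

# Constructed sample assembled from lines of the HijackThis logs posted in this thread
# (clean Symantec entries and hkcmd.exe are included as controls that must not be flagged).
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Q319580.log:culow
C:\WINDOWS\system32\atlwa.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6F8A1992-AF2F-5DB6-2B3E-65738F300B53} - C:\WINDOWS\system32\ntlp32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [apptq.exe] C:\WINDOWS\system32\apptq.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Network Security Service ( 6Q '8) - Unknown owner - C:\WINDOWS\system32\atlzi.exe
"""

# res:// serves an HTML resource embedded in a DLL; the hijacker points every search setting at it.
RES_DLL = re.compile(r"res://([^/]+\.dll)/", re.IGNORECASE)
# [value name] "optional quotes" image path ending in .exe
O4_RUN = re.compile(r'\[(?P<name>[^\]]+)\] "?(?P<image>.+?\.exe)"?', re.IGNORECASE)


def is_ads_path(path: str) -> bool:
    """A second colon after the drive letter means the process image is an alternate data stream."""
    return ":" in path[2:]


def _self_named_system32(name: str, image: str) -> bool:
    # Heuristic: a Run value named exactly like its own exe, parked in system32 under a random
    # name ([apptq.exe] C:\WINDOWS\system32\apptq.exe), is how this variant registers itself.
    base = image.rsplit("\\", 1)[-1]
    return name.lower() == base.lower() and "\\system32\\" in image.lower()


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, log line) for every entry that matches a hijack marker."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False
            elif is_ads_path(line):
                findings.append(("process-from-ads", line))
            continue
        if line.startswith(("R0 - ", "R1 - ")):
            if RES_DLL.search(line):
                findings.append(("search-page-in-res-dll", line))
            elif line.endswith("= about:blank"):
                findings.append(("about-blank-start-page", line))
        elif line.startswith("R3 - ") and "missing" in line:
            findings.append(("urlsearchhook-missing", line))
        elif line.startswith("O2 - BHO: (no name)"):
            findings.append(("unnamed-bho", line))
        elif line.startswith("O4 - "):
            m = O4_RUN.search(line)
            if m and _self_named_system32(m.group("name"), m.group("image")):
                findings.append(("self-named-system32-run", line))
        elif line.startswith("O15 - "):
            # Trusted Zone / Trusted IP range entries live under Internet Settings\ZoneMap
            # (Domains and Ranges), the keys DelDomains.inf wipes.
            findings.append(("trusted-zone", line))
        elif line.startswith("O23 - ") and " - Unknown owner - " in line:
            findings.append(("unknown-owner-service", line))
    return findings


def files_to_remove(findings: List[Tuple[str, str]]) -> Set[str]:
    """Collect the on-disk files behind the flagged entries (the 'delete these files' list)."""
    files = set()
    for category, line in findings:
        if category == "search-page-in-res-dll":
            files.add(RES_DLL.search(line).group(1))
        elif category in ("unnamed-bho", "unknown-owner-service"):
            files.add(line.rsplit(" - ", 1)[-1])
        elif category == "self-named-system32-run":
            files.add(O4_RUN.search(line).group("image"))
    return files
```

Run against the sample, `files_to_remove(triage(SAMPLE_HJT_LOG))` yields exactly the four files the helper lists in the next post (ixxrh.dll, ntlp32.dll, apptq.exe, atlzi.exe). Treat the output as a shortlist for a human, not a delete list: the "Unknown owner" test, for instance, only says HijackThis found no version information on the binary, and the self-named Run rule is tuned to this variant's naming.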
LoPhatPhuud
First:
1. Download AboutBuster here:
http://www.malwarebytes.biz/AboutBuster.zip

Unzip it to your desktop but don't run it yet; we'll do that later on down in this list in SAFE MODE.

2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.

3. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

4. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called 'Network Security Service' or 'Remote Procedure Call (RPC) Helper' or 'Workstation NetLogon Service'. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

5. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

6. Scan with Hijack This (current version is 1.98.2) and put checks next to all the following, then click "Fix Checked".
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [apptq.exe] C:\WINDOWS\system32\apptq.exe

O23 - Service: Network Security Service ( 6Q '8) - Unknown owner - C:\WINDOWS\system32\atlzi.exe

Delete the following files/folders:
C:\WINDOWS\system32\ixxrh.dll
C:\WINDOWS\system32\apptq.exe
C:\WINDOWS\system32\atlzi.exe

7. Double click on the AboutBuster tool I had you download earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the *Save log* button. I will want a copy of that log after all steps are completed here.

8. Scan with Adaware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

10. Reboot to normal mode, scan again with Hijack This and post a new log here.

11. NOTE:Two possibly three or four files may have been deleted from your computer by the hijacker and may need to be replaced.

Control.exe
Shell.dll
SDHelper.dll (if you are using Spybot Search & Destroy)
Hosts file (no extension)

If control.exe, shell.dll or SDHelper is missing
Go here: http://spywareinfo.com/~merijn/winfiles.html and download the needed file.

For a missing Hosts file:
Download Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

12. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.
Quote:

ActiveX controls and plug-ins
* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)

13. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review


Second:
Start HiJackThis (version 1.99.1 or later)

Press 'Config' -> 'Misc Tools' -> 'Open ADS Spy...'

Be sure the first two boxes are checked and the third is not checked

Press 'Scan'

Check each item found and press 'Remove Selected'
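As an added example (not code from this thread, and not part of HijackThis or AboutBuster), the script below applies the triage the helper did by hand to constructed log lines modelled on this thread: R0/R1 pages pointing at a res:// DLL, an O4 Run entry named after a loose system32 executable, and an O23 service with "Unknown owner" running from system32. It then checks a later log for survivors, the way the second log still showed the atlzi.exe service. The regexes and heuristics are the example's own assumptions.

```python
"""Triage of HijackThis log lines, modelled on the entries flagged in this thread."""
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the first log in the thread (not a verbatim copy).
BEFORE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ixxrh.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [apptq.exe] C:\WINDOWS\system32\apptq.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Network Security Service ( 6Q '8) - Unknown owner - C:\WINDOWS\system32\atlzi.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Constructed "after" sample: the hijack lines are gone but the service survived,
# as happened in the second log posted in the thread.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Network Security Service ( 6Q '8) - Unknown owner - C:\WINDOWS\system32\atlzi.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Heuristic patterns (this example's own, not HijackThis rules).
RES_DLL = re.compile(r'=\s*res://(?P<dll>[^/]+?\.dll)/', re.I)
O4_LINE = re.compile(r'^O4 - .*?: \[(?P<name>[^\]]+)\]\s*"?(?P<path>.+?\.(?:exe|dll|scr|com))', re.I)
O23_LINE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$', re.I)


def in_system32(path):
    """True for a file sitting directly in the Windows system32 folder (any case)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) == 4 and parts[1:3] == ["windows", "system32"]


def triage(log):
    """Return (reason, path) pairs for lines matching the indicators seen in this thread."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = RES_DLL.search(line)
        if line[:2] in ("R0", "R1") and m:
            findings.append(("IE start/search page points at a res:// DLL", m["dll"]))
            continue
        m = O4_LINE.match(line)
        if m and in_system32(m["path"]) and m["name"].lower() == PureWindowsPath(m["path"]).name.lower():
            findings.append(("Run entry named after a loose system32 executable", m["path"]))
            continue
        m = O23_LINE.match(line)
        if m and m["owner"].lower() == "unknown owner" and in_system32(m["path"]):
            findings.append(("Service with no publisher running from system32", m["path"]))
    return findings


def files_to_delete(log):
    """De-duplicated list of files the findings point at (the helper's delete list)."""
    return sorted({path for _, path in triage(log)}, key=str.lower)


def still_present(before, after):
    """Flagged files whose lines survive in a later log: what to re-check after reboot."""
    after_lower = after.lower()
    return [p for p in files_to_delete(before) if p.lower() in after_lower]


if __name__ == "__main__":
    for reason, path in triage(BEFORE_LOG):
        print(f"{reason}: {path}")
    print("delete:", files_to_delete(BEFORE_LOG))
    print("survived:", still_present(BEFORE_LOG, AFTER_LOG))
```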
Rocit
ok, hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 4:28:18 PM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User\My Documents\HJT99\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
O4 - HKLM\..\Run: [nwiz] C:\hp\drivers\video\Nforce\nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Network Security Service ( 6Q '8) - Unknown owner - C:\WINDOWS\system32\atlzi.exe



buster log:

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19


please note that i am still not able to open "my computer" folder or open "search"

thank you,
rc
LoPhatPhuud
We need to shut down the Network Security Service.

From the Desktop,

Start -> run -> services.msc

Scroll down and look for either the weird characters or the name Network Security Service from this entry

O23 - Service: Network Security Service ( 6Q '8) - Unknown owner - C:\WINDOWS\system32\atlzi.exe

Once you find it, right click on 'Properties'

On the window that opens, look for 'Startup Type' in the middle and change it to 'disabled'.

Reboot and delete the file: C:\WINDOWS\system32\atlzi.exe, if present.

Run HiJackThis again and post a new log in this thread.


Once this is done your log should be clean. I will check for information on the other issues.
Rocit
hi lophatphuud,

yeah, i think it is done. you have been so helpful. i was not able to find the one file but i did disable it. here is the new log:


Logfile of HijackThis v1.99.1
Scan saved at 1:50:39 PM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\EarthLink 5.0\updatemgr.exe
C:\WINDOWS\system32\S3apphk.exe
C:\hp\drivers\keyboard\PS2.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\My Documents\HJT99\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\hp\drivers\keyboard\PS2.EXE
O4 - HKLM\..\Run: [nwiz] C:\hp\drivers\video\Nforce\nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

thank you very much,
rc
Rocit
i'm sorry, i also meant to say that i am able to open "my computer", "search" etc... folders. it is nice to be able to work with them again.

again, thank you.
LoPhatPhuud
At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and Internet Explorer. The first defense against infection is a properly patched Operating System.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Select Internet Options from the Control Panel, or from Internet Explorer (Tools -> Internet Options)
Press 'default level', then OK
Now press "Custom Level."

In the ActiveX controls and plug-ins section set these options:
'Download signed ActiveX controls' - Prompt
'Download unsigned ActiveX controls' - Disable
'Initialize and script ActiveX controls not marked as safe' - Disable
For all other options, accept the default

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
c. BHODemon: http://www.definitivesolutions.com/bhodemon.htm
d. Bugoff: http://castlecops.com/downloads-file-374.html

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing one of the following:
a. Microsoft AntiSpyware: http://www.microsoft.com/athome/security/s...re/default.mspx
NOTE: MS AntiSpyware only runs on Windows 2000, XP, and 2003.
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
c. AdAware: http://www.lavasoft.de/ Due to AdAware's recent decision to remove WhenU from its detection database, only to quickly add it back in response to public outcry I can no longer recommend this product as a first line of defense. For those interested, here is a link to discussion regarding this: http://www.dslreports.com/forum/remark,12665642~mode=flat

Use these programs to regularly scan your system for and remove many forms of spyware/malware. I recommend and use Microsoft AntiSpyware.

If you use, or plan on using, additional spyware/malware detection and/or removal programs, please check Items 8 and 9.

5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Clean Temporary Files and Folders
Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your hard drive (most likely C: Drive). Right Click on the hard drive icon and click Properties at the bottom of the fly out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.

Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin


Click OK and Disk Cleanup will delete those files for you.

8. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

9. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

10. Alternate Browser
Consider using an alternate browser as your default. I recommend and use Firefox as my primary browser. It is still necessary to keep Internet Explorer current and protected in order to use Windows Update.


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.