# Solved: Searches being redirected to other search sites



## juleski32 (Apr 25, 2004)

When using Google, MSN or Yahoo searches, plenty of links show up; however, when I click on one, it is re-directed to another search site. If I back out and click it again, it goes to the correct site (verified with address). Also, the news stories in Google News are dating back to July 2006. Once I click on 'refresh', the page is brought current. I tried to use System Restore, but it was turned off (which I know I used earlier this year, when it was 'on'). Also, Windows Explorer keeps getting an error and shutting down. HJT log is posted further down in this string.


----------



## valis (Sep 24, 2004)

You are missing the top part of the log; it looks something like this:

Logfile of HijackThis v1.99.1
Scan saved at 7:47:17 AM, on 11/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


----------



## ozrom1e (May 16, 2006)

They are also missing the tail end of the log file. We will need the whole thing to properly diagnose the problem you have. Please re-post the whole log file.

A bit more here: seeing as the last HJT log file was from an older version, here is the new one to download.

To download HijackThis (HJTsetup.exe), go to the following: http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item5
Filename = 1137518044HJTsetup.exe
Save the file to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\HijackThis.
Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialog box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
At the top of the Notepad HJT log screen, click Edit, then Select All; then click Edit again and click Copy. Doing that copies the text to the clipboard; you won't see it yet.
Come back here to this thread and Paste the log in your next reply. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

A security expert should take a look at your log - please be patient.

Thank you


----------



## valis (Sep 24, 2004)

If they are using something other than XP/2K, they could not be missing the tail end. That's why I didn't mention it and asked for the header instead.


----------



## juleski32 (Apr 25, 2004)

Here is an updated log :

Logfile of HijackThis v1.99.1
Scan saved at 6:24:04 PM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SmartFix\smartfix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Easy Upload Tools\Drivers\Spooler\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Gear Security Service (GearSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe


----------



## valis (Sep 24, 2004)

Cool, thanks. Wait for a security expert to come by and parse your log. They are ID'd by the gold badge next to their name.

v


----------



## ozrom1e (May 16, 2006)

Now that is a log file. Please be patient; an HJT expert will be here to diagnose the log file presently. You will know the tech by the little gold shield to the right side of their name.


----------



## JohnWill (Oct 19, 2002)

You may just have to reset the IE search options,

Tools, Internet Options, Programs, Reset WEB Settings.

See if that restores the proper search pages. You'll have to fix your home page if you don't like Microsoft's choice.


----------



## juleski32 (Apr 25, 2004)

Tried resetting IE settings. Shut the system down and brought back up . . . still having same problem.


----------



## JohnWill (Oct 19, 2002)

OK, time to move this to security.


----------



## kdd9 (Mar 25, 2005)

Hi, juleski32. Sorry that your topic got overlooked. If you still require assistance please run a fresh scan with HijackThis, post the log back here and I will be glad to review it for you.


----------



## juleski32 (Apr 25, 2004)

Yep. I guess I got overlooked for a while. Unfortunately, I'm still having a problem. I've tried a series of different programs (AdAware, Shredder, Spybot, Windows Malware Removal). I keep getting an error when running AdAware and Windows Malware Removal. I also keep getting an error when using Windows Media Player as well as Windows Explorer. Search engine results are still being hijacked to other search sites. Here is an updated HJT log. Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 2:55:00 PM, on 11/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Easy Upload Tools\Drivers\Spooler\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Gear Security Service (GearSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe


----------



## kdd9 (Mar 25, 2005)

Please disable Windows Defender so that it does not interfere with the changes we are about to make.

* Open Windows Defender
* Click Tools
* Click General Settings
* Scroll down to Real Time Protection Options
* Uncheck Turn on Real Time Protection (recommended)
* After you uncheck this, click on the Save button
* Close Windows Defender

Next, download and install *CCleaner* from here.
Do not run CCleaner just yet.

Download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that *Launch AVG Anti-Spyware* is checked.
On the main screen under *Your Computer's security*.
Click on *Change state* next to *Resident shield*. It should now change to inactive.
Click on *Change state* next to *Automatic updates*. It should now change to inactive.
Next to *Last Update*, click on *Update now*. (You will need an active internet connection to perform this)
Wait until you see the "Update successful" message.

Right-click the AVG Anti-Spyware Tray Icon and uncheck *Start with Windows*.
Right-click the AVG Anti-Spyware Tray Icon and select *Exit*. Confirm by clicking *Yes*.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates.
Download the *Full database* to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Open HijackThis, do a system scan only, and when it finishes place a check before the following lines if present:
*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm*

*O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)*

*O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy*

*O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy*
Then make sure ALL windows are closed except HijackThis and hit the "Fix checked" button.

Please print out the following instructions or copy them to Notepad as you will not have internet access from Safe Mode:

Now, boot the computer into Safe Mode

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
(Choose your usual account.)
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Next, using Explorer, navigate to the following folder marked in *bold*, and delete it by right-clicking on the folder and choosing "Delete".
C:\Program Files\*MarketBrowser*

*Run CCleaner:*(Still in Safe Mode)

* Double-click its desktop icon to open the program.
* Click the "Options" button, then click "Advanced".
* _Un_check, "Only delete files in Windows Temp folders older than 48 hours".
* Click the "Cleaner" button (where the brush is.)
* Click the "Run Cleaner" button.
* Click "OK" to proceed.
* Let it scan and clean until it's finished, and when it says, "Cleaning complete" in the status window, exit the program.
_Note: Please do not use the "Issues" button on CCleaner as this may lead to problems._

*Run AVG Antispyware* (Still in Safe Mode)
Close ALL open Windows / Programs / Folders. Please start *AVG Anti-Spyware* and run a full scan.

Click on *Scanner* on the toolbar.
Click on the *Settings* tab.
Under *How to act?*
Click on* Recommended Action* and choose *Quarantine* from the popup menu.

Under *How to scan?*
All checkboxes should be ticked.

Under *Possibly unwanted software: *
All checkboxes should be ticked.

Under *Reports:*
Select *Automatically generate report after every scan* and uncheck *Only if threats were found*.

Under *What to scan?*
Select *Scan every file*.


Click on the *Scan* tab.
Click on *Complete System Scan* to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
*IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.*
Make sure that *Set all elements to:* shows *Quarantine* *(1)*, if not click on the link and choose *Quarantine* from the popup menu. *(2)*
At the bottom of the window click on the *Apply all Actions* button. *(3)*

When done, click the *Save Scan Report* button. *(4)*
Click the *Save Report as* button.
Save the report to your Desktop.

Right-click the AVG Anti-Spyware Tray Icon and select *Exit*. Confirm by clicking *Yes*.
*Reboot in Normal Mode.*

Then please do an online scan with Kaspersky WebScanner
(You will need to use Internet Explorer for this.)

Click on *Kaspersky Online Scanner*

You will be prompted to install an ActiveX component from Kaspersky. Click *Yes*.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on *NEXT*
Now click on *Scan Settings*
In the scan settings make sure that the following are selected:
*Scan using the following Anti-Virus database:*

*Extended (if available otherwise Standard)*

*Scan Options:*

*Scan Archives
Scan Mail Bases*

Click *OK*
Now under select a target to scan:
Select *My Computer*

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the *Save as Text* button:

Save the file to your desktop.

Then run a new *HijackThis* scan, save the logfile, and post it back here along with the reports from *AVG Antispyware* and *Kaspersky*.

Also, please let me know how the computer is behaving now. If you are still getting the error messages can you please tell me what they say?
If you are still getting redirected to another site can you tell me what site?


----------
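The procedure above amounts to reading a HijackThis log by eye and checking three things: a BHO or toolbar whose CLSID points at "(no file)", an R0/R1 page value that is not a URL, and any entry belonging to a product the helper wants removed (here MarketBrowser). The following Python script, added by the editor and not part of the thread or of HijackThis itself, parses HJT v1.99.1 log lines into fields and applies those same checks automatically, returning the exact lines one would tick before "Fix checked". The sample input is a constructed subset of the lines from the posted logs; the review list and the rule set are the editor's assumptions and flag items for review, not as confirmed malware.

```python
"""Triage helper for HijackThis v1.99.1 logs (editor's example, not from the thread).

Rules implemented (mirroring what kdd9 checked by hand):
  * O2/O3/O9 entry whose target is "(no file)"  -> orphaned CLSID registration
  * R0/R1 value that is not an http(s) URL or about:blank -> non-URL start/local page
  * any line matching REVIEW_LIST (assumed list; here the product kdd9 had removed)
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of lines copied from the logs posted in the thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O23 - Service: Gear Security Service (GearSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
URL_RE = re.compile(r"^(https?://|about:blank$)", re.IGNORECASE)
REVIEW_LIST = ("MarketBrowser",)  # assumed: names the helper asked to remove


@dataclass
class Entry:
    section: str            # "R0", "O2", "O4", ...
    name: str               # BHO class / toolbar / Run value name / service name
    clsid: Optional[str]    # {GUID} if the line carries one
    target: str             # file path, URL or registry value
    raw: str                # original line, as it would be ticked in HijackThis


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into (section, name, clsid, target); None for non-entries."""
    line = line.rstrip()
    if not line or " - " not in line:
        return None
    section, rest = line.split(" - ", 1)
    section = section.strip()
    if section.startswith("R"):
        # R0 - HKCU\...\Main,Local Page = \blank.htm
        key, _, value = rest.partition(" = ")
        return Entry(section, key.strip(), None, value.strip(), line)
    if section == "O4":
        # O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
        m = re.match(r"(.*?): \[(.*?)\] (.*)", rest)
        if m:
            return Entry(section, m.group(2), None, m.group(3), line)
        return Entry(section, rest, None, "", line)
    # O2/O3/O9/O23: "<kind>: <name> - {CLSID} - <path>"; the CLSID may be absent
    parts = [p.strip() for p in rest.split(" - ")]
    clsid = next((p for p in parts if CLSID_RE.fullmatch(p)), None)
    name = parts[0].split(": ", 1)[-1]
    target = parts[-1] if len(parts) > 1 else ""
    return Entry(section, name, clsid, target, line)


def triage(log_text: str) -> Tuple[List[Entry], List[Tuple[Entry, str]]]:
    """Parse a log and return (all entries, [(entry, reason), ...]) for review."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    for e in entries:
        if e.target == "(no file)":
            findings.append((e, "CLSID registered but its file is missing"))
        if e.section in ("R0", "R1") and not URL_RE.match(e.target):
            # Local Page may legitimately be a file path; flag for a human look
            findings.append((e, "start/local page value is not a URL"))
        if any(n.lower() in e.raw.lower() for n in REVIEW_LIST):
            findings.append((e, "matches review list"))
    return entries, findings


def fix_list(log_text: str) -> List[str]:
    """The unique raw lines to tick in HijackThis, in log order."""
    seen, out = set(), []
    for e, _reason in triage(log_text)[1]:
        if e.raw not in seen:
            seen.add(e.raw)
            out.append(e.raw)
    return out


if __name__ == "__main__":
    for e, reason in triage(SAMPLE_LOG)[1]:
        print(f"[{e.section}] {reason}: {e.raw}")
```

Run against the sample it reports the same four lines kdd9 listed and leaves the rest alone; the `usb.exe` Run entry, for instance, is not flagged because none of the three rules say anything about it, which is the right behaviour for a script that only encodes what the thread actually established.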



## juleski32 (Apr 25, 2004)

Got halfway through the AVG Spyware program and got tossed out (3 separate attempts at running). I kept getting the error message (from AVG): "AVG Anti-Spyware 7.5 Exception: something bad happened in the application. Error diagnostic file saved in C:\Program Files . . . " The program stopped at the same file scan point each time. It was in one of my music media folders. I tried to delete that file and I keep getting the 'Windows Explorer has encountered an error and must shut down'. I tried accessing that file through other programs and searches and every time, I get the error message and then get tossed out. Is there any other way to delete the contents of that file?


----------



## juleski32 (Apr 25, 2004)

OK. I think I got rid of one of the problem media files, so I was finally able to complete the AVG scan. The Internet Explorer hijacked links seem to have been fixed (half a dozen searches all went to the correct pages). So far, Windows Explorer is also working. Below are my newest HJT log, AVG report and Kaspersky report. Thanks a lot for your help!

Logfile of HijackThis v1.99.1
Scan saved at 10:48:40 PM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Easy Upload Tools\Drivers\Spooler\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Gear Security Service (GearSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	7:55:02 PM 11/19/2006

+ Scan result:

[176] VM_00D70000 -> Downloader.Zlob.aty : Cleaned with backup (quarantined).
[200] VM_00C20000 -> Downloader.Zlob.aty : Cleaned with backup (quarantined).
[888] VM_00A00000 -> Downloader.Zlob.aty : Cleaned with backup (quarantined).

::Report end
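A parser for the HijackThis log format posted above, added here as an example; it is not part of the thread and not HijackThis's own code. SAMPLE_LOG reuses a handful of lines from that log, and the Entry/HjtLog names and the two triage helpers (per-section counts, and O4 autostarts that name an executable without a full drive path) are this example's own.

```python
# Added example (not HijackThis code); SAMPLE_LOG is built from lines of the log above.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

@dataclass
class Entry:
    code: str              # HJT section code: R0, O2, O4, O23, ...
    kind: str              # BHO, Toolbar, "HKLM Run", Service, DPF, ...
    name: str              # display name / registry value name
    clsid: Optional[str]   # COM class id for O2/O3/O9/O16, else None
    target: str            # command line, file path or URL
    extra: str = ""        # vendor string for O23 services

@dataclass
class HjtLog:
    version: str = ""
    processes: List[str] = field(default_factory=list)
    entries: List[Entry] = field(default_factory=list)

# HJT separates fields with " - "; a path that itself contains " - " would need a smarter split.
_RE_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
_RE_GLOBAL = re.compile(r"^O4 - Global Startup: (.*?) = (.*)$")
_RE_CLSID_ITEM = re.compile(r"^(O[239]) - ([^:]+): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_RE_DPF = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.*)$")
_RE_SERVICE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
_RE_REG = re.compile(r"^(R[0-3]) - (.*?),(.*?) = (.*)$")
_RE_DRIVE_PATH = re.compile(r'^"?[A-Za-z]:\\')

def parse_entry(line: str) -> Optional[Entry]:
    """Turn one HJT item line into an Entry; None for line types not modelled here."""
    if m := _RE_RUN.match(line):
        hive, key, name, cmd = m.groups()
        return Entry("O4", f"{hive} {key}", name, None, cmd)
    if m := _RE_GLOBAL.match(line):
        return Entry("O4", "Global Startup", m.group(1), None, m.group(2))
    if m := _RE_CLSID_ITEM.match(line):
        code, kind, name, clsid, path = m.groups()
        return Entry(code, kind, name, clsid, path)
    if m := _RE_DPF.match(line):
        clsid, name, url = m.groups()
        return Entry("O16", "DPF", name or "(no name)", clsid, url)
    if m := _RE_SERVICE.match(line):
        name, vendor, path = m.groups()
        return Entry("O23", "Service", name, None, path, vendor)
    if m := _RE_REG.match(line):
        code, key, value, data = m.groups()
        return Entry(code, value, key, None, data)
    return None

def parse_hjt(text: str) -> HjtLog:
    """Parse a whole log: the version line, the process list, then the item lines."""
    log = HjtLog()
    in_processes = False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_processes = False          # a blank line ends the process list
        elif line.startswith("Logfile of HijackThis"):
            log.version = line.split("HijackThis", 1)[1].strip()
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log.processes.append(line)
        else:
            entry = parse_entry(line)
            if entry is not None:
                log.entries.append(entry)
    return log

def summarize(log: HjtLog) -> Dict[str, int]:
    """Items per HJT section code, e.g. {"O4": 5, "O23": 1}."""
    return dict(Counter(e.code for e in log.entries))

def unqualified_autostarts(log: HjtLog) -> List[Entry]:
    """O4 items whose command is not an absolute drive path: Windows resolves them via the
    search path at logon, so the log alone does not say which file runs (a prompt to look, not a verdict)."""
    return [e for e in log.entries
            if e.code == "O4" and not _RE_DRIVE_PATH.match(e.target)]
```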


----------



## juleski32 (Apr 25, 2004)

Here is the Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 19, 2006 10:47:02 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 20/11/2006
Kaspersky Anti-Virus database records: 242968
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 138661
Number of viruses found: 9
Number of infected objects: 17 / 0
Number of suspicious objects: 46
Duration of the scan process: 02:15:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11122006-135512.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-11-19_Log.ALUSchedulerSvc.LiveUpdate	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06547E97.tmp	Infected: not-a-virus:AdWare.Win32.Cydoor	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B544916.tmp	Infected: not-a-virus:AdWare.Win32.Cydoor	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0E4D7FD1.tmp	Infected: not-a-virus:AdWare.Win32.Cydoor	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0E970FC2.exe	Infected: Trojan-Downloader.Win32.Small.dbx	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\110818D0.tmp	Infected: not-a-virus:AdWare.Win32.Cydoor	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D8F7D97.exe	Infected: Trojan-Downloader.Win32.Small.cjk	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Confdntl.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Content.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Privacy.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Restrict.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Spam.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\WebHist.log	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Owner\Application Data\MSN6\UserData\{C1C74730-FC8F-01C1-0200-0000D0EDF9E2}\Mail\Folders on MSN - Inbox.MailDB/[From LWood7824 <[email protected]>][Date 11 Feb 2003 13:54:19 -0800]/UNNAMED/gra-kingsize[1].scr	Infected: Email-Worm.Win32.Klez.h	skipped
C:\Documents and Settings\Owner\Application Data\MSN6\UserData\{C1C74730-FC8F-01C1-0200-0000D0EDF9E2}\Mail\Folders on MSN - Inbox.MailDB/[From LWood7824 <[email protected]>][Date 11 Feb 2003 13:54:19 -0800]/UNNAMED	Infected: Email-Worm.Win32.Klez.h	skipped
C:\Documents and Settings\Owner\Application Data\MSN6\UserData\{C1C74730-FC8F-01C1-0200-0000D0EDF9E2}\Mail\Folders on MSN - Inbox.MailDB/[From LWood7824 <[email protected]>][Date 11 Feb 2003 13:54:19 -0800]/UNNAMED/gra-kingsize[1].scr	Infected: Email-Worm.Win32.Klez.h	skipped
C:\Documents and Settings\Owner\Application Data\MSN6\UserData\{C1C74730-FC8F-01C1-0200-0000D0EDF9E2}\Mail\Folders on MSN - Inbox.MailDB/[From LWood7824 <[email protected]>][Date 11 Feb 2003 13:54:19 -0800]/UNNAMED	Infected: Email-Worm.Win32.Klez.h	skipped
C:\Documents and Settings\Owner\Application Data\MSN6\UserData\{C1C74730-FC8F-01C1-0200-0000D0EDF9E2}\Mail\Folders on MSN - Inbox.MailDB	Mail MS Outlook 5: infected - 4	skipped
C:\Documents and Settings\Owner\Application Data\Symantec\PendingAlertsQueue.log	Object is locked	skipped
C:\Documents and Settings\Owner\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 9 Jun 2003 20:32:34 -0700]/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 9 Jun 2003 20:32:34 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Tue, 10 Jun 2003 20:20:43 -0700]/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Tue, 10 Jun 2003 20:20:43 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 20:24:53 -0700]/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 20:24:53 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 20:35:39 -0700]/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 20:35:39 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 20:39:02 -0700]/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 20:39:02 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 20:43:16 -0700]/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 20:43:16 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 20:56:40 -0700]/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 20:56:40 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 21:07:54 -0700]/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 12 Jun 2003 21:07:54 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Fri, 13 Jun 2003 17:48:07 -0700]/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Fri, 13 Jun 2003 17:48:07 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 16 Jun 2003 21:16:26 -0700]/UNNAMED/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 16 Jun 2003 21:16:26 -0700]/UNNAMED/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 16 Jun 2003 21:16:26 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 16 Jun 2003 21:21:26 -0700]/UNNAMED/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 16 Jun 2003 21:21:26 -0700]/UNNAMED/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 16 Jun 2003 21:21:26 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Wed, 18 Jun 2003 19:03:49 -0700]/UNNAMED/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Wed, 18 Jun 2003 19:03:49 -0700]/UNNAMED/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Wed, 18 Jun 2003 19:03:49 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Wed, 18 Jun 2003 19:08:38 -0700]/UNNAMED/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Wed, 18 Jun 2003 19:08:38 -0700]/UNNAMED/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Wed, 18 Jun 2003 19:08:38 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 19 Jun 2003 20:40:01 -0700]/UNNAMED/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 19 Jun 2003 20:40:01 -0700]/UNNAMED/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 19 Jun 2003 20:40:01 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 19 Jun 2003 20:45:52 -0700]/UNNAMED/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 19 Jun 2003 20:45:52 -0700]/UNNAMED/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 19 Jun 2003 20:45:52 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 26 Jun 2003 21:29:09 -0700]/UNNAMED/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 26 Jun 2003 21:29:09 -0700]/UNNAMED/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Thu, 26 Jun 2003 21:29:09 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 30 Jun 2003 22:15:29 -0700]/UNNAMED/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 30 Jun 2003 22:15:29 -0700]/UNNAMED/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 30 Jun 2003 22:15:29 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Fri, 4 Jul 2003 21:15:59 -0700]/UNNAMED/UNNAMED/html	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Fri, 4 Jul 2003 21:15:59 -0700]/UNNAMED/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Fri, 4 Jul 2003 21:15:59 -0700]/UNNAMED	Suspicious: not-a-virus:URL.IDFrame	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx	Mail MS Outlook 5: suspicious - 45	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_670.dat	Object is locked	skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Owner\My Documents\Virus problems\2006 Virus Problems\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\Owner\My Documents\Virus problems\2006 Virus Problems\SmitfraudFix.zip/SmitfraudFix/Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\Owner\My Documents\Virus problems\2006 Virus Problems\SmitfraudFix.zip	ZIP: infected - 1	skipped
C:\Documents and Settings\Owner\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG	Object is locked	skipped
C:\hp\bin\KillWind.exe	Infected: not-a-virus:RiskTool.Win32.PsKill.p	skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log	Object is locked	skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log	Object is locked	skipped
C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE	Infected: not-a-virus:AdWare.Win32.MyWay.b	skipped
C:\Program Files\Norton AntiVirus\AVApp.log	Object is locked	skipped
C:\Program Files\Norton AntiVirus\AVError.log	Object is locked	skipped
C:\Program Files\Norton AntiVirus\AVVirus.log	Object is locked	skipped
C:\Program Files\Norton AntiVirus\Savrt\0910NAV~.TMP	Object is locked	skipped
C:\Program Files\Norton Personal Firewall\nisum.dat	Object is locked	skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP8\change.log	Object is locked	skipped
C:\unzipped\hijackthis\backup-20031201-210703-820.dll	Infected: not-a-virus:AdWare.Win32.MyWay.w	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\default	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\SAM	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\software	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\system	Object is locked	skipped
C:\WINDOWS\SYSTEM32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\SYSTEM32\h323log.txt	Object is locked	skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped
C:\WINDOWS\{00000002-00000000-0000000B-00001102-00000004-10021102}.CDF	Object is locked	skipped

Scan process completed.


----------



## kdd9 (Mar 25, 2005)

Thanks. :up:
Be back soon with a reply.


----------



## kdd9 (Mar 25, 2005)

Please keep Windows Defender disabled again while you are working on this.

First, navigate to *C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine* , open up the Quarantine folder, select all of the contents and hit the "Delete" button.

Next, you need to compact all folders in your email program(s):


* Open Outlook Express

* On the *File* menu, click *Work Offline* so that no new messages will be arriving.

* In the Folder list, click on *Outlook Express* so that no e-mail or news folder is open.

* Close the Folder list by clicking the X in the upper right-hand corner of the list panel. Alternatively you can click *Layout* on the *View* menu, and then clear the checkbox for "Folder List".

* On the *File* menu, point to *Folder*, and then click *Compact All Folders*. Do not use your computer until the process is complete, which might take several minutes.

* Repeat with Outlook5 and/or any other e-mail programs.

If an error occurs, close Outlook Express, re-open it, and begin the process again from the top. If the same error occurs again, close Outlook Express, restart your computer (or log off and then log on again), open Outlook Express and then begin the whole process again.

Then, either go to the folder in the appropriate e-mail program and delete the e-mail in question or find and delete it using the file path...

For this one, it appears that it's an e-mail received on February 11, 2003 from LWood7824. This seems to be in the MSN Inbox. You may be able to just open the e-mail program and do a search for e-mails from that individual using the date parameter. Alternatively, you can search for it using the file path, but I think, for this one, it may be easier just to open the program and search for the e-mail itself...

C:\Documents and Settings\Owner\Application Data\MSN6\UserData\{C1C74730-FC8F-01C1-0200-0000D0EDF9E2}\Mail\Folders on MSN - Inbox.MailDB/[From LWood7824 <[email protected]>][Date 11 Feb 2003 13:54:19 -0800]/UNNAMED/gra-kingsize[1].scr
-------------------------------------------------------------------------------------------------------------------------

This entry mentions Microsoft Outlook 5...

C:\Documents and Settings\Owner\Application Data\MSN6\UserData\{C1C74730-FC8F-01C1-0200-0000D0EDF9E2}\Mail\Folders on MSN - Inbox.MailDB Mail MS Outlook 5
so try to find it in Outlook5 or on MSN and delete it.
-------------------------------------------------------------------------------------------------------------------------

This one appears to be in Sent Items.dbx so it may be easier to track down via the file path. This time, the program in question is Outlook Express.

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Sent Items.dbx/[From "Juleski" <[email protected]>][Date Mon, 9 Jun 2003 20:32:34
--------------------------------------------------------------------------------------------------------------------------

If you still have the SmitfraudFix tool on your system, please delete it and download the newest version and run Option #1:

Download *SmitfraudFix* (by *S!Ri*)
Extract the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

-------------------------------------------------------------------------------------------------------------------------

Finally, please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report.
*Note:* You have to use Internet Explorer to do the online scan.

So once that is finished please post the *rapport.txt* from SmitfraudFix, the *Panda* Active Scan report, and a new *HijackThis log*.


----------



## juleski32 (Apr 25, 2004)

I had trouble deleting the Quarantined items (I was finally able to get all except a folder named "Portal", which had no contents). As for the Outlook5 - I don't have Outlook5 or MSN e-mail on this system, that I know of. I deleted the files out of Outlook Express, I hope.

Here are the reports. Thanks

SmitFraudFix v2.123

Scan done at 22:24:00.10, Tue 11/21/2006
Run from C:\Documents and Settings\Owner\My Documents\Virus problems\2006 Virus Problems\Tech Support Help\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Panda Report:

Incident Status Location

Adware:adware/ncase  Not disinfected c:\windows\didduid.ini 
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay 
Adware:adware/delta Not disinfected Windows Registry 
Adware:adware/iesearchbar Not disinfected Windows Registry 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt 
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\My Documents\Virus problems\2006 Virus Problems\SmitfraudFix.zip[SmitfraudFix/Process.exe] 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\My Documents\Virus problems\2006 Virus Problems\Tech Support Help\SmitfraudFix\Process.exe 
Potentially unwanted tool:Application/Processor  Not disinfected C:\Documents and Settings\Owner\My Documents\Virus problems\2006 Virus Problems\Tech Support Help\SmitfraudFix.zip[SmitfraudFix/Process.exe] 
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe 
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe 
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe 
Adware:Adware/Startpage.ACO Not disinfected C:\Program Files\Pinnacle\InstantCDDVD\InstantAudio\datrans.DE 
Adware:Adware/Startpage.ACO Not disinfected C:\Program Files\Pinnacle\InstantCDDVD\InstantCopy\datrans.DE 
Adware:Adware/Startpage.ACO Not disinfected C:\Program Files\Pinnacle\InstantCDDVD\InstantMusic\datrans.DE 
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Program Files\Program Files\Kazaa\bdcore.dll 
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-3826821714-1582333133-359561344-1003\Dc45\Process.exe 
Potentially unwanted tool:Application/MyWay Not disinfected C:\unzipped\hijackthis\backup-20031201-210703-820.dll


----------



## juleski32 (Apr 25, 2004)

Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:12:34 PM, on 11/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Easy Upload Tools\Drivers\Spooler\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Gear Security Service (GearSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
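
Added here as a worked example (not code from the thread, from kdd9, or from HijackThis itself): a Python parser for the HJT 1.99.1 entry format in the log above, turning R0/O2/O3/O4/O16/O20/O23 lines into records a helper can count, group and cross-reference. The sample lines are constructed copies of entries from that log, including a header and process-list line to show they are skipped.

```python
"""Parse HijackThis 1.99.1 log entries (R0, O2, O3, O4, O16, O20, O23 ...) into records."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a header line and one "Running processes" path (both skipped by
# the parser) plus entries in the same format as the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
COM_RE = re.compile(rf"^(.*?) - ({CLSID}) - (.*)$")         # O2/O3/O9: name - {CLSID} - path
DPF_RE = re.compile(rf"^({CLSID})(?: \((.*?)\))? - (.*)$")  # O16: {CLSID} (name) - url
RUN_RE = re.compile(r"^\[(.*?)\] (.*)$")                    # O4 Run key: [name] command
LNK_RE = re.compile(r"^(.*?) = (.*)$")                      # O4 Global Startup: x.lnk = command
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|scr|com|bat))', re.IGNORECASE)


@dataclass
class Entry:
    code: str             # section code, e.g. "O4"
    kind: str             # section label, e.g. "BHO", "HKLM\..\Run", "Service"
    name: str             # display name (or registry value name for Rn lines)
    clsid: Optional[str]  # CLSID for COM-registered items (O2/O3/O9/O16)
    path: Optional[str]   # program image, DLL path or URL the entry points at
    raw: str              # the original log line


def image_from_command(command: str) -> str:
    """Return the program image from an O4 command line, dropping quotes and arguments."""
    m = IMAGE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT entry line into an Entry; header and process-list lines yield None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.groups()
    if code.startswith("R"):
        # Rn: <registry key>,<value name> = <data>
        key, _, data = body.partition(" = ")
        return Entry(code, "Registry", key.rsplit(",", 1)[-1], None, data, line)
    kind, _, rest = body.partition(": ")
    if code in ("O2", "O3", "O9"):
        mm = COM_RE.match(rest)
        if mm:
            return Entry(code, kind, mm.group(1), mm.group(2), mm.group(3), line)
    elif code == "O4":
        mm = RUN_RE.match(rest) or LNK_RE.match(rest)
        if mm:
            return Entry(code, kind, mm.group(1), None, image_from_command(mm.group(2)), line)
    elif code == "O16":
        mm = DPF_RE.match(rest)
        if mm:
            return Entry(code, kind, mm.group(2) or "", mm.group(1), mm.group(3), line)
    elif code in ("O20", "O23"):
        # O20: name - path        O23: name (short) - company - path
        parts = rest.split(" - ")
        return Entry(code, kind, parts[0], None, parts[-1], line)
    # Anything else (O12 plugins, unusual layouts): keep the text without structured fields
    return Entry(code, kind, rest, None, None, line)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_by_code(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for e in entries:
        counts[e.code] += 1
    return dict(counts)


def paths_by_entries(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Index file paths (case-folded) to the entries that load them, so one DLL registered
    as both BHO and toolbar, or one EXE started from several places, shows up together."""
    index: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        if e.path and not e.path.lower().startswith("http"):
            index[e.path.lower()].append(e)
    return dict(index)


def bare_image_entries(entries: List[Entry]) -> List[Entry]:
    """O4 entries whose image is a bare file name: Windows locates it via the search
    path at logon, so the log alone does not say which file on disk actually runs."""
    return [e for e in entries
            if e.code == "O4" and e.path and "\\" not in e.path and ":" not in e.path]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for code, n in sorted(count_by_code(entries).items()):
        print(f"{code}: {n} entries")
    for e in bare_image_entries(entries):
        print(f"O4 [{e.name}] starts a bare image name: {e.path}")
    for path, refs in paths_by_entries(entries).items():
        if len(refs) > 1:
            print(f"{path} is referenced by {', '.join(r.code for r in refs)}")
```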


----------



## juleski32 (Apr 25, 2004)

Also, it seems the searches are being redirected once again.
For example, I searched for registry repair and a Microsoft support site came up. I clicked on it and was sent to:
http://www.toseeka.com/search.php?q=Fix_Registry&source=look_r+043+001_keyword_Fix_Registry

Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:12:34 PM, on 11/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Easy Upload Tools\Drivers\Spooler\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Gear Security Service (GearSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe


----------



## kdd9 (Mar 25, 2005)

Again, you will want to keep Windows Defender disabled during this part.
--------------------------------------------------------------
Open up the Control Panel, click Add/Remove Programs, find *MyWay Search Bar, MyWay,* or any other MyWay listing, and, if present, click it once to highlight it, then click "Remove" to uninstall it.
Repeat for any *Kazza* entries, and *iesearchbar* entries.

Next, we need to set XP to show all files:
To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Put a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the Hidden files and folders section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.
-------------------------------------------------------------

Please print out the following instructions or copy them to Notepad as you will not have internet access from Safe Mode:

Now, boot the computer into Safe Mode

1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Choose your usual account.
4. Select the option for Safe Mode using the arrow keys.
5. Then press enter on your keyboard to boot into Safe Mode.

Next, using Windows Explorer, locate and delete the following folders marked in *bold* and delete them if present. Delete ONLY the part in bold:

C:\PROGRAM FILES\*MyWay*

C:\PROGRAM FILES\*IESEARCHBAR*

C:\Program Files\Program Files\*Kazaa*

Then, locate this folder:
C:\Documents and Settings\Owner\*Cookies*
but instead of deleting it, open it up, and delete all of the items in there. ("Edit" button > "Select All" > "Edit" button > "Delete")
-------------------------------------------------------------
Next, using Explorer again, locate and delete the following _files_ marked in *bold* if present:

c:\windows\*didduid.ini*

C:\Program Files\Pinnacle\InstantCDDVD\InstantAudio\*datrans.DE*

C:\Program Files\Pinnacle\InstantCDDVD\InstantCopy\*datrans.DE*

C:\Program Files\Pinnacle\InstantCDDVD\InstantMusic\*datrans.DE*

*Run CCleaner:*

* Double-click its desktop icon to open the program.
* Click the "Options" button, then click "Advanced".
* _Un_check, "Only delete files in Windows Temp folders older than 48 hours".
* Click the "Cleaner" button (where the brush is.)
* Click the "Run Cleaner" button.
* Click "OK" to proceed.
* Let it scan and clean until it's finished, and when it says, "Cleaning complete" in the status window, exit the program.
_Note: Please do not use the "Issues" button on CCleaner as this may lead to problems._

Reboot to Normal Mode

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

I would like to see an uninstall list from HijackThis too please.

* Open up HijackThis again.
* Click on "Open the Misc Tools section".
* Click on "Open Uninstall Manager".
* Click on "Save list".
* Save it to your Desktop.
* Copy and paste the list in your next reply.

So please post the following:

* Combofix log
* HijackThis uninstall list
* New HijackThis log
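
kdd9's checklist ends by asking for a fresh HijackThis log, which a helper then reads line by line. As an added example that is not from this thread, from HijackThis or from any of the tools named here, the Python script below parses the line shapes that appear in the logs posted above (R0, O2/O3, O4, O16, O23) into records and attaches three review hints: a Run entry that names a bare file with no directory (Windows resolves it by PATH search, so the file that really runs has to be located by hand), a program or DLL outside the usual Program Files and Windows roots, and an ActiveX control (O16) fetched over plain HTTP. The `HjtEntry` record, the flag names and the `STANDARD_ROOTS` list are assumptions of this example; the sample lines are copied from the logs in this thread. A hint marks an entry for a person to look at, not a verdict: several of the lines it flags here belong to legitimate OEM software.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HjtEntry:
    """One parsed HijackThis log line (record layout is an assumption of this example)."""
    kind: str                  # HijackThis section, e.g. "O4", "O16", "O23"
    name: str                  # run-key name, service name, DPF control name, ...
    target: str                # full command line, file path or URL exactly as logged
    executable: Optional[str]  # file that actually loads, when it can be derived
    flags: List[str] = field(default_factory=list)  # review hints (names assumed here)


# Line shapes that occur in the logs posted in this thread; anything else is skipped.
R_RE = re.compile(r"^(?P<kind>R[0-3]) - (?P<key>.*?) = (?P<value>.*)$")
O2O3_RE = re.compile(
    r"^(?P<kind>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<hive>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")

# Assumed "expected" install roots (8.3 form included); a path elsewhere deserves a look,
# it is not by itself evidence of malware.
STANDARD_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def executable_of(command: str) -> str:
    """Strip switches from a Run command line and return the program that is launched."""
    cmd = command.strip()
    if cmd.startswith('"'):                      # "C:\path with spaces\app.exe" -switch
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)  # C:\path with spaces\app.exe /switch
    if m:
        return cmd[:m.end()]
    return cmd.split(" ")[0]


def flag_executable(path: str) -> List[str]:
    """Review hints for a program or DLL path."""
    flags: List[str] = []
    if "\\" not in path:
        # No directory: resolved by PATH search, so locate the real file before judging it.
        flags.append("bare-filename")
    elif not path.lower().startswith(STANDARD_ROOTS):
        flags.append("outside-standard-dirs")
    return flags


def parse_line(line: str) -> Optional[HjtEntry]:
    line = line.rstrip()
    m = R_RE.match(line)
    if m:
        return HjtEntry(m["kind"], m["key"], m["value"], None)
    m = O2O3_RE.match(line)
    if m:
        return HjtEntry(m["kind"], m["name"], m["path"], m["path"], flag_executable(m["path"]))
    m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
    if m:
        exe = executable_of(m["cmd"])
        return HjtEntry("O4", m["name"], m["cmd"], exe, flag_executable(exe))
    m = O16_RE.match(line)
    if m:
        url = m["url"]
        flags = ["plain-http"] if url.lower().startswith("http:") else []
        return HjtEntry("O16", m["name"] or m["clsid"], url, None, flags)
    m = O23_RE.match(line)
    if m:
        return HjtEntry("O23", m["name"], m["path"], m["path"], flag_executable(m["path"]))
    return None


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def summarize(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """Group flagged entries by hint so a helper sees what to check first."""
    report: Dict[str, List[str]] = {}
    for e in entries:
        for f in e.flags:
            report.setdefault(f, []).append(f"{e.kind} {e.name}")
    return report


# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for entry in parsed:
        print(f"{entry.kind:<4}{entry.name:<45}{entry.executable or entry.target}  {entry.flags}")
    print(summarize(parsed))
```

Run it against a whole saved log by replacing `SAMPLE_LOG` with the file's contents; the "Running processes" block and truncated lines fall through `parse_line` and are ignored. On the sample, `CTHELPER.EXE` is flagged as a bare filename, `C:\HP\KBD\KBD.EXE` as outside the standard roots, and the WGA control as a plain-HTTP download; all three are ordinary on an HP machine of this era, which is exactly why the output is a reading list for the helper rather than a fix list.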


----------



## juleski32 (Apr 25, 2004)

I was not able to find the MYWAY, IESEARCHBAR or KAZAA in Add/Remove Programs or in Windows Explorer (I did a complete system search as well and nothing came up).

I did delete all Cookies, except for an item named 'index.dat'. I received the message that the file was in use and it could not be deleted (no other windows were open and I had just brought the system up).

Here is the combofix report:

Owner - 06-11-24 20:29:05.53 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Owner\My Documents\Virus problems\2006 Virus Problems\Tech Support Help\Round 2"

((((((((((((((((((((((((((((((( Files Created from 2006-10-24 to 2006-11-24 ))))))))))))))))))))))))))))))))))

2006-11-24	20:19 dr-h-----	C:\Documents and Settings\Owner\Recent
2006-11-23	12:22 d---s----	C:\Documents and Settings\Owner\Cookies
2006-11-22	19:53 d--------	C:\Program Files\Sunbelt Software
2006-11-22	19:45 d--------	C:\Program Files\BillP Studios
2006-11-22	19:45 d--------	C:\Documents and Settings\Owner\Application Data\WinPatrol
2006-11-21	22:06 d--------	C:\WINDOWS\SYSTEM32\ActiveScan
2006-11-19	20:20 d--------	C:\WINDOWS\SYSTEM32\Kaspersky Lab
2006-11-19	13:09 d--------	C:\Program Files\CCleaner
2006-11-19	12:50	3,968	--a------	C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2006-11-19	12:50 d--------	C:\Program Files\Grisoft
2006-11-17	20:29 d--------	C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-11-17	18:48 d--------	C:\Program Files\SpywareBlaster
2006-11-17	18:10	4,668	--a------	C:\WINDOWS\SYSTEM32\tmp.reg
2006-11-16	16:22 d--------	C:\a0705196800f7750e2
2006-11-12	18:23 d--------	C:\Program Files\Hijackthis
2006-11-12	16:59 d--------	C:\!KillBox
2006-11-12	13:55 d--------	C:\Program Files\Windows Defender
2006-11-12	11:55 d--------	C:\Program Files\Spyware Doctor
2006-11-04	14:14	1,245,696	--a------	C:\WINDOWS\SYSTEM32\msxml4.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-24 20:26	--------	d-a------	C:\Program Files\Common Files
2006-11-24 20:26	--------	d--------	C:\Program Files\Common Files\Symantec Shared
2006-11-22 07:05	--------	d--------	C:\Program Files\WinZip
2006-11-22 07:03	--------	d--------	C:\Program Files\SymNetDrv
2006-11-22 07:03	--------	d--------	C:\Program Files\Symantec
2006-11-21 23:28	--------	d--------	C:\Program Files\Norton Personal Firewall
2006-11-21 23:21	--------	d--------	C:\Program Files\Internet Explorer
2006-11-21 23:19	--------	d--------	C:\Program Files\Google
2006-11-21 23:19	--------	d--------	C:\Program Files\FinePixViewer
2006-11-21 22:34	--------	d--------	C:\Documents and Settings\Owner\Application Data\Symantec
2006-11-21 21:58	--------	d--------	C:\Documents and Settings\Owner\Application Data\Identities
2006-11-21 21:27	--------	d--------	C:\Program Files\MSN
2006-11-17 20:54	--------	dr-------	C:\Program Files\Program Files
2006-11-17 20:29	--------	d--------	C:\Program Files\Lavasoft
2006-11-12 13:55	--------	d--------	C:\Program Files\Common Files\Microsoft Shared
2006-11-12 12:45	--------	d--------	C:\Program Files\WeiserWare
2006-11-03 19:22	--------	d--------	C:\Program Files\Java
2006-10-13 04:35	142336	--a------	C:\WINDOWS\SYSTEM32\nwprovau.dll
2006-09-12 21:01	1084416	--a------	C:\WINDOWS\SYSTEM32\msxml3.dll
2006-08-25 07:45	617472	--a------	C:\WINDOWS\SYSTEM32\comctl32.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\AHEADN~1\\Ahead\\data\\Xtras\\mssysmgr.exe"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"USB"="C:\\WINDOWS\\system32\\usb.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"TPP Auto Loader"="C:\\WINDOWS\\TPPALDR.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"PinnacleDriverCheck"="C:\\WINDOWS\\System32\\PSDrvCheck.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"mmtask"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"ZingSpooler"="C:\\Program Files\\Easy Upload Tools\\Drivers\\Spooler\\ZingSpooler.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunServer"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\DSS]
@="C:\\WINDOWS\\\\BBStore\\DSS\\dssagent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="\"C:\\WINDOWS\\system32\\msiexec.exe\" /L*v C:\\WINDOWS\\TEMP\\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="\"C:\\WINDOWS\\system32\\msiexec.exe\" /L*v C:\\WINDOWS\\TEMP\\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DDCActiveMenu"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WildTangent\\DDC\\ActiveMenu\\DDCActiveMenu.exe\" -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DDCMan"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WildTangent\\DDC\\DDCManager\\DDCMan.exe\" -Background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpsysdrv"
"hkey"="HKLM"
"command"="c:\\windows\\system\\hpsysdrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="S3tray2"
"hkey"="HKLM"
"command"="S3tray2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AutoStarterR"
"hkey"="HKLM"
"command"="C:\\Program Files\\Zero Knowledge\\Freedom\\AutoStarterR.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]	
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis entries set to ignore ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

O2 - BH
O2 - BH
O2 - BH
O4 - HKLM\..\Run: [Iomega Startup 
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ATTBroadbandClient] C:\Program Files\AT&T\BBClient\Programs\RegCon.exe /admincheck
O4 - HKLM\..\Run: [ATTBroadbandUpdate] C:\Program Files\AT&T\BBClient\Programs\SAUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PR
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WIND
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash 
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-24 20:32:59.53 
C:\ComboFix.txt ... 06-11-24 20:32

HJT Uninstall log:
24 Games for Windows 95
Ad-Aware SE Personal
Adobe Acrobat 4.0, 5.0
Agfa ScanWise 1.02
Alchemy and Bejeweled Pack
AVG Anti-Spyware 7.5
Blasterball Wild
Cakewalk Pyro 2003
ccCommon
CCleaner (remove only)
Creative Jukebox Driver
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Micro
Cypress USB Mass Storage Driver Installation
Dark Orbit
Detto IntelliMover
DiMAGE Viewer
Disc API
Disc API
EA.com Matchup
EA.com Update
Easy Internet Sign-up
Family Tree Maker 7.0
FinePixViewer Ver.3.2
FUJIFILM USB Driver
Fujifilm USB MemoryCard ReaderWriter
GemMaster 2
Google Earth
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hijackthis 1.99.1
HijackThis 1.99.1
hp center
hp deskjet 845c series
hp deskjet 845c series (Remove only)
HP Instant Support
HP RecordNow
ImageStation Easy Upload Tools
Inactive HP Printer Drivers (Remove only)
InterActual Player
Internet Worm Protection
InterVideo WinDVD 4
Iomega Backup 4.1
IomegaWare
ItsDeductible Express
iTunes
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Kai's Power Goo SE
Kaspersky Online Scanner
KazooStudio
KBD
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Magic 3D Coloring Book Amazing Animals
MarketBrowser
MediaFACE II
Microsoft .NET Framework 1.1
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office 2000 SR-1 Professional
Microsoft Plus! Dancer LE
Microsoft Web Publishing Wizard 1.52
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
MicroStaff WINASPI
Monopoly Star Wars
MSN Internet Software
MSN Music Assistant
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MUSICMATCH® Jukebox
My Photo Center
Napster
NAVShortcut
neoDVDstandard
Nero PhotoShow Express
Nero Suite
NoAdware 2.0
NoAdware v4.0
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Personal Firewall
Norton Protection Center
Norton WMI Update
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
PartyPoker
PC-Doctor for Windows
PigPen
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
Quicken Financial Center
QuickTime
Real RM Converter v1.10
RealPlayer
Registrar Lite 2.00
Rhapsody
Rio Internet Update
Rio Music Manager
Rio Taxi
RoadRash
Roxio Burn Engine
S3 Gamma
S3 Savage4 Family Display Switch2 Utility
SabreWing 2
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Shockwave
SmartFix (remove only)
Sonic Foundry Super Duper Music Looper XPress
Sound Blaster Audigy 2
Space Rocks
SPBBC
Speedway
SpySubtract
SpywareBlaster v3.5.1
Sunbelt CounterSpy
SureThing CD Labeler - Stomper Edition 32 bit
Symantec
Symantec Network Driver Update
Tcl 8.0.5 for Windows
The Print Shop 20
TPP Storage Driver Installation
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax ItsDeductible 2005
Ulead iPhoto Express 1.1
Ultimate Mahjongg
Uno(TM) CD-Rom
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
USB
USB Storage Adapter (TPP)
USB Storage Adapter FX (SM1)
USB Storage Adapter V2 (TPP)
USB Storage Adapter V3 (TPP)
Vegas Games®
WexTech AnswerWorks
WildTangent Channel Manager
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Series Winter Fun Pack
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
WordPerfect Office 2002 Try Before You Buy
WordPerfect Office 2002 Try Before You Buy
Yahoo! Auto Outlook Import
Yahoo! Photos Easy Upload Tool


----------



## juleski32 (Apr 25, 2004)

Here's the updated HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:37:08 PM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Easy Upload Tools\Drivers\Spooler\ZingSpooler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Gear Security Service (GearSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe


----------



## kdd9 (Mar 25, 2005)

Got it. Thanks juleski32. I'll need a little time to go through the ComboFix log and have it checked.
Be back as soon as possible.


----------



## juleski32 (Apr 25, 2004)

Thanks. One more thing that I am now noticing is that when the searches are being re-directed, the address of "67-29-139-199/click/?affiliate" shows up briefly in the address bar before I am redirected to the other search pages. I looked up the site and it belongs to "abcsearch", which is another search engine. Not sure if that helps any.

I also downloaded Internet Explorer 7.0 last night, as the system has been running really, really slow. Nothing changed.


----------



## kdd9 (Mar 25, 2005)

Okay, I finally made it back. Sorry for the delay. Holidays can be like that.

Thanks for the additional information. That may prove to be very useful.
Don't worry about the index.dat file that wouldn't delete; that is normal.

Please open the Control Panel, choose "Add/Remove Programs", find and remove the following by clicking the entry once to highlight it, then clicking the Remove button to uninstall it:

J2SE Runtime Environment 5.0 Update 6
MarketBrowser
NoAdware 2.0
NoAdware v4.0
PartyPoker

and these below are optional removals -- leave them only if you feel that you just can't do without them -- they are risky as are many free downloads:

Vegas Games®
WildTangent Channel Manager

Then close the Add/Remove Programs window and the Control Panel window.

Now click the Start button and then click My Computer.
Double-click on Local Disk ( C: ).
Double-click on Program Files.
Find the folder for Market Browser, right-click on it and from the menu click Delete. (Click Yes if prompted to confirm deletion.)
Repeat for the following folders in Program Files if present:

NoAdware 2.0
NoAdware v4.0
PartyPoker
MyWay (Any folder with myway in the name)
IESEARCHBAR
Kazaa

And if you chose to remove Vegas Games and/or WildTangent you can delete these folders too:

Vegas Games® 
WildTangent

Next, hit the back button in the upper left-hand corner and you will be back to ( C: ) where you should see the Windows folder. Double-click on it.
Find the folder for bbstore, right-click on it and delete it.

(I hope you are not too attached to PartyPoker. It is considered a very risky site and is on IE SpyAd's restricted list.
Here are links to some poker sites regarded as safe, for your reference.)

* http://www.pokerstars.net/ - This is a free-to-use/play site.
* http://www.pokerstars.com - This is the paid-for version.

-----------------------------------------------------------------------------------------------

Next, please *download* the *Killbox by Option^Explicit*.

*Note: In the event you already have Killbox, this is a new version that I need you to download.*

*Save* it to your *desktop*.
Please double-click *Killbox.exe* to run it.
Select *Delete on Reboot*, then *click* on the *All Files* button.

Please *copy the file path below to the clipboard* by highlighting *ALL* of it and *pressing CTRL + C* (or, after highlighting, right-click and choose Copy):

*C:\WINDOWS\SYSTEM32\tmp.reg*

Return to Killbox, go to the *File* menu, and choose *Paste from Clipboard*.

Click the red-and-white *Delete File* button. Click *Yes* at the Delete on Reboot prompt. Click *OK* at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

_*If your computer does not restart automatically, please restart it manually*_.

_If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again._

-----------------------------------------------------------------------------------------------

It's always a good idea to back up the registry before making any changes to it. If everything is OK after a few days, and you do not wish to keep the registry backup file, you can delete it.

At the taskbar, click Start|Run. Type *Regedit* and press Return. The registry editor opens.
On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Now copy and paste the contents of the Code box below into Notepad. It must be Notepad, not Wordpad.
Make sure that there is NO space before "REGEDIT4".
Make sure that there _is_ a blank line at the bottom or the fix will not work.


```
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\DSS]

```
Click "File" > "Save As" and save the file as *fix.reg*
Choose to save as type *all files* and save it to the desktop.
Now, double-click on the new *fix.reg* icon on the desktop and when it asks you if you want to merge the contents into the registry, click *yes/ok.*

Reboot the pc once more to Normal Mode.

That took care of some things that needed to go. Now to address the specific issue of the browser redirects:

The IP address you mentioned (67.29.139.199) is a known search hijacker (abcsearch) and is dealt with by installing the MVPS HOSTS file. That is what you need to do next.
Here is a link for the download of the MVPS HOSTS file and instructions. It is very simple and takes only seconds to do. You don't really need to get concerned with the technical data on the page (although it may be worth a read later); just click on hosts.zip, download it, unzip it, and double-click on the mvps.bat file that it creates. That's it.

Then please download DelDomains.inf, made by Winhelp2002. Right-click and select "Save Target As".
To use: right-click and select "Install" (no need to restart).
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

_Note: if you use SpywareBlaster and/or IESpyad, it will be necessary to re-install the protection both provide. For SpywareBlaster, run the program and 're-enable all protection'. For IESpyad, run the batch file and reinstall the protection._

Now, one last thing. ComboFix shows this folder on ( C: ) drive:

C:\a0705196800f7750e2

We may want to delete it, but I'd like to know what's in it first, so, if you would please:
*Start > My Computer*
Double-click on *Local Disk ( C: )*
Find that folder (a0705196800f7750e2), double-click on it and see what's inside. It may be a text file like msxml4-KB927978-enu.log or something, but do let me know what the folder contains and we'll take it from there.

Also please describe how the pc is behaving once that is all done.

If you need help or have a question on any of the above, don't hesitate to ask.
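As an added example (not code from this thread or from the MVPS/Winhelp2002 project), here is a small Python audit of a Windows HOSTS file that checks the two things the fix above depends on: that the hijacker hostnames are actually sinkholed (mapped to 0.0.0.0 or 127.0.0.1, which is how the MVPS file blocks them) and that no entry points the search engines themselves anywhere, since a redirector can abuse the same file. The HOSTS text, hostnames and 192.0.2.x addresses are constructed samples.

```python
"""Audit a Windows HOSTS file for search-redirect hijacks (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Addresses that make a hostname unreachable rather than redirecting it.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample in the MVPS layout (not the real file); the 192.0.2.10 line
# imitates the kind of entry a redirector would inject.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1\tlocalhost
0.0.0.0 www.abcsearch.com      # hijacker named in the thread, sinkholed
0.0.0.0 abcsearch.com
0.0.0.0 ads.example-tracker.test
192.0.2.10 www.google.com      # constructed redirect entry
this line is malformed
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lower-cased) to every address the file gives it, in order.

    Comments (#...), blank lines and lines whose first field is not an IP address
    are skipped, as the resolver ignores them too.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(fields[0])
    return mapping


def is_sinkholed(mapping: Dict[str, List[str]], hostname: str) -> bool:
    """True only if the hostname is present and every entry for it is a sinkhole address.

    A hostname with both a 0.0.0.0 line and a real address is not safe (the resolver
    may use the real one), so the mixed case reports as not sinkholed.
    """
    addrs = mapping.get(hostname.lower(), [])
    return bool(addrs) and all(a in SINKHOLE_IPS for a in addrs)


def find_hijacks(mapping: Dict[str, List[str]], protected: List[str]) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs for protected hostnames that appear in HOSTS at all.

    A clean HOSTS file should not resolve Google/MSN/Yahoo itself: a non-loopback
    address redirects the user, a sinkhole address silently breaks search.
    """
    hits: List[Tuple[str, str]] = []
    for name in protected:
        for addr in mapping.get(name.lower(), []):
            hits.append((name.lower(), addr))
    return hits


def audit(text: str, blocked: List[str], protected: List[str]) -> Dict[str, object]:
    """Run both checks and return a report dict."""
    mapping = parse_hosts(text)
    return {
        "entries": sum(len(v) for v in mapping.values()),
        "not_sinkholed": [h for h in blocked if not is_sinkholed(mapping, h)],
        "hijacks": find_hijacks(mapping, protected),
    }


if __name__ == "__main__":
    # On a real machine read pathlib.Path(r"C:\WINDOWS\system32\drivers\etc\hosts").read_text()
    report = audit(
        SAMPLE_HOSTS,
        blocked=["www.abcsearch.com", "abcsearch.com", "ads.example-tracker.test"],
        protected=["www.google.com", "search.msn.com", "search.yahoo.com"],
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```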


----------



## juleski32 (Apr 25, 2004)

I tried to remove the Wild Tangent folder through Add/Remove, but a screen popped up asking me if it was OK to delete Nero PhotoShow Express. When I went in through Windows Explorer, the contents of the Wild Tangent folder were just games - nothing to do with Nero. I went ahead and deleted the folder through W. E.

Killbox worked without a problem.

Looks like you forgot to include the link for the MVPS file, but I found the website and clicked on hosts.zip as you instructed (the page I went to was : http://www.mvps.org/winhelp2002/hosts.htm).

The strange C:\a070519xxxxx file did have the log you guessed (named exactly what you said in your example). It is a really long log, so I copied just part of it so you could see it. I'll follow up in a bit and let you know how everything is running. Thanks a lot for your help. My husband may be let out of the doghouse before Christmas.

juleski32

MSI (s) (2C:28) [16:22:49:953]: PROPERTY CHANGE: Modifying WindowsFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINDOWS\'. Its new value: 'c:\WINDOWS\'.
MSI (s) (2C:28) [16:22:49:953]: PROPERTY CHANGE: Modifying SystemFolder.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its current value is 'C:\WINDOWS\system32\'. Its new value: 'c:\WINDOWS\system32\'.
MSI (s) (2C:28) [16:22:49:953]: PROPERTY CHANGE: Adding WinSxsDirectory.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\'.
MSI (s) (2C:28) [16:22:49:953]: PROPERTY CHANGE: Adding policydir_ul.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\'.
MSI (s) (2C:28) [16:22:49:953]: PROPERTY CHANGE: Adding WinSxsPolicies.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Policies\'.
MSI (s) (2C:28) [16:22:49:953]: PROPERTY CHANGE: Adding policydir.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Policies\x86_Microsoft.MSXML2_6bd6b9abf345378f_x-ww_b261cf09\'.
MSI (s) (2C:28) [16:22:49:953]: PROPERTY CHANGE: Adding WinSxsManifests.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\Manifests\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Adding payload.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Adding payload_ul.7B2FCEFF_0F22_B7E1_FF6B_D6B9ABF34537 property. Its value is 'c:\WINDOWS\winsxs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Modifying SystemFolder.FA0F135B_0C6B_485B_9A27_5A4A5044D5AB property. Its current value is 'C:\WINDOWS\system32\'. Its new value: 'c:\WINDOWS\system32\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Modifying SystemFolder.781A0624_31FF_4712_BFFD_31C829FFDBF1 property. Its current value is 'C:\WINDOWS\system32\'. Its new value: 'c:\WINDOWS\system32\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Modifying SystemFolder.246EB7AD_459A_4FA8_83D1_41A46D7634B7 property. Its current value is 'C:\WINDOWS\system32\'. Its new value: 'c:\WINDOWS\system32\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Modifying DesktopFolder property. Its current value is 'C:\Documents and Settings\All Users\Desktop\'. Its new value: 'c:\Documents and Settings\All Users\Desktop\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Modifying ProgramFilesFolder property. Its current value is 'C:\Program Files\'. Its new value: 'c:\Program Files\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Adding MSXML property. Its value is 'c:\Program Files\MSXML 4.0\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Adding INC.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Program Files\MSXML 4.0\inc\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Adding LIB.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Program Files\MSXML 4.0\lib\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Adding DOC.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Program Files\MSXML 4.0\doc\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Modifying ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its current value is 'C:\Documents and Settings\All Users\Start Menu\Programs\'. Its new value: 'c:\Documents and Settings\All Users\Start Menu\Programs\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Adding MenuMSXML.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is 'c:\Documents and Settings\All Users\Start Menu\Programs\MSXML 4.0\'.
MSI (s) (2C:28) [16:22:49:968]: PROPERTY CHANGE: Modifying DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its current value is 'C:\Documents and Settings\All Users\Desktop\'. Its new value: 'c:\Documents and Settings\All Users\Desktop\'.
MSI (s) (2C:28) [16:22:49:968]: Target path resolution complete. Dumping Directory table...
MSI (s) (2C:28) [16:22:49:968]: Note: target paths subject to change (via custom actions or browsing)
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: TARGETDIR	, Object: c:\
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: WindowsFolder	, Object: c:\WINDOWS\
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: CommonFilesFolder	, Object: c:\Program Files\Common Files\
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: MicrosoftShared.3FB7DAB3_19E7_40A0_8730_4482CE77AC59	, Object: c:\Program Files\Common Files\Microsoft Shared\
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: MSDN.3FB7DAB3_19E7_40A0_8730_4482CE77AC59	, Object: c:\Program Files\Common Files\Microsoft Shared\MSDN\
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537	, Object: c:\WINDOWS\
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537	, Object: c:\WINDOWS\system32\
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: WinSxsDirectory.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537	, Object: c:\WINDOWS\winsxs\
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: policydir_ul.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537	, Object: c:\WINDOWS\winsxs\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_ff05e224\
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: payload.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537	, Object: c:\WINDOWS\winsxs\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_ff05e224\
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: WinSxsManifests.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537	, Object: c:\WINDOWS\winsxs\Manifests\
MSI (s) (2C:28) [16:22:49:968]: Dir (target): Key: WinSxsPolicies.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537	, Object: c:\WINDOWS\winsxs\Policies\


----------



## juleski32 (Apr 25, 2004)

The system is now dead-slow. Internet Explorer is pretty much useless (using my laptop now). I'll try getting a new HJT log run and posted, but that may prove to be a difficult task. It's a good 2-3 minutes before pages move forward or backwards. 

Also, when a new window pops open and I try to move it, it echoes all over the screen (multiplies itself as I move the box and prevents me from seeing other windows that are open).

I tried shutting down twice and both times required me to unplug the unit as I could not get the shutdown or reset to work. When I brought the system back up, it told me that I have new hardware installed (nothing is connected, except the printer and the printer is already showing as being installed; I did not run the recommended Install Wizard because I had no idea what it was trying to install, considering the current state of the system).


----------



## juleski32 (Apr 25, 2004)

To give you an idea of how slow the system is now running, HJT took about 15 minutes to run. Another 30 minutes to get back to this page. Reading up on the MVPS page, I see that a large HOSTS file makes XP run slower. I'll try the fix that they recommend.

Here's the newest HJT log. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:13:09 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?ie=UTF-8&oe=UTF-8&hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Easy Upload Tools\Drivers\Spooler\ZingSpooler.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Gear Security Service (GearSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe


----------



## juleski32 (Apr 25, 2004)

Performed the fix recommended on the MVPS website and the system is now running similarly, speed-wise, to how it was running yesterday (moderate speed, still not as fast as it was running before all of this started happening a couple of weeks ago). But at least it is not dead-slow anymore.

Still being re-directed to other search sites once I click on a link that comes up in my Google search (example: I do a Google search for frames, a million pages come up, I click on the first link for 'framesrus' and I am re-directed to another search site, which is supplying me with different links). Now the search address looks to be: 85.255.116.222


----------



## kdd9 (Mar 25, 2005)

I guess I did overlook that link. Glad you got the HOSTS file installed.
The *C:\a0705196800f7750e2* file won't bother anything so we can just leave it.
O.K. on WildTangent.
That IP address indicates a possible Wareout infection. I don't know why it's not showing in any of the logs. May be a new variant.
Let's try this:

First, please disable your Symantec Script Blocking from within your Norton so it does not interfere with anything during our fixes now or later. You can enable this whenever we have verified that your system is clean.
To disable Norton AntiVirus Script Blocking:

1. Start Norton AntiVirus.
If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
2. Click Options.
If you see a menu, click Norton AntiVirus.
3. In the left pane, click Script Blocking.
4. In the right pane, uncheck Enable Script Blocking (recommended).
5. Click OK.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure *"Run fixit"* is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

Now let's check some settings on your system.
*(2000/XP) Only*
In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to "Start" > "Run", type *cmd*, and hit "OK".
Type
*ipconfig /flushdns*
then hit Enter; then type exit and hit Enter.
(that space between g and / is needed)

Also, please describe how the pc is behaving now.


----------
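The DNS step kdd9 describes above (put the adapter back on automatic DNS, then flush the cache) can be verified afterwards from `ipconfig /all`. The script below is an added example, not code from this thread, FixWareout or HijackThis; it parses a constructed XP-style `ipconfig /all` sample and uses a placeholder expected-resolver set (192.168.1.1), and only the 85.255.116.222 address comes from the thread.

```python
"""Flag hijacked DNS resolvers in Windows XP `ipconfig /all` output.

Added example for the DNS step in this thread; not part of any tool named here.
The sample output is constructed; only 85.255.116.222 comes from the thread.
"""
import ipaddress
import re
from dataclasses import dataclass

# Resolver the thread reports as the "search address" after the hijack.
ROGUE_RESOLVERS = [ipaddress.ip_network("85.255.116.222/32")]

# Resolvers the ISP or router is expected to hand out (constructed placeholder;
# on a real machine take these from the router or the DHCP lease).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Constructed output: one adapter whose first resolver points at the rogue address.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : hp-desktop
        Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.net
        Physical Address. . . . . . . . . : 00-00-5E-00-53-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.116.222
                                            192.168.1.1
"""

_ADAPTER = re.compile(r"^\S.* adapter (?P<name>.+):$")
_SETTING = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(?P<value>.*)$")


def parse_ipconfig(text):
    """Return {adapter: {setting: [values]}}; host-wide settings go under ''."""
    adapters = {}
    current = adapters.setdefault("", {})
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Column-0 lines are section headers: an adapter, or the global block.
            m = _ADAPTER.match(line)
            current = adapters.setdefault(m.group("name") if m else "", {})
            last_key = None
            continue
        m = _SETTING.match(line)
        if m:
            last_key = m.group("key")
            values = current.setdefault(last_key, [])
            if m.group("value").strip():
                values.append(m.group("value").strip())
        elif last_key is not None:
            # Indented line with no key: XP lists a second DNS server this way.
            current[last_key].append(line.strip())
    return adapters


@dataclass(frozen=True)
class Finding:
    adapter: str
    resolver: str
    reason: str


def check_resolvers(adapters, expected=EXPECTED_RESOLVERS, rogue=ROGUE_RESOLVERS):
    """Report every configured resolver that is rogue or merely unexpected."""
    findings = []
    for name, settings in adapters.items():
        if not name:
            continue  # the global block carries no resolver list
        for server in settings.get("DNS Servers", []):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append(Finding(name, server, "unparseable resolver address"))
                continue
            if any(addr in net for net in rogue):
                findings.append(Finding(name, server, "rogue resolver reported in this thread"))
            elif server not in expected:
                findings.append(Finding(name, server, "resolver not in the expected set"))
    return findings


if __name__ == "__main__":
    for f in check_resolvers(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{f.adapter}: DNS server {f.resolver} -> {f.reason}")
```

A clean run after the fix should list no findings; a resolver that is unexpected but not in the rogue set still deserves a look, since the thread's helper notes the infection may be a new variant that does not show in the logs.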



## juleski32 (Apr 25, 2004)

The system is still running a little slow; actually, just the internet is. But so far, I have not been redirected to any other search pages, so hopefully that's it. I attempted the ipconfig /flushdns, but I received the message "Could not flush to DNS resolver cache. Function failed during execution". I tried it (3) times. Below is the new HJT log and the Fixwareout log. Thanks again for all of your help.

Logfile of HijackThis v1.99.1
Scan saved at 8:01:34 PM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?ie=UTF-8&oe=UTF-8&hl=en&tab=wn&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Easy Upload Tools\Drivers\Spooler\ZingSpooler.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Gear Security Service (GearSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted 
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM 
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»» 
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.


----------



## kdd9 (Mar 25, 2005)

Logs look clean. Nice work. 

I should have had you re-enable the DNS Client service for the last part. No problem, you can do it now.


*Click *Start > Run* and type *services.msc* in the box, then hit the *OK* button.
*Find *DNS Client* on the list and double-click on it.
*Make sure that the *General* tab is selected.
*Next to where it says "Startup type", use the drop-down arrow on the right-hand side and select "*Automatic*".
*At the bottom, click *Apply*.
*Under "Service status", click *Start*.
*Now click *OK* and close the "Services" window.

Then repeat these steps:

In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to "Start" > "Run", type *cmd*, and hit "OK".
Type
*ipconfig /flushdns*
then hit Enter, type *exit* and hit Enter.
(That space between g and / is needed.)

Then you can disable the service again:

* Start | Run (type) "*services.msc*" (no quotes)
* Scroll down to "*DNS Client*", Right-click and select: *Properties*
* Click the drop-down arrow for "*Startup type*"
* Select: *Manual*, click Apply/Ok and restart.

How is it running now?


----------



## juleski32 (Apr 25, 2004)

Seems OK now. I am not being redirected to other search pages, but sometimes when I use the 'back' button, the same page recycles itself. When I click the down arrow box to see my history of pages, the page in between my search and the desired page says something about 'double click ad . . . .'.

Again, thanks for all of your help on this.


----------



## kdd9 (Mar 25, 2005)

You're welcome. I'm glad to help.

Please download F-secure's *Blacklight* from here.

Once you click on the above link you will be presented with a prompt asking what you would like to do with the file. I suggest you save the file directly to your desktop and run it from there. Once the file has finished downloading you will see its icon on the desktop.

To start the program simply double-click on the *blbeta.exe* icon and you will be presented with the license agreement. Select the option that is labeled "I accept the agreement" and then press the *Next* button.

To start scanning your computer for possible rootkits, press the *Scan* button. Blacklight will now start scanning your computer for any hidden files or processes. As it scans your processes and files it will update its status to reflect what it is scanning and if it has found any hidden items.

When the scanning is done, the *Next* button will become available and you should click on it. If Blacklight did not find any hidden items you will see a screen showing that no hidden items were found. You can then press the *Exit* button to exit the program as Blacklight did not find any rootkits on your computer. If, on the other hand, Blacklight did find some hidden items, you will be presented with a screen showing a list of the processes and files hidden on your computer.

Do NOT attempt to fix any items at this point as Blacklight may include legitimate items in its scan results!

Blacklight, when it performs a scan, will create a log file in the same folder that you ran the program from. That folder would be your Windows Desktop. The file name of the log file will start with *fsbl-* followed by the date and some other numbers. An example is *fsbl-20060518203951.log.*
---------------------------------------------------------------------------------------------------------------------------

Download this file - combofix.exe

and save it to your desktop. Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

*"%userprofile%\desktop\combofix.exe" /wow*

Boot into safe mode by tapping the F8 key just before Windows starts to load.

Go to *start* --> *run* and copy/paste in the following:

*"%userprofile%\desktop\combofix.exe" /wow*

When finished, it shall produce a log for you. Save it and post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next post, please include
new hijackthis log
combofix log
blacklight log (fsbl...)

*use separate posts to ensure the logs don't get cut off.


----------



## juleski32 (Apr 25, 2004)

My home page is now defaulting to MSN.com. I've changed/applied/saved the Internet Options several times, but on each boot-up, it returns to MSN.com. It's a much better option than what has been happening, but I'm not sure why this just started happening. Thanks.

The new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:32:41 AM, on 12/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Easy Upload Tools\Drivers\Spooler\ZingSpooler.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEADN~1\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Gear Security Service (GearSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
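As an added example (not part of this thread and not HijackThis's own code), a small Python triage script that parses the item lines of a log in the format above and lists the entries the helpers here read first: a start-page host the user did not choose, Run entries with bare executable names or paths in user-writable directories, entries marked (file missing), and Winlogon Notify DLLs. The sample log is constructed from lines of the log above plus one made-up HKCU line; the rules are heuristics for prioritising manual review, not verdicts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis 1.99.1 log posted above.
# The HKCU line tagged [constructed] is made up to exercise the temp-dir rule.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.google.com
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [constructed] C:\Documents and Settings\Owner\Local Settings\Temp\example.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
"""

# Item lines look like "O4 - HKLM\..\Run: [Name] command"; the header and the
# "Running processes" list do not match and are dropped.
LINE_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# A full path starts with an optional quote, then a drive letter or a %VAR% root.
FULL_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\)')
USER_WRITABLE_RE = re.compile(
    r"\\Documents and Settings\\|\\Temp\\|\\Temporary Internet Files\\", re.IGNORECASE
)


@dataclass
class Entry:
    section: str  # HJT section code: R0, O2, O4, O20, O23, ...
    body: str     # text after the "O4 - " prefix
    raw: str      # the original line, kept for reporting


def parse_hjt(text: str) -> list[Entry]:
    """Return the Rn/Fn/On item lines of a HijackThis log as Entry objects."""
    entries = []
    for raw in text.splitlines():
        raw = raw.rstrip()
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(m.group(1), m.group(2), raw))
    return entries


def review(entries: list[Entry], expected_start_hosts: set[str]) -> list[tuple[str, str, str]]:
    """Triage heuristics: (section, reason, raw) for lines a helper should read first.

    A hit is a prompt for manual review (publisher, path, purpose), not a verdict;
    WgaLogon in the sample is a legitimate Microsoft component and is still listed.
    """
    findings = []
    for e in entries:
        if "(file missing)" in e.raw:
            findings.append((e.section, "points at a file that is no longer on disk", e.raw))
        if e.section in ("R0", "R1") and " = " in e.body:
            url = e.body.split(" = ", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if host not in expected_start_hosts:
                findings.append((e.section, f"start/search page host {host!r} is not one the user chose", e.raw))
        elif e.section == "O4":
            m = RUN_RE.search(e.body)
            if m is None:
                continue  # "Global Startup: x.lnk = ..." lines have no [Name] part
            cmd = m.group("cmd").strip()
            if not FULL_PATH_RE.match(cmd):
                findings.append((e.section, "bare executable name, found via PATH search at logon", e.raw))
            elif USER_WRITABLE_RE.search(cmd):
                findings.append((e.section, "autostarts from a user-writable profile or temp directory", e.raw))
        elif e.section == "O20":
            findings.append((e.section, "Winlogon Notify DLL loads inside winlogon.exe; verify publisher and path", e.raw))
    return findings


if __name__ == "__main__":
    for section, reason, raw in review(parse_hjt(SAMPLE_LOG), {"www.news.google.com"}):
        print(f"{section:<4}{reason}\n    {raw}")
```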


----------



## juleski32 (Apr 25, 2004)

The Blacklight log:

12/03/06 20:17:01 [Info]: BlackLight Engine 1.0.47 initialized
12/03/06 20:17:01 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/03/06 20:17:02 [Note]: 7019 4
12/03/06 20:17:02 [Note]: 7005 0
12/03/06 20:17:18 [Note]: 7006 0
12/03/06 20:17:18 [Note]: 7011 1444
12/03/06 20:17:19 [Note]: 7026 0
12/03/06 20:17:19 [Note]: 7026 0
12/03/06 20:17:37 [Note]: FSRAW library version 1.7.1020
12/03/06 20:34:11 [Note]: 7007 0

The Combofix log:

Owner - 06-12-03 20:50:38.45 Service Pack 2
ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Owner\desktop"
Command switches used :: /wow

((((((((((((((((((((((((((((((( Files Created from 2006-11-03 to 2006-12-03 ))))))))))))))))))))))))))))))))))

2006-12-03	21:11 d--------	C:\WINDOWS\erdnt
2006-12-03	20:38 d--------	C:\WINDOWS\temp
2006-12-02	19:36	10,344	--a------	C:\WINDOWS\SYSTEM32\drivers\symlcbrd.sys
2006-12-02	19:36 d--------	C:\Program Files\Norton AntiVirus
2006-12-02	09:27 d--------	C:\Program Files\Norton Personal Firewall
2006-12-02	08:33	99,352	--a------	C:\WINDOWS\SYSTEM32\ccPasswd.dll
2006-12-02	08:33	95,480	--a------	C:\WINDOWS\SYSTEM32\ccTrust.dll
2006-12-02	08:33	62,736	--a------	C:\WINDOWS\SYSTEM32\SymStore.dll
2006-12-01	06:47 d--------	C:\fixwareout
2006-11-25	08:19	178,408	--a------	C:\WINDOWS\SYSTEM32\muweb.dll
2006-11-25	08:19	127,208	--a------	C:\WINDOWS\SYSTEM32\mucltui.dll
2006-11-24	22:42 d--------	C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2006-11-24	22:41 d--------	C:\Program Files\Windows Live Toolbar
2006-11-24	22:21 d--------	C:\WINDOWS\WBEM
2006-11-24	22:21 d--------	C:\WINDOWS\SYSTEM32\en-US
2006-11-24	22:18 d--h-c---	C:\WINDOWS\ie7
2006-11-24	22:14	121,856	---------	C:\WINDOWS\SYSTEM32\xmllite.dll
2006-11-24	22:13 d--------	C:\WINDOWS\network diagnostic
2006-11-24	20:19 dr-h-----	C:\Documents and Settings\Owner\Recent
2006-11-23	12:22 d--hs----	C:\Documents and Settings\Owner\Cookies
2006-11-22	19:53 d--------	C:\Program Files\Sunbelt Software
2006-11-22	19:45 d--------	C:\Program Files\BillP Studios
2006-11-22	19:45 d--------	C:\Documents and Settings\Owner\Application Data\WinPatrol
2006-11-21	22:06 d--------	C:\WINDOWS\SYSTEM32\ActiveScan
2006-11-19	20:20 d--------	C:\WINDOWS\SYSTEM32\Kaspersky Lab
2006-11-19	12:50	3,968	--a------	C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2006-11-19	12:50 d--------	C:\Program Files\Grisoft
2006-11-17	20:29 d--------	C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-11-16	16:22 d--------	C:\a0705196800f7750e2
2006-11-12	18:23 d--------	C:\Program Files\Hijackthis
2006-11-12	16:59 d--------	C:\!KillBox
2006-11-12	13:55 d--------	C:\Program Files\Windows Defender
2006-11-12	11:55 d--------	C:\Program Files\Spyware Doctor
2006-11-07	21:03	6,049,280	---------	C:\WINDOWS\SYSTEM32\ieframe.dll
2006-11-07	21:03	50,688	---------	C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-11-07	21:03	458,752	---------	C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-11-07	21:03	180,736	---------	C:\WINDOWS\SYSTEM32\ieui.dll
2006-11-07	03:26	13,312	--a------	C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-11-04	14:14	1,245,696	--a------	C:\WINDOWS\SYSTEM32\msxml4.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-03 20:43	--------	d-a------	C:\Program Files\Common Files
2006-12-03 20:43	--------	d--------	C:\Program Files\Common Files\Symantec Shared
2006-12-03 06:59	48768	--a------	C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2006-12-03 06:59	110952	--a------	C:\WINDOWS\SYSTEM32\drivers\SYMEVENT.SYS
2006-12-03 06:59	--------	d--------	C:\Program Files\Symantec
2006-12-02 19:42	--------	d--------	C:\Documents and Settings\Owner\Application Data\Symantec
2006-12-02 09:27	--------	d--------	C:\Program Files\SymNetDrv
2006-11-28 21:49	--------	d--------	C:\Program Files\Spybot - Search & Destroy
2006-11-28 18:00	--------	d--------	C:\Program Files\Real RM Converter
2006-11-28 16:37	--------	dr-------	C:\Program Files\Program Files
2006-11-28 16:07	--------	d--------	C:\Program Files\Java
2006-11-24 22:42	--------	d---s----	C:\Documents and Settings\Owner\Application Data\Microsoft
2006-11-24 22:24	--------	d--------	C:\Program Files\Internet Explorer
2006-11-24 20:49	--------	d--h-----	C:\Program Files\InstallShield Installation Information
2006-11-22 07:05	--------	d--------	C:\Program Files\WinZip
2006-11-21 23:19	--------	d--------	C:\Program Files\Google
2006-11-21 23:19	--------	d--------	C:\Program Files\FinePixViewer
2006-11-21 21:58	--------	d--------	C:\Documents and Settings\Owner\Application Data\Identities
2006-11-21 21:27	--------	d--------	C:\Program Files\MSN
2006-11-17 20:29	--------	d--------	C:\Program Files\Lavasoft
2006-11-12 13:55	--------	d--------	C:\Program Files\Common Files\Microsoft Shared
2006-11-12 12:45	--------	d--------	C:\Program Files\WeiserWare
2006-11-07 21:03	413696	--a------	C:\WINDOWS\SYSTEM32\vbscript.dll
2006-11-07 21:03	231424	--a------	C:\WINDOWS\SYSTEM32\webcheck.dll
2006-11-07 21:03	156160	--a------	C:\WINDOWS\SYSTEM32\msls31.dll
2006-11-07 03:27	382976	--a------	C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-11-07 03:27	229376	--a------	C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-11-07 03:26	71680	--a------	C:\WINDOWS\SYSTEM32\admparse.dll
2006-11-07 03:26	55296	--a------	C:\WINDOWS\SYSTEM32\iesetup.dll
2006-11-07 03:26	54784	--a------	C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-11-07 03:26	43008	--a------	C:\WINDOWS\SYSTEM32\iernonce.dll
2006-11-07 03:26	152064	--a------	C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-11-07 03:26	123904	--a------	C:\WINDOWS\SYSTEM32\advpack.dll
2006-11-07 03:25	161792	--a------	C:\WINDOWS\SYSTEM32\ieakui.dll
2006-10-17 12:06	78336	--a------	C:\WINDOWS\SYSTEM32\ieencode.dll
2006-10-17 12:05	40960	--a------	C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-17 12:05	206336	---------	C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
2006-10-17 12:05	105984	--a------	C:\WINDOWS\SYSTEM32\url.dll
2006-10-17 12:04	101376	--a------	C:\WINDOWS\SYSTEM32\occache.dll
2006-10-17 12:03	17408	--a------	C:\WINDOWS\SYSTEM32\corpol.dll
2006-10-17 11:58	61952	---------	C:\WINDOWS\SYSTEM32\icardie.dll
2006-10-17 11:58	12288	---------	C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-10-17 11:57	36352	--a------	C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-17 11:57	266752	---------	C:\WINDOWS\SYSTEM32\iertutil.dll
2006-10-17 11:56	45568	--a------	C:\WINDOWS\SYSTEM32\mshta.exe
2006-10-17 11:28	48128	--a------	C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-17 11:27	380928	---------	C:\WINDOWS\SYSTEM32\ieapfltr.dll
2006-10-13 04:35	142336	--a------	C:\WINDOWS\SYSTEM32\nwprovau.dll
2006-09-12 21:01	1084416	--a------	C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-06 16:43	22752	--a------	C:\WINDOWS\SYSTEM32\spupdsvc.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\AHEADN~1\\Ahead\\data\\Xtras\\mssysmgr.exe"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"USB"="C:\\WINDOWS\\system32\\usb.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"TPP Auto Loader"="C:\\WINDOWS\\TPPALDR.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"PinnacleDriverCheck"="C:\\WINDOWS\\System32\\PSDrvCheck.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"mmtask"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"ZingSpooler"="C:\\Program Files\\Easy Upload Tools\\Drivers\\Spooler\\ZingSpooler.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="\"C:\\WINDOWS\\system32\\msiexec.exe\" /L*v C:\\WINDOWS\\TEMP\\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="\"C:\\WINDOWS\\system32\\msiexec.exe\" /L*v C:\\WINDOWS\\TEMP\\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoToolbarCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DDCActiveMenu"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WildTangent\\DDC\\ActiveMenu\\DDCActiveMenu.exe\" -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DDCMan"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WildTangent\\DDC\\DDCManager\\DDCMan.exe\" -Background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpsysdrv"
"hkey"="HKLM"
"command"="c:\\windows\\system\\hpsysdrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="S3tray2"
"hkey"="HKLM"
"command"="S3tray2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AutoStarterR"
"hkey"="HKLM"
"command"="C:\\Program Files\\Zero Knowledge\\Freedom\\AutoStarterR.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job

Completion time: 06-12-03 21:15:44.07
C:\ComboFix.txt ... 06-12-03 21:15
C:\ComboFix2.txt ... 06-11-24 20:32


----------



## kdd9 (Mar 25, 2005)

I see that Windows Defender and AVG Anti-Spyware are running once again.
They may be blocking the changes that _you_ are trying to make to your home page.


* Open Windows Defender
* Click *Tools*
* Click *General Settings*
* Scroll down to *Real Time Protection Options*
* _Un_check *Turn on Real Time Protection (recommended)*
* After you uncheck this, click on the *Save* button
* Close Windows Defender

Also:

Right-click the AVG icon in the System Tray with the S on it.
If there is a check mark by Resident Shield, click on it to remove the check.
The icon should be gray now instead of multi-colored.

And:
1. Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
2. Click *Options*. If you see a menu, click *Norton AntiVirus*.
3. In the left pane, click *Script Blocking*.
4. In the right pane, uncheck *Enable Script Blocking (recommended)*.
5. Click *OK*.

Then try to reset your home page again and see if it works now even after a reboot.

You might also try changing the home page from Safe Mode if that doesn't work.
It doesn't look like it is malware resetting the home page at this point so if it is stuck on MSN it may take some digging in the registry to find the cause or you can choose to let it be.
You have done a good job, by the way, of following the directions, performing the actions, and getting the pc cleaned up.

The logs look clean. Are you still experiencing anything strange after trying the above?


----------



## juleski32 (Apr 25, 2004)

I think all is well in Seattle once again. Thank you so very much for all of your help. My husband will be getting a junker computer for Christmas so he could visit all those less-than-desirable websites that he wants, without fear of retribution from me (as far as computer viruses go anyways). 

Thanks again, Juleski32


----------



## kdd9 (Mar 25, 2005)

No problem. I was glad to help.

Now that the system is clean you should flush the System Restore points:
Doing this will remove all your restore points, and any infections that might be hanging in there.

Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives".
Click Apply.
Click Yes to do this.
Click OK.
Then Restart your computer.

After you have restarted, turn System Restore back on:
Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Click Apply, and then click OK.
Then create a new restore point once you have System Restore back on.
To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.
When the System Restore Utility opens, click "Create a Restore Point" then click Next.
Enter a name for this Restore Point, and click Create.

Now you can rehide Windows sensitive files. This isn't mandatory but it is a good precautionary step, especially if others use the pc.
To rehide Windows sensitive files:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. _un_check the checkbox labeled "Display the contents of system folders".
6. Under the Hidden files and folders section _de_select the radio button labeled "Show hidden files and folders".
7. Put a checkmark in the checkbox labeled "Hide file extensions for known file types".
8. Put a checkmark in the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now the sensitive files are hidden once again and not vulnerable to accidental deletion.

You can delete these programs and their shortcuts now:

SmitfraudFix
Combofix.exe
Killbox.exe
fix.reg
FixWareout
Blacklight (blbeta.exe)

Then you can re-enable the protection for Norton Script Blocking, AVG Antispyware, and Windows Defender again by reversing what you did to disable them.

Here are some additional steps you can take to help prevent future infection:

* Keep the Windows Updates current. You can either set XP to update them automatically or check for them yourself at least once a month. Most of these updates address security issues.

* Keep your antivirus program up to date. Again, you can set the "Live Update" to run automatically or check for them yourself at least once a week.

* SpywareBlaster is another very good program that blocks a great deal of malware from getting onto your system and is available at no cost from here. It can also configure your Internet Explorer settings for optimum security.
And while you are there, you might also consider SpywareGuard for real-time protection.

* WinPatrol, available here, will notify you whenever a program tries to place itself on your autostartup list and will allow you to deny it from starting up with each reboot if you wish. It will also alert you of other attempted changes to your system.

* You might also consider using an alternate browser such as Mozilla Firefox or Opera as Internet Explorer is heavily targeted by malware because it is so widely used.

* Some good, educational computer security reading can be found in Tony Klein's famous article, _How did I get infected in the first place?_

If you feel that this issue has been resolved you can mark the thread "Solved" if you wish by clicking on the "Thread Tools" button near the top of the page and selecting "Mark Thread Solved".

Happy Holidays!!

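The Folder Options changes in steps 6 to 8 of the post above are stored as DWORD values under the Explorer\Advanced key of the current user's registry hive. The following PowerShell script is an added example, not part of the post and not something Windows XP shipped with: it audits those three values against the hidden state the post asks for and, when run as a script file with `-Fix`, restores them. The value names `Hidden`, `HideFileExt` and `ShowSuperHidden` are real Explorer settings; step 5's "Display the contents of system folders" is left out because its value name is not given on the page.

```powershell
# Added example (not from the forum post): audit and optionally restore the
# Explorer view settings that steps 6-8 of the post change via Folder Options.
# Assumes it is saved as a .ps1 and run as the user whose view settings matter.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# The "hidden" state the post describes: hidden files not shown, extensions
# hidden, protected operating-system files hidden.
$desired = @{
    Hidden          = 2   # 2 = do not show hidden files and folders; 1 = show
    HideFileExt     = 1   # 1 = hide file extensions for known file types
    ShowSuperHidden = 0   # 0 = hide protected operating system files
}

function Get-ExplorerViewDrift {
    # Emit one object per setting whose current value differs from $desired.
    $current = Get-ItemProperty -Path $advanced -ErrorAction Stop
    foreach ($name in $desired.Keys) {
        $value = $current.$name
        if ($value -ne $desired[$name]) {
            [pscustomobject]@{
                Setting  = $name
                Current  = $value
                Expected = $desired[$name]
            }
        }
    }
}

function Restore-ExplorerView {
    # Write the desired values; Explorer picks them up when windows are reopened
    # (or after explorer.exe is restarted).
    foreach ($name in $desired.Keys) {
        Set-ItemProperty -Path $advanced -Name $name -Value $desired[$name] -Type DWord
    }
}

$drift = @(Get-ExplorerViewDrift)
if ($drift.Count -eq 0) {
    Write-Host 'Explorer view settings already match the post (sensitive files hidden).'
} else {
    $drift | Format-Table -AutoSize
    if ($args -contains '-Fix') {
        Restore-ExplorerView
        Write-Host 'Settings restored; reopen Explorer windows to apply.'
    }
}
```

Many practitioners deliberately keep `HideFileExt` at 0 so that a file's real extension stays visible in Explorer; if you prefer that, change the entry in `$desired` and the audit will enforce it instead.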

----------



## juleski32 (Apr 25, 2004)

Restore point created and all files are hidden. Will be trying out Mozilla as well as getting some additional Spyware protection. 

A million thanks to you! Outstanding advice and instructions.
Juleski32


----------

