# Solved: trojan.bho.NameShifter.Y



## stillwater (Jul 6, 2005)

My browser is being hijacked, and redirected to spyware and anti-virus sites. My Favorites in IE is being filled with porn sites, and porn pop-ups are invading.

Using Windows 2000 Professional. Have run Spybot Search and Destroy, Ad Aware, and Microsoft AntiSpyware (beta) numerous times, to no avail. trojan.bho.nameshifter.Y reappears every time, with multiple "signatures" (whatever that means).

A recent log from Ad Aware is reproduced below, in case that helps.

Any help is greatly appreciated. Help in relatively plain english is particularly valuable, as I am not an I.T. guy

********

ProductVersion : 1, 3, 1, 0
ProductName : APC PowerChute Personal Edition
CompanyName : American Power Conversion Corporation
FileDescription : Battery backup management service
InternalName : PowerChute
LegalCopyright : Copyright © 2003
OriginalFilename : PowerChute
Comments : Battery backup management service

#:10 [cdac11ba.exe]
FilePath : C:\WINDOWS\System32\drivers\
ProcessID : 536
ThreadCreationTime : 7-6-2005 3:49:33 AM
BasePriority : Normal
FileVersion : 4.16.050
ProductVersion : 4.16.050 Windows NT 2002/04/24
ProductName : SafeCast Windows NT
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright (c) 1998-2002 Macrovision Corp.
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:11 [defwatch.exe]
FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\
ProcessID : 556
ThreadCreationTime : 7-6-2005 3:49:33 AM
BasePriority : Normal
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright © 1998 Symantec Corporation
OriginalFilename : DefWatch.exe

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 572
ThreadCreationTime : 7-6-2005 3:49:33 AM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:13 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 600
ThreadCreationTime : 7-6-2005 3:49:35 AM
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:14 [rtvscan.exe]
FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\
ProcessID : 668
ThreadCreationTime : 7-6-2005 3:49:39 AM
BasePriority : Normal
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec Corporation 1991-2002

#:15 [pppoeservice.exe]
FilePath : C:\PROGRA~1\EFFICI~1\ENTERN~1\app\
ProcessID : 716
ThreadCreationTime : 7-6-2005 3:49:40 AM
BasePriority : Normal

#:16 [regsvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 748
ThreadCreationTime : 7-6-2005 3:49:42 AM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:17 [mstask.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 784
ThreadCreationTime : 7-6-2005 3:49:42 AM
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:18 [snmp.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 816
ThreadCreationTime : 7-6-2005 3:49:43 AM
BasePriority : Normal
FileVersion : 5.00.2195.6605
ProductVersion : 5.00.2195.6605
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : SNMP Service
InternalName : snmp.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : snmp.exe

#:19 [stisvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 864
ThreadCreationTime : 7-6-2005 3:49:43 AM
BasePriority : Normal
FileVersion : 5.00.2195.6656
ProductVersion : 5.00.2195.6656
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright (C) Microsoft Corp. 1996-1997
OriginalFilename : STIMON.EXE

#:20 [winmgmt.exe]
FilePath : C:\WINDOWS\System32\WBEM\
ProcessID : 908
ThreadCreationTime : 7-6-2005 3:49:43 AM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp. 1995-1999

#:21 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 920
ThreadCreationTime : 7-6-2005 3:49:44 AM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:22 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1124
ThreadCreationTime : 7-6-2005 3:49:54 AM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:23 [vptray.exe]
FilePath : C:\PROGRA~1\SYMANT~1\SYMANT~1\
ProcessID : 1380
ThreadCreationTime : 7-6-2005 3:50:16 AM
BasePriority : Normal
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec Corporation 1991-2002

#:24 [ezsp_px.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1364
ThreadCreationTime : 7-6-2005 3:50:16 AM
BasePriority : Normal

#:25 [ybrwicon.exe]
FilePath : C:\Program Files\Yahoo!\browser\
ProcessID : 1384
ThreadCreationTime : 7-6-2005 3:50:17 AM
BasePriority : Normal
FileVersion : 2003, 7, 11, 1
ProductVersion : 1, 0, 0, 1
ProductName : Yahoo!, Inc. YBrwIcon
CompanyName : Yahoo!, Inc.
FileDescription : YBrwIcon
InternalName : YBrwIcon
LegalCopyright : Copyright © 2003
OriginalFilename : YBrwIcon.exe

#:26 [stopzilla.exe]
FilePath : C:\Program Files\STOPzilla!\
ProcessID : 1416
ThreadCreationTime : 7-6-2005 3:50:17 AM
BasePriority : Normal
FileVersion : 3, 2, 5, 2
ProductVersion : 3, 2, 5, 2
ProductName : STOPzilla! Application
CompanyName : International Software Systems Solutions
FileDescription : STOPzilla! Application
InternalName : Stopzilla
LegalCopyright : Copyright (C) ISSS 2002
OriginalFilename : Stopzilla.EXE

#:27 [viewmgr.exe]
FilePath : C:\Program Files\Viewpoint\Viewpoint Manager\
ProcessID : 608
ThreadCreationTime : 7-6-2005 3:50:20 AM
BasePriority : Normal
FileVersion : 2, 0, 0, 42
ProductVersion : 2, 0, 0, 42
ProductName : Viewpoint Manager
CompanyName : Viewpoint Corporation
FileDescription : ViewMgr
InternalName : Viewpoint Manager
LegalCopyright : Copyright © 2004
OriginalFilename : ViewMgr.exe
Comments : Viewpoint Manager

#:28 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1428
ThreadCreationTime : 7-6-2005 3:50:21 AM
BasePriority : Normal
FileVersion : 6.4
ProductVersion : QuickTime 6.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2003
OriginalFilename : QTTask.exe

#:29 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_01\bin\
ProcessID : 1436
ThreadCreationTime : 7-6-2005 3:50:23 AM
BasePriority : Normal

#:30 [ycommon.exe]
FilePath : C:\PROGRA~1\Yahoo!\browser\
ProcessID : 1444
ThreadCreationTime : 7-6-2005 3:50:23 AM
BasePriority : Normal
FileVersion : 2003, 7, 14, 1
ProductVersion : 1, 0, 0, 1
ProductName : YCommon Exe Module
CompanyName : Yahoo!, Inc.
FileDescription : YCommon Exe Module
InternalName : YCommonExe
LegalCopyright : Copyright 2003 Yahoo! Inc.
OriginalFilename : YCommon.EXE

#:31 [gcasserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 1516
ThreadCreationTime : 7-6-2005 3:50:27 AM
BasePriority : Idle
FileVersion : 1.00.0614
ProductVersion : 1.00.0614
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet(tm) is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe

#:32 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1556
ThreadCreationTime : 7-6-2005 3:50:28 AM
BasePriority : Normal
FileVersion : 1.00.2409.7 built by: Lab06_N
ProductVersion : 1.00.2409.7
ProductName : Microsoft(R) Windows NT(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Cicero Loader
InternalName : CICLOAD
LegalCopyright : Copyright (C) Microsoft Corporation. 1981-2001
OriginalFilename : CICLOAD.EXE

#:33 [hookdump.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1560
ThreadCreationTime : 7-6-2005 3:50:29 AM
BasePriority : Normal

#:34 [hpobnz08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 1604
ThreadCreationTime : 7-6-2005 3:50:33 AM
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOBNZ08
LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOBNZ08.EXE
Comments : HP OfficeJet <Banzai> Series COM Device Objects

#:35 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 1620
ThreadCreationTime : 7-6-2005 3:50:35 AM
BasePriority : Normal
FileVersion : 1.00.0614
ProductVersion : 1.00.0614
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet(tm) is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:36 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1264
ThreadCreationTime : 7-6-2005 3:51:20 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:37 [hpoevm08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 340
ThreadCreationTime : 7-6-2005 3:51:24 AM
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOEVM08.EXE
Comments : HP OfficeJet COM Event Manager

#:38 [hpzipm12.exe]
FilePath  : C:\WINDOWS\system32\
ProcessID : 1100
ThreadCreationTime : 7-6-2005 3:51:43 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 0
ProductVersion : 6, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data : 
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Disk Scan Result for C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Disk Scan Result for C:\DOCUME~1\WILCOX~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 1

MRU List Object Recognized!
Location: : C:\Documents and Settings\Wilcox family\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-1644491937-1677128483-842925246-1000\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data : 
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : Regkey
Data : 
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data : 
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data : 
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data : 
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data : 
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data : 
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data : 
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\enum\root\legacy_zesoft

CoolWebSearch Object Recognized!
Type : RegValue
Data : 
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Search Bar

CoolWebSearch Object Recognized!
Type : RegData
Data : no
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : no
TAC Rating : 10
Category : Malware
Comment : 
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 11
Objects found so far: 15

8:56:04 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:03:57.552
Objects scanned:52033
Objects identified:12
Objects ignored:0
New critical objects:12


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

Please do this. *Click here* to download HijackThis.

Close all open windows and open HijackThis. Click Scan. When the scan is finished, the scan button will change to Save Log. Click on Save Log and then save it to Notepad. Click on Edit  Select all  copy and then paste into the thread.

*DO NOT FIX ANYTHING YET*, most items that appear in the log are harmless or even needed.


----------



## stillwater (Jul 6, 2005)

Thanks. HijackThis log inserted below.
Access to my browser has now been blocked, as has access to Windows Explorer. Things seem to be getting worse. I have moved to another computer to send this to you.

Logfile of HijackThis v1.99.1
Scan saved at 7:17:02 PM, on 7/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\d3cx.exe
C:\WINDOWS\system32\hookdump.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\system32\d3ir.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Wilcox family\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Stillwater Sciences
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {A6AA43D9-2C16-F473-3B91-5C6B402550B5} - C:\WINDOWS\system32\apirp32.dll
O2 - BHO: Class - {D482621F-1486-6CD2-072D-057E621DEB3E} - C:\WINDOWS\system32\sdkko32.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: Class - {F601318D-D7AF-5E93-FC5B-02C0A95719F0} - C:\WINDOWS\apiad32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [3Fnh32l] mf3tl.exe
O4 - HKLM\..\Run: [AutoLoader3s4H1MYjOZXW] "C:\WINDOWS\system32\mf3tl.exe" 
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [d3cx.exe] C:\WINDOWS\d3cx.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [Io4nRSJpV] mim_mtf.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.solitaire.com/download/solitaire.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/feedingfrenzy/SproutLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E82CC302-5A7D-4C53-A629-41A62E38C5F2}: NameServer = 63.203.35.55,198.6.1.122
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\WINDOWS\system32\RampartSvc.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

*WildTangent (unless you absolutely need it to play games)
Viewpoint Manager
AWS (WeatherBug)*

You will need to disable Microsoft AntiSpyware as it will interfere with the fix.

Open *Microsoft AntiSpyware.*

Click on *Tools*, *Settings*. In the left pane, click on *Real-time Protection*.
Under *Startup Options* uncheck *Enable the Microsoft AntiSpyware Security Agents on startup (recommended)*.

Under *Real-time spyware threat protection* uncheck *Enable real-time spyware threat protection (recommended)*.

After you uncheck these, click on the *Save* button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select *Shutdown Microsoft AntiSpyware*.

You will need to download the following tools and have them ready to run. *Do not* run any of them until instructed to do so:

*Click here* to download cwsserviceremove.zip and unzip it to your desktop.

*Click here* to download and install CCleaner.

*Click here* to download Killbox and save it to your desktop.

*Click here* to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the *Update Button* then click *Check for Update* and download the updates and then click *Exit* because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

Download the trial version of Ewido Security Suite *here*.
Install Ewido.
During the installation, under "Additional Options" *uncheck* "Install background guard" and "Install scan via context menu".
Launch Ewido
It will prompt you to update click the OK button and it will go to the main screen
On the left side of the main screen click *update*
Click on *Start* and let it update.
*DO NOT* run a scan yet. You will do that later in safe mode.

Now go ahead and set your computer to show hidden files like so:

Go to *Start*  *Search* and under *More advanced search options*, make sure there is a check by *Search System Folders* and *Search hidden files and folders* and *Search system subfolders. *

Next, click on *My Computer*, Go to *Tools*  *Folder Options*. Click on the *View* tab and make sure that *Show hidden files and folders* is checked. Also uncheck *Hide protected operating system files* and *Hide extensions for known file types*. Now click *Apply to all folders. * Click *Apply* and then *OK. *

*After you have downloaded all the above tools, sign off the Internet and remain offline until this procedure is complete.* Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

Restart to safe mode now and perform the following steps in safe mode:

*How to boot to safe mode*

Double click on the cwsserviceemove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

Run HijackThis and put a check by these entries:

*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fyhac.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {A6AA43D9-2C16-F473-3B91-5C6B402550B5} - C:\WINDOWS\system32\apirp32.dll

O2 - BHO: Class - {D482621F-1486-6CD2-072D-057E621DEB3E} - C:\WINDOWS\system32\sdkko32.dll

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

O2 - BHO: Class - {F601318D-D7AF-5E93-FC5B-02C0A95719F0} - C:\WINDOWS\apiad32.dll

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [3Fnh32l] mf3tl.exe

O4 - HKLM\..\Run: [AutoLoader3s4H1MYjOZXW] 
"C:\WINDOWS\system32\mf3tl.exe"

O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [d3cx.exe] C:\WINDOWS\d3cx.exe

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1

O4 - HKCU\..\Run: [Io4nRSJpV] mim_mtf.exe

O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O15 - Trusted Zone: *.morwillsearch.com

*

Once youve checked all of the above entries, click the *Fix Checked* button.

Exit Hijack This.

Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the *Full Path of File to Delete* box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the *Paste Full Path of File to Delete* box.

*
C:\WINDOWS\system32\fyhac.dll/sp

C:\WINDOWS\system32\apirp32.dll

C:\WINDOWS\system32\sdkko32.dll

O2 - BHO: Class - {F601318D-D7AF-5E93-FC5B-02C0A95719F0} - C:\WINDOWS\apiad32.dll

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\mf3tl.exe

C:\WINDOWS\system32\mf3tl.exe

C:\WINDOWS\d3cx.exe

C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
mim_mtf.exe

C:\WINDOWS\system32\hookdump.exe
*

*Note: * It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure not to miss any.

Exit the Killbox.

Next run *AboutBuster*. Double click Aboutbuster.exe, click OK, click Start then click OK. This will scan your computer for the bad files and delete them.

Run *CWShredder*. Just click on the cwshredder.exe then click *Fix* (Not *Scan only*) and let it do its thing.

Start Ccleaner and click *Run Cleaner*

Go to *Control Panel*  *Internet Options*. Click on the *Programs* tab then click the *Reset Web Settings* button. Click *Apply* then *OK. *

* Run Ewido:
Click on *scanner*
Click *Complete System Scan* and the scan will begin.
During the scan it will prompt you to clean files, click *OK*
When the scan is finished, look at the bottom of the screen and click the *Save report* button.
Save the report to your desktop.

Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Now, restart back into Windows normally and do the following: *

Turn off System Restore:

On the Desktop, right-click*My Computer. *

Click *Properties*.

Click the *System Restore tab*.

Check *Turn off System Restore*.

Click *Apply*, and then click *OK. *

Restart your computer.

*Click here* and do an on-line virus scan.

Be sure and put a check in the box by *Auto Clean* before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

 *Click here* and download *The Hoster*. UnZip the file and press *Restore Original Hosts* and press *OK*. Exit Program.

If you have Spybot S&D installed you will also need to replace one file. *Click here* and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder. Find shell.dll and right click on it. Choose Copy from the menu. Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

control.exe may have been deleted. 
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go *here* and download control.exe per the instructions at the site.

*IMPORTANT!: * Please check your *ActiveX* security settings. They may have been changed by this CWS variant to allow ALL *ActiveX*!! Reset your ActiveX security settings like so... Go to Internet Options - Security - Internet, press 'default level', then OK. Now press "Custom Level."

In the ActiveX section, set the first two options (Download signed and unsigned ActiveX 
controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.

Reboot and post another Hijack This log please.


----------



## MFDnNC (Sep 7, 2004)

Think Cookie left out the CWS Shredder link

CWShredder http://www.intermute.com/products/cwshredder.html


----------



## Cookiegal (Aug 27, 2003)

Whoops! Thanks Mike.


----------



## MFDnNC (Sep 7, 2004)

Cookiegal said:


> Whoops! Thanks Mike.


 :up: :up:


----------



## stillwater (Jul 6, 2005)

Thanks so much. My internet access has now crashed. Even another computer plugged into the router cannot access the internet any more. I have downloaded all the files you specified, and will transfer them to the infected machine. Hopefully running them will bring internet access back up before I get to the instruction about the "online" scan...although I am not confident of that, given neither computer can get online...


----------



## Cookiegal (Aug 27, 2003)

This may restore the Internet connection. It will fit onto a floppy.

First *Click here* to download LspFix.

Run LspFix and then click Finish. *(Don't do anything else).*


----------



## stillwater (Jul 6, 2005)

I got the Internet connection working again. The password in the router had to be changed (I don't know if the bugs did it, or the ISP shut it down). I went back into your instructions, and repeated the Ewido scan (after being able to update it) and the online scan.

Items that differed from your instructions: 
1) WildTangent and AWS (Weatherbug) did not show up to be removed.
2) Under the Start Search and Advanced Search options. Those don't seem to show up with my Operating System.
3) HijackThis didn't find all the entries you indicated, but I checked whichever ones did, or that were very similar.
4) not all the buttons in Ewido appear readable in Safe Mode, but I figured out which ones to click.
5) After Windows restart, there was no System Restore Tab to select and turn off System Restore.
6) I could not find any Auto Clean in the online virus scan. I had it fix the 4 adware items it found.
7) The Hoster would not allow the file to be written. It said to check file permissions.

System seems to be much improved. No pop-ups or redirects thus far, and the offending icon is gone from the bar at the bottom of the screen.

HighjackThis log is below.

Logfile of HijackThis v1.99.1
Scan saved at 5:13:26 PM, on 7/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Wilcox family\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Stillwater Sciences
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.solitaire.com/download/solitaire.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/feedingfrenzy/SproutLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E82CC302-5A7D-4C53-A629-41A62E38C5F2}: NameServer = 63.203.35.55,198.6.1.122
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\WINDOWS\system32\RampartSvc.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe


----------



## Cookiegal (Aug 27, 2003)

Sorry, the part of the instructions posted for unhiding files and regarding system restore were for XP, no W2K.

Rescan and have Hijack This fix this entry:

*O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)*

Is everything running fine now?


----------



## stillwater (Jul 6, 2005)

Ran HighJackThis and tried to to fix a couple of times. Rebooted. It is still there when I do another scan.
Otherwise things seem to be running normally.

Is the list of stuff HijackThis pulls up a place to be editing out stuff I don't want to load on start-up? For example, is there any reason to have QuickTime and Adobe stuff loading, or should I delete those as well?


----------



## Cookiegal (Aug 27, 2003)

That entry is not bad, but its file is missing. It belongs to Stop-Zilla. You could try to remove it with Hijack this in safe mode.

It's best to remove things from start-up via the msconfig utility. To access that, click on start-run - type in *msconfig* then click on the start-up tab and remove the check marks there. You can research those entries at the following links to see if they need to run at start-up:

http://castlecops.com/StartupList.html
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
http://www.windowsstartup.com/wso/index.php

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start*  *All Programs*  *Accessories*  *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER & SPYWAREGUARD* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## stillwater (Jul 6, 2005)

Thanks, Cookie!
I was able to delete that last file with HijackThis in safe mode.
I cleared out all the temp files.
MSCONFIG could not be found. I am running Windows 2000.
There is no System Restore feature under Properties.
I have downloaded the other Spyware protection programs. Thanks.
After deleting all the temp files in safe mode, I rebooted and instead of getting the desktop, I got my internet home page instead. How should I correct this?


----------



## Cookiegal (Aug 27, 2003)

Try this:

Go to Control Panel - Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then 
Apply and OK.


----------



## stillwater (Jul 6, 2005)

Thanks.
This line keeps coming back in the HijackThis scan:
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
Thoughts?

Also, is there any way to conduct the MSCONFIG and System Restore tasks you specified in Windows 2000?


----------



## Cookiegal (Aug 27, 2003)

That line is not malicious, it belongs to StopZilla but the file is missing. If you like, we can edit it out of the registry with Registrar Lite:

http://www.resplendence.com/download/reglite.exe

Put it in its own folder.

Copy and paste the follow text into the address bar, then hit 'Go':

*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects*

In the pane on the right are the values associated with that key. 
We want to remove this one -> {E3215F20-3212-11D6-9F8B-00D0B743919D

Right click on it, and select delete. 
If you get a confirmation question, respond OK then close out the program.


----------



## Cookiegal (Aug 27, 2003)

You can download msconfig onto a W2K machine but I don't know if you can add system restore. Some Google searches may be helpful there.


----------



## stillwater (Jul 6, 2005)

Thanks so much, Cookiegal. Problem solved.


----------



## Cookiegal (Aug 27, 2003)

You're welcome. :up:


----------

