# Solved: Please review HJT



## cwelaw (Jul 30, 2004)

Would you please review the HJT log attached (too big to put in here) and assist in getting this machine back to normal! Flrman did a great job for me a while back on my system. Thank you.


----------



## Cookiegal (Aug 27, 2003)

Download and Save Spywadfix to your computer from this link: http://www.thespykiller.co.uk/files/spywadfix.exe and double click on the spywadfix.exe

It will automatically extract to c:\spywad, where it needs to be to run, and will automatically open the remove spywad.vbs script for you, ready for you to paste in the line mentioned below.

If it doesn't open, then go to c:\spywad and double click on remove spywad.vbs. Do not run any other file from there, please, unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

It will open an Input box. Paste this line into the box:

C:\WINDOWS\System32\Tmk.exe

The script will kill that process, backup and then delete any matching files in System32 and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Finally, it will Run hijackthis so that you can remove the orphaned run entries.

If hijackthis doesn't start, run it manually.

Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click fix checked.

O4 - HKLM\..\Run: [Aan] C:\WINDOWS\System32\Tmk.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Eut] C:\WINDOWS\System32\Atj.exe
O4 - HKLM\..\Run: [Vhv] C:\WINDOWS\Pke.exe
O4 - HKLM\..\Run: [Hlk] C:\WINDOWS\System32\Chf.exe
O4 - HKLM\..\Run: [Irp] C:\WINDOWS\Asf.exe
O4 - HKLM\..\Run: [Ork] C:\WINDOWS\Fdd.exe
O4 - HKLM\..\Run: [Mli] C:\WINDOWS\Qkf.exe
O4 - HKLM\..\Run: [Tav] C:\WINDOWS\System32\Lbs.exe
O4 - HKLM\..\Run: [Rec] C:\WINDOWS\Rsl.exe
O4 - HKLM\..\Run: [Jeb] C:\WINDOWS\System32\Fds.exe
O4 - HKLM\..\Run: [Qjq] C:\WINDOWS\System32\Oha.exe
O4 - HKLM\..\Run: [Sag] C:\WINDOWS\Oel.exe
O4 - HKLM\..\Run: [Pnc] C:\WINDOWS\Sok.exe
O4 - HKLM\..\Run: [Jpv] C:\WINDOWS\Ilg.exe
O4 - HKLM\..\Run: [Kor] C:\WINDOWS\System32\Omg.exe
O4 - HKLM\..\Run: [Cdo] C:\WINDOWS\System32\Kmc.exe
O4 - HKLM\..\Run: [Djg] C:\WINDOWS\System32\Edi.exe
O4 - HKLM\..\Run: [Rmg] C:\WINDOWS\System32\Pns.exe
O4 - HKLM\..\Run: [Ikl] C:\WINDOWS\Rfi.exe
O4 - HKLM\..\Run: [Lhr] C:\WINDOWS\Djf.exe
O4 - HKLM\..\Run: [Tvd] C:\WINDOWS\Nub.exe
O4 - HKLM\..\Run: [Lqp] C:\WINDOWS\System32\Qmt.exe
O4 - HKLM\..\Run: [Fbr] C:\WINDOWS\System32\Mij.exe
O4 - HKLM\..\Run: [Nqa] C:\WINDOWS\System32\Fdp.exe
O4 - HKLM\..\Run: [Vim] C:\WINDOWS\Rff.exe
O4 - HKLM\..\Run: [Vvj] C:\WINDOWS\System32\Flu.exe
O4 - HKLM\..\Run: [Phn] C:\WINDOWS\Ajs.exe
O4 - HKLM\..\Run: [Scc] C:\WINDOWS\System32\Snt.exe
O4 - HKLM\..\Run: [Edj] C:\WINDOWS\Bra.exe
O4 - HKLM\..\Run: [Tdn] C:\WINDOWS\System32\Aeo.exe
O4 - HKLM\..\Run: [Fdv] C:\WINDOWS\Ths.exe
O4 - HKLM\..\Run: [Jcr] C:\WINDOWS\System32\Bgn.exe
O4 - HKLM\..\Run: [Ogh] C:\WINDOWS\System32\Kiv.exe
O4 - HKLM\..\Run: [Elq] C:\WINDOWS\System32\Cmi.exe
O4 - HKLM\..\Run: [Fgs] C:\WINDOWS\System32\Urp.exe
O4 - HKLM\..\Run: [Phm] C:\WINDOWS\Omq.exe
O4 - HKLM\..\Run: [Dfp] C:\WINDOWS\Ntn.exe
O4 - HKLM\..\Run: [Ilc] C:\WINDOWS\Thr.exe
O4 - HKLM\..\Run: [Uop] C:\WINDOWS\Mbc.exe
O4 - HKLM\..\Run: [Cvk] C:\WINDOWS\System32\Uil.exe
O4 - HKLM\..\Run: [Tsc] C:\WINDOWS\Ltl.exe
O4 - HKLM\..\Run: [Ubb] C:\WINDOWS\Ijm.exe
O4 - HKLM\..\Run: [Pvh] C:\WINDOWS\Qbq.exe
O4 - HKLM\..\Run: [Atm] C:\WINDOWS\Khb.exe
O4 - HKLM\..\Run: [Prj] C:\WINDOWS\Hkp.exe
O4 - HKLM\..\Run: [Bhu] C:\WINDOWS\Dem.exe
O4 - HKLM\..\Run: [Crr] C:\WINDOWS\System32\Mgr.exe
O4 - HKLM\..\Run: [Cgl] C:\WINDOWS\System32\Amg.exe
O4 - HKLM\..\Run: [Rpj] C:\WINDOWS\Srq.exe
O4 - HKLM\..\Run: [Ejs] C:\WINDOWS\System32\Hrt.exe
O4 - HKLM\..\Run: [Fad] C:\WINDOWS\Orl.exe
O4 - HKLM\..\Run: [Gtm] C:\WINDOWS\Jrs.exe
O4 - HKLM\..\Run: [Tne] C:\WINDOWS\Vdc.exe
O4 - HKLM\..\Run: [Mfp] C:\WINDOWS\Hta.exe
O4 - HKLM\..\Run: [Tpo] C:\WINDOWS\System32\Rtv.exe
O4 - HKLM\..\Run: [Nku] C:\WINDOWS\System32\Gdm.exe
O4 - HKLM\..\Run: [Elm] C:\WINDOWS\System32\Eiv.exe
O4 - HKLM\..\Run: [Hnl] C:\WINDOWS\System32\Mfr.exe
O4 - HKLM\..\Run: [Uin] C:\WINDOWS\Ggi.exe
O4 - HKLM\..\Run: [Mkk] C:\WINDOWS\Agu.exe
O4 - HKLM\..\Run: [Tua] C:\WINDOWS\System32\Jnk.exe
O4 - HKLM\..\Run: [Kis] C:\WINDOWS\Qdk.exe
O4 - HKLM\..\Run: [Sru] C:\WINDOWS\Ggj.exe
O4 - HKLM\..\Run: [Dka] C:\WINDOWS\Des.exe
O4 - HKLM\..\Run: [Ccn] C:\WINDOWS\Qbp.exe
O4 - HKLM\..\Run: [Huq] C:\WINDOWS\System32\Hcl.exe
O4 - HKLM\..\Run: [Ott] C:\WINDOWS\Rdg.exe
O4 - HKLM\..\Run: [Peu] C:\WINDOWS\System32\Gdl.exe
O4 - HKLM\..\Run: [Hej] C:\WINDOWS\Prj.exe
O4 - HKLM\..\Run: [Rsa] C:\WINDOWS\Tac.exe
O4 - HKLM\..\Run: [Hic] C:\WINDOWS\System32\Ujo.exe
O4 - HKLM\..\Run: [Hma] C:\WINDOWS\System32\Upl.exe
O4 - HKLM\..\Run: [Udf] C:\WINDOWS\System32\Ppm.exe
O4 - HKLM\..\Run: [Ess] C:\WINDOWS\System32\Kvq.exe
O4 - HKLM\..\Run: [Dvq] C:\WINDOWS\System32\Idi.exe
O4 - HKLM\..\Run: [Mvj] C:\WINDOWS\System32\Vqc.exe
O4 - HKLM\..\Run: [Pof] C:\WINDOWS\System32\Jks.exe
O4 - HKLM\..\Run: [Lqi] C:\WINDOWS\Acg.exe
O4 - HKLM\..\Run: [Feu] C:\WINDOWS\Eik.exe
O4 - HKLM\..\Run: [Tmt] C:\WINDOWS\System32\Jen.exe
O4 - HKLM\..\Run: [Irs] C:\WINDOWS\Icu.exe
O4 - HKLM\..\Run: [Dsp] C:\WINDOWS\System32\Ecc.exe
O4 - HKLM\..\Run: [Lai] C:\WINDOWS\System32\Lnl.exe
O4 - HKLM\..\Run: [Dvu] C:\WINDOWS\System32\Fbk.exe
O4 - HKLM\..\Run: [Idc] C:\WINDOWS\System32\Kuo.exe
O4 - HKLM\..\Run: [All] C:\WINDOWS\System32\Lod.exe
O4 - HKLM\..\Run: [Ict] C:\WINDOWS\System32\Hrv.exe
O4 - HKLM\..\Run: [Ofp] C:\WINDOWS\Cqj.exe
O4 - HKLM\..\Run: [Gsq] C:\WINDOWS\System32\Erm.exe
O4 - HKLM\..\Run: [Kqj] C:\WINDOWS\System32\Fmt.exe
O4 - HKLM\..\Run: [Mrt] C:\WINDOWS\System32\Nmo.exe
O4 - HKLM\..\Run: [Iql] C:\WINDOWS\System32\Skl.exe
O4 - HKLM\..\Run: [Jae] C:\WINDOWS\System32\Cpq.exe
O4 - HKLM\..\Run: [Knt] C:\WINDOWS\Fjf.exe
O4 - HKLM\..\Run: [Ufa] C:\WINDOWS\Rbm.exe
O4 - HKLM\..\Run: [Frp] C:\WINDOWS\System32\Hbi.exe
O4 - HKLM\..\Run: [Ksv] C:\WINDOWS\System32\Kum.exe
O4 - HKLM\..\Run: [Gdp] C:\WINDOWS\Jpr.exe
O4 - HKLM\..\Run: [Klb] C:\WINDOWS\Jkd.exe
O4 - HKLM\..\Run: [Ddg] C:\WINDOWS\Bbp.exe
O4 - HKLM\..\Run: [Jck] C:\WINDOWS\Bfj.exe
O4 - HKLM\..\Run: [Idk] C:\WINDOWS\System32\Eju.exe
O4 - HKLM\..\Run: [Btr] C:\WINDOWS\Ndc.exe
O4 - HKLM\..\Run: [Rsj] C:\WINDOWS\System32\Pui.exe
O4 - HKLM\..\Run: [Mes] C:\WINDOWS\System32\Tqe.exe
O4 - HKLM\..\Run: [Sad] C:\WINDOWS\Grf.exe
O4 - HKLM\..\Run: [Kem] C:\WINDOWS\Tvq.exe
O4 - HKLM\..\Run: [Tfg] C:\WINDOWS\System32\Tji.exe
O4 - HKLM\..\Run: [Bpe] C:\WINDOWS\System32\Qna.exe
O4 - HKLM\..\Run: [Rum] C:\WINDOWS\Uoq.exe
O4 - HKLM\..\Run: [Fju] C:\WINDOWS\Poc.exe
O4 - HKLM\..\Run: [Eqn] C:\WINDOWS\Nak.exe
O4 - HKLM\..\Run: [Cla] C:\WINDOWS\Ibh.exe
O4 - HKLM\..\Run: [Igh] C:\WINDOWS\Ujq.exe
O4 - HKLM\..\Run: [Mlm] C:\WINDOWS\Aii.exe
O4 - HKLM\..\Run: [Qvk] C:\WINDOWS\Vpo.exe
O4 - HKLM\..\Run: [Ikq] C:\WINDOWS\Maf.exe
O4 - HKLM\..\Run: [Oue] C:\WINDOWS\System32\Ibg.exe
O4 - HKLM\..\Run: [Tmn] C:\WINDOWS\Hvc.exe
O4 - HKLM\..\Run: [Mic] C:\WINDOWS\Hfh.exe
O4 - HKLM\..\Run: [Mfq] C:\WINDOWS\Pfi.exe
O4 - HKLM\..\Run: [Ejh] C:\WINDOWS\System32\Mmp.exe
O4 - HKLM\..\Run: [Kdt] C:\WINDOWS\System32\Ppq.exe
O4 - HKLM\..\Run: [Mea] C:\WINDOWS\System32\Gnm.exe
O4 - HKLM\..\Run: [Ubj] C:\WINDOWS\Dpb.exe
O4 - HKLM\..\Run: [Shd] C:\WINDOWS\Rnv.exe
O4 - HKLM\..\Run: [Rhd] C:\WINDOWS\System32\Abh.exe
O4 - HKLM\..\Run: [Ckj] C:\WINDOWS\System32\Eta.exe
O4 - HKLM\..\Run: [Ein] C:\WINDOWS\System32\Qrd.exe
O4 - HKLM\..\Run: [Idq] C:\WINDOWS\System32\Hsk.exe
O4 - HKLM\..\Run: [Eil] C:\WINDOWS\Urp.exe
O4 - HKLM\..\Run: [Scj] C:\WINDOWS\Lfn.exe
O4 - HKLM\..\Run: [Lcu] C:\WINDOWS\System32\Ggv.exe
O4 - HKLM\..\Run: [Vga] C:\WINDOWS\Iia.exe
O4 - HKLM\..\Run: [Ito] C:\WINDOWS\System32\Qve.exe
O4 - HKLM\..\Run: [Reh] C:\WINDOWS\System32\Ffm.exe
O4 - HKLM\..\Run: [Fgd] C:\WINDOWS\Smo.exe
O4 - HKLM\..\Run: [Spk] C:\WINDOWS\System32\Hjh.exe
O4 - HKLM\..\Run: [Edh] C:\WINDOWS\Jok.exe
O4 - HKLM\..\Run: [Fne] C:\WINDOWS\Pqc.exe
O4 - HKLM\..\Run: [Sgr] C:\WINDOWS\Ivj.exe
O4 - HKLM\..\Run: [Vgp] C:\WINDOWS\Eog.exe
O4 - HKLM\..\Run: [Ekh] C:\WINDOWS\System32\Kng.exe
O4 - HKLM\..\Run: [Sgh] C:\WINDOWS\System32\Gog.exe
O4 - HKLM\..\Run: [Jbf] C:\WINDOWS\System32\Gul.exe
O4 - HKLM\..\Run: [Bda] C:\WINDOWS\Ljv.exe
O4 - HKLM\..\Run: [Hpq] C:\WINDOWS\System32\Hvl.exe
O4 - HKLM\..\Run: [Bue] C:\WINDOWS\Smg.exe
O4 - HKLM\..\Run: [Cgm] C:\WINDOWS\System32\Kln.exe
O4 - HKLM\..\Run: [Pbr] C:\WINDOWS\Cvf.exe
O4 - HKLM\..\Run: [Agc] C:\WINDOWS\System32\Efg.exe
O4 - HKLM\..\Run: [Kae] C:\WINDOWS\System32\Gde.exe
O4 - HKLM\..\Run: [Lhk] C:\WINDOWS\System32\Dqb.exe
O4 - HKLM\..\Run: [Hem] C:\WINDOWS\Tmc.exe
O4 - HKLM\..\Run: [Hfh] C:\WINDOWS\System32\Ffc.exe
O4 - HKLM\..\Run: [Vve] C:\WINDOWS\Kcm.exe
O4 - HKLM\..\Run: [Mfg] C:\WINDOWS\System32\Ist.exe
O4 - HKLM\..\Run: [Dsl] C:\WINDOWS\System32\Nsl.exe
O4 - HKLM\..\Run: [Mgk] C:\WINDOWS\Kio.exe
O4 - HKLM\..\Run: [Kmr] C:\WINDOWS\Tta.exe
O4 - HKLM\..\Run: [Qbe] C:\WINDOWS\System32\Ocp.exe
O4 - HKLM\..\Run: [Jec] C:\WINDOWS\System32\Ria.exe
O4 - HKLM\..\Run: [Mjs] C:\WINDOWS\System32\Acl.exe
O4 - HKLM\..\Run: [Qsh] C:\WINDOWS\System32\Phg.exe
O4 - HKLM\..\Run: [Fdf] C:\WINDOWS\System32\Thb.exe
O4 - HKLM\..\Run: [Sgg] C:\WINDOWS\Qaj.exe
O4 - HKLM\..\Run: [Kpl] C:\WINDOWS\Sfv.exe
O4 - HKLM\..\Run: [Jfd] C:\WINDOWS\Cfk.exe
O4 - HKLM\..\Run: [Hbt] C:\WINDOWS\System32\Ovf.exe
O4 - HKLM\..\Run: [Cdh] C:\WINDOWS\Oqb.exe
O4 - HKLM\..\Run: [Qap] C:\WINDOWS\Dom.exe
O4 - HKLM\..\Run: [Fgj] C:\WINDOWS\System32\Fvu.exe
O4 - HKLM\..\Run: [Vsl] C:\WINDOWS\Sme.exe
O4 - HKLM\..\Run: [Pnh] C:\WINDOWS\Hge.exe
O4 - HKLM\..\Run: [Ngr] C:\WINDOWS\System32\Vau.exe
O4 - HKLM\..\Run: [Mgd] C:\WINDOWS\Qrt.exe
O4 - HKLM\..\Run: [Cgb] C:\WINDOWS\Aki.exe
O4 - HKLM\..\Run: [Hfq] C:\WINDOWS\Lbi.exe
O4 - HKLM\..\Run: [Kqm] C:\WINDOWS\System32\Ccv.exe
O4 - HKLM\..\Run: [Fab] C:\WINDOWS\System32\Irg.exe
O4 - HKLM\..\Run: [Htt] C:\WINDOWS\System32\Vbe.exe
O4 - HKLM\..\Run: [Rqq] C:\WINDOWS\System32\Ota.exe
O4 - HKLM\..\Run: [Qec] C:\WINDOWS\System32\Hfb.exe
O4 - HKLM\..\Run: [Bal] C:\WINDOWS\System32\Kgo.exe
O4 - HKLM\..\Run: [Qlr] C:\WINDOWS\System32\Vsb.exe
O4 - HKLM\..\Run: [Uos] C:\WINDOWS\System32\Tlh.exe
O4 - HKLM\..\Run: [Oam] C:\WINDOWS\Ovv.exe
O4 - HKLM\..\Run: [Fie] C:\WINDOWS\Pqp.exe
O4 - HKLM\..\Run: [Lgl] C:\WINDOWS\Vdb.exe
O4 - HKLM\..\Run: [Kfm] C:\WINDOWS\System32\Vih.exe
O4 - HKLM\..\Run: [Aii] C:\WINDOWS\Ckh.exe
O4 - HKLM\..\Run: [Utr] C:\WINDOWS\Icl.exe
O4 - HKLM\..\Run: [Hkp] C:\WINDOWS\Tfl.exe
O4 - HKLM\..\Run: [Vgk] C:\WINDOWS\Nis.exe
O4 - HKLM\..\Run: [Bbr] C:\WINDOWS\System32\Nld.exe
O4 - HKLM\..\Run: [Occ] C:\WINDOWS\Hjs.exe
O4 - HKLM\..\Run: [Del] C:\WINDOWS\System32\Qrj.exe
O4 - HKLM\..\Run: [Rmv] C:\WINDOWS\Vfh.exe
O4 - HKLM\..\Run: [Ujn] C:\WINDOWS\System32\Cap.exe
O4 - HKLM\..\Run: [Ddo] C:\WINDOWS\Ric.exe
O4 - HKLM\..\Run: [Rgr] C:\WINDOWS\Bsv.exe
O4 - HKLM\..\Run: [Gol] C:\WINDOWS\Tsq.exe
O4 - HKLM\..\Run: [Mlk] C:\WINDOWS\Pur.exe
O4 - HKLM\..\Run: [Rho] C:\WINDOWS\Uph.exe
O4 - HKLM\..\Run: [Mjg] C:\WINDOWS\System32\Gfc.exe
O4 - HKLM\..\Run: [Rnt] C:\WINDOWS\System32\Hjr.exe
O4 - HKLM\..\Run: [Qgh] C:\WINDOWS\Alh.exe
O4 - HKLM\..\Run: [Sis] C:\WINDOWS\System32\Ilp.exe
O4 - HKLM\..\Run: [Upo] C:\WINDOWS\Utf.exe
O4 - HKLM\..\Run: [Gco] C:\WINDOWS\System32\Mjb.exe
O4 - HKLM\..\Run: [Lco] C:\WINDOWS\Lao.exe
O4 - HKLM\..\Run: [Lnu] C:\WINDOWS\System32\Sqs.exe
O4 - HKLM\..\Run: [Pcl] C:\WINDOWS\System32\Uus.exe
O4 - HKLM\..\Run: [Msd] C:\WINDOWS\System32\Qcm.exe
O4 - HKLM\..\Run: [Itd] C:\WINDOWS\System32\Lok.exe
O4 - HKLM\..\Run: [Quc] C:\WINDOWS\Qbn.exe
O4 - HKLM\..\Run: [Fdr] C:\WINDOWS\System32\Nqd.exe
O4 - HKLM\..\Run: [Cec] C:\WINDOWS\System32\Qcm.exe
O4 - HKLM\..\Run: [Jaq] C:\WINDOWS\Fao.exe
O4 - HKLM\..\Run: [Vgh] C:\WINDOWS\Gvj.exe
O4 - HKLM\..\Run: [Bdh] C:\WINDOWS\System32\Qnj.exe
O4 - HKLM\..\Run: [Ini] C:\WINDOWS\System32\Jmn.exe
O4 - HKLM\..\Run: [Rng] C:\WINDOWS\System32\Rgv.exe
O4 - HKLM\..\Run: [Nln] C:\WINDOWS\System32\Qjg.exe
O4 - HKLM\..\Run: [Pgc] C:\WINDOWS\System32\Its.exe
O4 - HKLM\..\Run: [Uhj] C:\WINDOWS\System32\Uum.exe
O4 - HKLM\..\Run: [Dke] C:\WINDOWS\System32\Etd.exe
O4 - HKLM\..\Run: [Pdg] C:\WINDOWS\System32\Iub.exe
O4 - HKLM\..\Run: [Ths] C:\WINDOWS\System32\Jdc.exe
O4 - HKLM\..\Run: [Uft] C:\WINDOWS\System32\Vju.exe
O4 - HKLM\..\Run: [Uei] C:\WINDOWS\Mgn.exe
O4 - HKLM\..\Run: [Fdm] C:\WINDOWS\Fib.exe
O4 - HKLM\..\Run: [Vvk] C:\WINDOWS\System32\Hqk.exe
O4 - HKLM\..\Run: [Abn] C:\WINDOWS\Krj.exe
O4 - HKLM\..\Run: [Npa] C:\WINDOWS\Rfm.exe
O4 - HKLM\..\Run: [Jkb] C:\WINDOWS\System32\Sah.exe
O4 - HKLM\..\Run: [Qpj] C:\WINDOWS\System32\Mbr.exe
O4 - HKLM\..\Run: [Fhn] C:\WINDOWS\Kgb.exe
O4 - HKCU\..\Run: [Aan] C:\WINDOWS\System32\Tmk.exe
O4 - HKCU\..\Run: [Eut] C:\WINDOWS\System32\Atj.exe
O4 - HKCU\..\Run: [Vhv] C:\WINDOWS\Pke.exe
O4 - HKCU\..\Run: [Hlk] C:\WINDOWS\System32\Chf.exe
O4 - HKCU\..\Run: [Irp] C:\WINDOWS\Asf.exe
O4 - HKCU\..\Run: [Ork] C:\WINDOWS\Fdd.exe
O4 - HKCU\..\Run: [Mli] C:\WINDOWS\Qkf.exe
O4 - HKCU\..\Run: [Tav] C:\WINDOWS\System32\Lbs.exe
O4 - HKCU\..\Run: [Rec] C:\WINDOWS\Rsl.exe
O4 - HKCU\..\Run: [Jeb] C:\WINDOWS\System32\Fds.exe
O4 - HKCU\..\Run: [Qjq] C:\WINDOWS\System32\Oha.exe
O4 - HKCU\..\Run: [Sag] C:\WINDOWS\Oel.exe
O4 - HKCU\..\Run: [Pnc] C:\WINDOWS\Sok.exe
O4 - HKCU\..\Run: [Jpv] C:\WINDOWS\Ilg.exe
O4 - HKCU\..\Run: [Kor] C:\WINDOWS\System32\Omg.exe
O4 - HKCU\..\Run: [Cdo] C:\WINDOWS\System32\Kmc.exe
O4 - HKCU\..\Run: [Djg] C:\WINDOWS\System32\Edi.exe
O4 - HKCU\..\Run: [Rmg] C:\WINDOWS\System32\Pns.exe
O4 - HKCU\..\Run: [Ikl] C:\WINDOWS\Rfi.exe
O4 - HKCU\..\Run: [Lhr] C:\WINDOWS\Djf.exe
O4 - HKCU\..\Run: [Tvd] C:\WINDOWS\Nub.exe
O4 - HKCU\..\Run: [Lqp] C:\WINDOWS\System32\Qmt.exe
O4 - HKCU\..\Run: [Fbr] C:\WINDOWS\System32\Mij.exe
O4 - HKCU\..\Run: [Nqa] C:\WINDOWS\System32\Fdp.exe
O4 - HKCU\..\Run: [Vim] C:\WINDOWS\Rff.exe
O4 - HKCU\..\Run: [Vvj] C:\WINDOWS\System32\Flu.exe
O4 - HKCU\..\Run: [Phn] C:\WINDOWS\Ajs.exe
O4 - HKCU\..\Run: [Scc] C:\WINDOWS\System32\Snt.exe
O4 - HKCU\..\Run: [Edj] C:\WINDOWS\Bra.exe
O4 - HKCU\..\Run: [Tdn] C:\WINDOWS\System32\Aeo.exe
O4 - HKCU\..\Run: [Fdv] C:\WINDOWS\Ths.exe
O4 - HKCU\..\Run: [Jcr] C:\WINDOWS\System32\Bgn.exe
O4 - HKCU\..\Run: [Ogh] C:\WINDOWS\System32\Kiv.exe
O4 - HKCU\..\Run: [Elq] C:\WINDOWS\System32\Cmi.exe
O4 - HKCU\..\Run: [Fgs] C:\WINDOWS\System32\Urp.exe
O4 - HKCU\..\Run: [Phm] C:\WINDOWS\Omq.exe
O4 - HKCU\..\Run: [Dfp] C:\WINDOWS\Ntn.exe
O4 - HKCU\..\Run: [Ilc] C:\WINDOWS\Thr.exe
O4 - HKCU\..\Run: [Uop] C:\WINDOWS\Mbc.exe
O4 - HKCU\..\Run: [Cvk] C:\WINDOWS\System32\Uil.exe
O4 - HKCU\..\Run: [Tsc] C:\WINDOWS\Ltl.exe
O4 - HKCU\..\Run: [Ubb] C:\WINDOWS\Ijm.exe
O4 - HKCU\..\Run: [Pvh] C:\WINDOWS\Qbq.exe
O4 - HKCU\..\Run: [Atm] C:\WINDOWS\Khb.exe
O4 - HKCU\..\Run: [Prj] C:\WINDOWS\Hkp.exe
O4 - HKCU\..\Run: [Bhu] C:\WINDOWS\Dem.exe
O4 - HKCU\..\Run: [Crr] C:\WINDOWS\System32\Mgr.exe
O4 - HKCU\..\Run: [Cgl] C:\WINDOWS\System32\Amg.exe
O4 - HKCU\..\Run: [Rpj] C:\WINDOWS\Srq.exe
O4 - HKCU\..\Run: [Ejs] C:\WINDOWS\System32\Hrt.exe
O4 - HKCU\..\Run: [Fad] C:\WINDOWS\Orl.exe
O4 - HKCU\..\Run: [Gtm] C:\WINDOWS\Jrs.exe
O4 - HKCU\..\Run: [Tne] C:\WINDOWS\Vdc.exe
O4 - HKCU\..\Run: [Mfp] C:\WINDOWS\Hta.exe
O4 - HKCU\..\Run: [Tpo] C:\WINDOWS\System32\Rtv.exe
O4 - HKCU\..\Run: [Nku] C:\WINDOWS\System32\Gdm.exe
O4 - HKCU\..\Run: [Elm] C:\WINDOWS\System32\Eiv.exe
O4 - HKCU\..\Run: [Hnl] C:\WINDOWS\System32\Mfr.exe
O4 - HKCU\..\Run: [Uin] C:\WINDOWS\Ggi.exe
O4 - HKCU\..\Run: [Mkk] C:\WINDOWS\Agu.exe
O4 - HKCU\..\Run: [Tua] C:\WINDOWS\System32\Jnk.exe
O4 - HKCU\..\Run: [Kis] C:\WINDOWS\Qdk.exe
O4 - HKCU\..\Run: [Sru] C:\WINDOWS\Ggj.exe
O4 - HKCU\..\Run: [Dka] C:\WINDOWS\Des.exe
O4 - HKCU\..\Run: [Ccn] C:\WINDOWS\Qbp.exe
O4 - HKCU\..\Run: [Huq] C:\WINDOWS\System32\Hcl.exe
O4 - HKCU\..\Run: [Ott] C:\WINDOWS\Rdg.exe
O4 - HKCU\..\Run: [Peu] C:\WINDOWS\System32\Gdl.exe
O4 - HKCU\..\Run: [Hej] C:\WINDOWS\Prj.exe
O4 - HKCU\..\Run: [Rsa] C:\WINDOWS\Tac.exe
O4 - HKCU\..\Run: [Hic] C:\WINDOWS\System32\Ujo.exe
O4 - HKCU\..\Run: [Hma] C:\WINDOWS\System32\Upl.exe
O4 - HKCU\..\Run: [Udf] C:\WINDOWS\System32\Ppm.exe
O4 - HKCU\..\Run: [Ess] C:\WINDOWS\System32\Kvq.exe
O4 - HKCU\..\Run: [Dvq] C:\WINDOWS\System32\Idi.exe
O4 - HKCU\..\Run: [Mvj] C:\WINDOWS\System32\Vqc.exe
O4 - HKCU\..\Run: [Pof] C:\WINDOWS\System32\Jks.exe
O4 - HKCU\..\Run: [Lqi] C:\WINDOWS\Acg.exe
O4 - HKCU\..\Run: [Feu] C:\WINDOWS\Eik.exe
O4 - HKCU\..\Run: [Tmt] C:\WINDOWS\System32\Jen.exe
O4 - HKCU\..\Run: [Irs] C:\WINDOWS\Icu.exe
O4 - HKCU\..\Run: [Dsp] C:\WINDOWS\System32\Ecc.exe
O4 - HKCU\..\Run: [Lai] C:\WINDOWS\System32\Lnl.exe
O4 - HKCU\..\Run: [Dvu] C:\WINDOWS\System32\Fbk.exe
O4 - HKCU\..\Run: [Idc] C:\WINDOWS\System32\Kuo.exe
O4 - HKCU\..\Run: [All] C:\WINDOWS\System32\Lod.exe
O4 - HKCU\..\Run: [Ict] C:\WINDOWS\System32\Hrv.exe
O4 - HKCU\..\Run: [Ofp] C:\WINDOWS\Cqj.exe
O4 - HKCU\..\Run: [Gsq] C:\WINDOWS\System32\Erm.exe
O4 - HKCU\..\Run: [Kqj] C:\WINDOWS\System32\Fmt.exe
O4 - HKCU\..\Run: [Mrt] C:\WINDOWS\System32\Nmo.exe
O4 - HKCU\..\Run: [Iql] C:\WINDOWS\System32\Skl.exe
O4 - HKCU\..\Run: [Jae] C:\WINDOWS\System32\Cpq.exe
O4 - HKCU\..\Run: [Knt] C:\WINDOWS\Fjf.exe
O4 - HKCU\..\Run: [Ufa] C:\WINDOWS\Rbm.exe
O4 - HKCU\..\Run: [Frp] C:\WINDOWS\System32\Hbi.exe
O4 - HKCU\..\Run: [Ksv] C:\WINDOWS\System32\Kum.exe
O4 - HKCU\..\Run: [Gdp] C:\WINDOWS\Jpr.exe
O4 - HKCU\..\Run: [Klb] C:\WINDOWS\Jkd.exe
O4 - HKCU\..\Run: [Ddg] C:\WINDOWS\Bbp.exe
O4 - HKCU\..\Run: [Jck] C:\WINDOWS\Bfj.exe
O4 - HKCU\..\Run: [Idk] C:\WINDOWS\System32\Eju.exe
O4 - HKCU\..\Run: [Btr] C:\WINDOWS\Ndc.exe
O4 - HKCU\..\Run: [Rsj] C:\WINDOWS\System32\Pui.exe
O4 - HKCU\..\Run: [Mes] C:\WINDOWS\System32\Tqe.exe
O4 - HKCU\..\Run: [Sad] C:\WINDOWS\Grf.exe
O4 - HKCU\..\Run: [Kem] C:\WINDOWS\Tvq.exe
O4 - HKCU\..\Run: [Tfg] C:\WINDOWS\System32\Tji.exe
O4 - HKCU\..\Run: [Bpe] C:\WINDOWS\System32\Qna.exe
O4 - HKCU\..\Run: [Rum] C:\WINDOWS\Uoq.exe
O4 - HKCU\..\Run: [Fju] C:\WINDOWS\Poc.exe
O4 - HKCU\..\Run: [Eqn] C:\WINDOWS\Nak.exe
O4 - HKCU\..\Run: [Cla] C:\WINDOWS\Ibh.exe
O4 - HKCU\..\Run: [Igh] C:\WINDOWS\Ujq.exe
O4 - HKCU\..\Run: [Mlm] C:\WINDOWS\Aii.exe
O4 - HKCU\..\Run: [Qvk] C:\WINDOWS\Vpo.exe
O4 - HKCU\..\Run: [Ikq] C:\WINDOWS\Maf.exe
O4 - HKCU\..\Run: [Oue] C:\WINDOWS\System32\Ibg.exe
O4 - HKCU\..\Run: [Tmn] C:\WINDOWS\Hvc.exe
O4 - HKCU\..\Run: [Mic] C:\WINDOWS\Hfh.exe
O4 - HKCU\..\Run: [Mfq] C:\WINDOWS\Pfi.exe
O4 - HKCU\..\Run: [Ejh] C:\WINDOWS\System32\Mmp.exe
O4 - HKCU\..\Run: [Kdt] C:\WINDOWS\System32\Ppq.exe
O4 - HKCU\..\Run: [Mea] C:\WINDOWS\System32\Gnm.exe
O4 - HKCU\..\Run: [Ubj] C:\WINDOWS\Dpb.exe
O4 - HKCU\..\Run: [Shd] C:\WINDOWS\Rnv.exe
O4 - HKCU\..\Run: [Rhd] C:\WINDOWS\System32\Abh.exe
O4 - HKCU\..\Run: [Ckj] C:\WINDOWS\System32\Eta.exe
O4 - HKCU\..\Run: [Ein] C:\WINDOWS\System32\Qrd.exe
O4 - HKCU\..\Run: [Idq] C:\WINDOWS\System32\Hsk.exe
O4 - HKCU\..\Run: [Eil] C:\WINDOWS\Urp.exe
O4 - HKCU\..\Run: [Scj] C:\WINDOWS\Lfn.exe
O4 - HKCU\..\Run: [Lcu] C:\WINDOWS\System32\Ggv.exe
O4 - HKCU\..\Run: [Vga] C:\WINDOWS\Iia.exe
O4 - HKCU\..\Run: [Ito] C:\WINDOWS\System32\Qve.exe
O4 - HKCU\..\Run: [Reh] C:\WINDOWS\System32\Ffm.exe
O4 - HKCU\..\Run: [Fgd] C:\WINDOWS\Smo.exe
O4 - HKCU\..\Run: [Spk] C:\WINDOWS\System32\Hjh.exe
O4 - HKCU\..\Run: [Edh] C:\WINDOWS\Jok.exe
O4 - HKCU\..\Run: [Fne] C:\WINDOWS\Pqc.exe
O4 - HKCU\..\Run: [Sgr] C:\WINDOWS\Ivj.exe
O4 - HKCU\..\Run: [Vgp] C:\WINDOWS\Eog.exe
O4 - HKCU\..\Run: [Ekh] C:\WINDOWS\System32\Kng.exe
O4 - HKCU\..\Run: [Sgh] C:\WINDOWS\System32\Gog.exe
O4 - HKCU\..\Run: [Jbf] C:\WINDOWS\System32\Gul.exe
O4 - HKCU\..\Run: [Bda] C:\WINDOWS\Ljv.exe
O4 - HKCU\..\Run: [Hpq] C:\WINDOWS\System32\Hvl.exe
O4 - HKCU\..\Run: [Bue] C:\WINDOWS\Smg.exe
O4 - HKCU\..\Run: [Cgm] C:\WINDOWS\System32\Kln.exe
O4 - HKCU\..\Run: [Pbr] C:\WINDOWS\Cvf.exe
O4 - HKCU\..\Run: [Agc] C:\WINDOWS\System32\Efg.exe
O4 - HKCU\..\Run: [Kae] C:\WINDOWS\System32\Gde.exe
O4 - HKCU\..\Run: [Lhk] C:\WINDOWS\System32\Dqb.exe
O4 - HKCU\..\Run: [Hem] C:\WINDOWS\Tmc.exe
O4 - HKCU\..\Run: [Hfh] C:\WINDOWS\System32\Ffc.exe
O4 - HKCU\..\Run: [Vve] C:\WINDOWS\Kcm.exe
O4 - HKCU\..\Run: [Mfg] C:\WINDOWS\System32\Ist.exe
O4 - HKCU\..\Run: [Dsl] C:\WINDOWS\System32\Nsl.exe
O4 - HKCU\..\Run: [Mgk] C:\WINDOWS\Kio.exe
O4 - HKCU\..\Run: [Kmr] C:\WINDOWS\Tta.exe
O4 - HKCU\..\Run: [Qbe] C:\WINDOWS\System32\Ocp.exe
O4 - HKCU\..\Run: [Jec] C:\WINDOWS\System32\Ria.exe
O4 - HKCU\..\Run: [Mjs] C:\WINDOWS\System32\Acl.exe
O4 - HKCU\..\Run: [Qsh] C:\WINDOWS\System32\Phg.exe
O4 - HKCU\..\Run: [Fdf] C:\WINDOWS\System32\Thb.exe
O4 - HKCU\..\Run: [Sgg] C:\WINDOWS\Qaj.exe
O4 - HKCU\..\Run: [Kpl] C:\WINDOWS\Sfv.exe
O4 - HKCU\..\Run: [Jfd] C:\WINDOWS\Cfk.exe
O4 - HKCU\..\Run: [Hbt] C:\WINDOWS\System32\Ovf.exe
O4 - HKCU\..\Run: [Cdh] C:\WINDOWS\Oqb.exe
O4 - HKCU\..\Run: [Qap] C:\WINDOWS\Dom.exe
O4 - HKCU\..\Run: [Fgj] C:\WINDOWS\System32\Fvu.exe
O4 - HKCU\..\Run: [Vsl] C:\WINDOWS\Sme.exe
O4 - HKCU\..\Run: [Pnh] C:\WINDOWS\Hge.exe
O4 - HKCU\..\Run: [Ngr] C:\WINDOWS\System32\Vau.exe
O4 - HKCU\..\Run: [Mgd] C:\WINDOWS\Qrt.exe
O4 - HKCU\..\Run: [Cgb] C:\WINDOWS\Aki.exe
O4 - HKCU\..\Run: [Hfq] C:\WINDOWS\Lbi.exe
O4 - HKCU\..\Run: [Kqm] C:\WINDOWS\System32\Ccv.exe
O4 - HKCU\..\Run: [Fab] C:\WINDOWS\System32\Irg.exe
O4 - HKCU\..\Run: [Htt] C:\WINDOWS\System32\Vbe.exe
O4 - HKCU\..\Run: [Rqq] C:\WINDOWS\System32\Ota.exe
O4 - HKCU\..\Run: [Qec] C:\WINDOWS\System32\Hfb.exe
O4 - HKCU\..\Run: [Bal] C:\WINDOWS\System32\Kgo.exe
O4 - HKCU\..\Run: [Qlr] C:\WINDOWS\System32\Vsb.exe
O4 - HKCU\..\Run: [Uos] C:\WINDOWS\System32\Tlh.exe
O4 - HKCU\..\Run: [Oam] C:\WINDOWS\Ovv.exe
O4 - HKCU\..\Run: [Fie] C:\WINDOWS\Pqp.exe
O4 - HKCU\..\Run: [Lgl] C:\WINDOWS\Vdb.exe
O4 - HKCU\..\Run: [Kfm] C:\WINDOWS\System32\Vih.exe
O4 - HKCU\..\Run: [Aii] C:\WINDOWS\Ckh.exe
O4 - HKCU\..\Run: [Utr] C:\WINDOWS\Icl.exe
O4 - HKCU\..\Run: [Hkp] C:\WINDOWS\Tfl.exe
O4 - HKCU\..\Run: [Vgk] C:\WINDOWS\Nis.exe
O4 - HKCU\..\Run: [Bbr] C:\WINDOWS\System32\Nld.exe
O4 - HKCU\..\Run: [Occ] C:\WINDOWS\Hjs.exe
O4 - HKCU\..\Run: [Del] C:\WINDOWS\System32\Qrj.exe
O4 - HKCU\..\Run: [Rmv] C:\WINDOWS\Vfh.exe
O4 - HKCU\..\Run: [Ujn] C:\WINDOWS\System32\Cap.exe
O4 - HKCU\..\Run: [Ddo] C:\WINDOWS\Ric.exe
O4 - HKCU\..\Run: [Rgr] C:\WINDOWS\Bsv.exe
O4 - HKCU\..\Run: [Gol] C:\WINDOWS\Tsq.exe
O4 - HKCU\..\Run: [Mlk] C:\WINDOWS\Pur.exe
O4 - HKCU\..\Run: [Rho] C:\WINDOWS\Uph.exe
O4 - HKCU\..\Run: [Mjg] C:\WINDOWS\System32\Gfc.exe
O4 - HKCU\..\Run: [Rnt] C:\WINDOWS\System32\Hjr.exe
O4 - HKCU\..\Run: [Qgh] C:\WINDOWS\Alh.exe
O4 - HKCU\..\Run: [Sis] C:\WINDOWS\System32\Ilp.exe
O4 - HKCU\..\Run: [Upo] C:\WINDOWS\Utf.exe
O4 - HKCU\..\Run: [Gco] C:\WINDOWS\System32\Mjb.exe
O4 - HKCU\..\Run: [Lco] C:\WINDOWS\Lao.exe
O4 - HKCU\..\Run: [Lnu] C:\WINDOWS\System32\Sqs.exe
O4 - HKCU\..\Run: [Pcl] C:\WINDOWS\System32\Uus.exe
O4 - HKCU\..\Run: [Msd] C:\WINDOWS\System32\Qcm.exe
O4 - HKCU\..\Run: [Itd] C:\WINDOWS\System32\Lok.exe
O4 - HKCU\..\Run: [Quc] C:\WINDOWS\Qbn.exe
O4 - HKCU\..\Run: [Fdr] C:\WINDOWS\System32\Nqd.exe
O4 - HKCU\..\Run: [Cec] C:\WINDOWS\System32\Qcm.exe
O4 - HKCU\..\Run: [Jaq] C:\WINDOWS\Fao.exe
O4 - HKCU\..\Run: [Vgh] C:\WINDOWS\Gvj.exe
O4 - HKCU\..\Run: [Bdh] C:\WINDOWS\System32\Qnj.exe
O4 - HKCU\..\Run: [Ini] C:\WINDOWS\System32\Jmn.exe
O4 - HKCU\..\Run: [Rng] C:\WINDOWS\System32\Rgv.exe
O4 - HKCU\..\Run: [Nln] C:\WINDOWS\System32\Qjg.exe
O4 - HKCU\..\Run: [Pgc] C:\WINDOWS\System32\Its.exe
O4 - HKCU\..\Run: [Uhj] C:\WINDOWS\System32\Uum.exe
O4 - HKCU\..\Run: [Dke] C:\WINDOWS\System32\Etd.exe
O4 - HKCU\..\Run: [Pdg] C:\WINDOWS\System32\Iub.exe
O4 - HKCU\..\Run: [Ths] C:\WINDOWS\System32\Jdc.exe
O4 - HKCU\..\Run: [Uft] C:\WINDOWS\System32\Vju.exe
O4 - HKCU\..\Run: [Uei] C:\WINDOWS\Mgn.exe
O4 - HKCU\..\Run: [Fdm] C:\WINDOWS\Fib.exe
O4 - HKCU\..\Run: [Vvk] C:\WINDOWS\System32\Hqk.exe
O4 - HKCU\..\Run: [Abn] C:\WINDOWS\Krj.exe
O4 - HKCU\..\Run: [Npa] C:\WINDOWS\Rfm.exe
O4 - HKCU\..\Run: [Jkb] C:\WINDOWS\System32\Sah.exe
O4 - HKCU\..\Run: [Qpj] C:\WINDOWS\System32\Mbr.exe
O4 - HKCU\..\Run: [Fhn] C:\WINDOWS\Kgb.exe

When finished, post the contents of Spywad.txt and a new Hijackthis log. There will be more to fix with HJT and more to do as well but this is a first step.
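The procedure above comes down to killing the randomly named startup program, removing its files and then clearing the orphaned Run entries. As an added example (not code from the thread, the spywadfix script or HijackThis), the Python below triages HijackThis O4 lines for the pattern that fix list targets; the sample log is constructed from entries quoted in this thread, and every heuristic is drawn from those entries rather than from a general malware signature.

```python
import re
from dataclasses import dataclass, field

# Triage heuristics, all taken from entries visible in this thread:
#   1. a random capitalised three-letter value name launching a three-letter
#      .exe dropped straight into C:\WINDOWS or C:\WINDOWS\System32;
#   2. a value name containing non-printable or non-ASCII characters
#      (the ISTsvc entries in the later log);
#   3. a Run value named "Shell" (the [Shell] open32.exe line);
#   4. any other entry whose target is the same file as an already flagged
#      entry (how [ikvl895] C:\WINDOWS\mjgpd.exe gets caught).
# Finally, flagged (name, target) pairs present under both HKLM and HKCU are
# counted, since the infection mirrors every entry in both hives.

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.*)\] (?P<cmd>.*)$")
RANDOM_NAME_RE = re.compile(r"^[A-Z][a-z]{2}$")
RANDOM_EXE_RE = re.compile(r"^C:\\WINDOWS\\(?:System32\\)?[A-Z][a-z]{2}\.exe$")


@dataclass
class Finding:
    hive: str
    name: str
    cmd: str
    reasons: list = field(default_factory=list)


def parse_o4(text):
    """Return (hive, name, cmd) for every O4 Run line; other lines are ignored.
    The name group is greedy so a garbled value name containing ']' still
    splits at the last '] ' before the launched command."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.rstrip())
        if m:
            entries.append((m["hive"], m["name"], m["cmd"]))
    return entries


def is_garbled(name):
    return any(ord(ch) < 32 or ord(ch) > 126 for ch in name)


def triage(text):
    entries = parse_o4(text)
    findings = {}
    for hive, name, cmd in entries:
        reasons = []
        if RANDOM_NAME_RE.match(name) and RANDOM_EXE_RE.match(cmd):
            reasons.append("random 3-letter name launching 3-letter exe in Windows dir")
        if is_garbled(name):
            reasons.append("garbled value name")
        if name.lower() == "shell":
            reasons.append("Run value named Shell")
        if reasons:
            findings[(hive, name, cmd)] = Finding(hive, name, cmd, reasons)
    # Second pass: anything that launches the same file as a flagged entry.
    bad_targets = {f.cmd.lower() for f in findings.values()}
    for hive, name, cmd in entries:
        key = (hive, name, cmd)
        if key not in findings and cmd.lower() in bad_targets:
            findings[key] = Finding(hive, name, cmd, ["same target as a flagged entry"])
    return list(findings.values())


def mirrored_pairs(findings):
    """Count flagged (name, cmd) pairs that appear under both HKLM and HKCU."""
    hives_by_pair = {}
    for f in findings:
        hives_by_pair.setdefault((f.name, f.cmd), set()).add(f.hive)
    return sum(1 for hives in hives_by_pair.values() if hives == {"HKLM", "HKCU"})


# Constructed sample: legitimate and infected lines quoted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [ikvl8ÏÔ@ÔÁß]§ú"üüC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Aan] C:\WINDOWS\System32\Tmk.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Vhv] C:\WINDOWS\Pke.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aan] C:\WINDOWS\System32\Tmk.exe
O4 - HKCU\..\Run: [Vhv] C:\WINDOWS\Pke.exe
'''

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.hive} [{f.name}] {f.cmd} -> {'; '.join(f.reasons)}")
    print(f"{len(results)} flagged, {mirrored_pairs(results)} mirrored in both hives")
```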


----------



## cwelaw (Jul 30, 2004)

Thanks, will do the above and get back to you. This is on my son Matt's machine.


----------



## Cookiegal (Aug 27, 2003)

No problem.


----------



## cwelaw (Jul 30, 2004)

Cookie, I did the Spywad but did not get a Spywad.txt log file, just the System and Windows folders. Also, it did not kill Explorer, restart it or run Hijack this automatically. What should I do next?


----------



## Cookiegal (Aug 27, 2003)

Continue with the rest of the instructions and then post another Hijack This log.


----------



## cwelaw (Jul 30, 2004)

OK, thanks.


----------



## Cookiegal (Aug 27, 2003)

:up:


----------



## cwelaw (Jul 30, 2004)

Here is the new HJT log. I can't copy what was in the Systems and Windows folders from Spywad:

Logfile of HijackThis v1.99.0
Scan saved at 7:23:49 PM, on 4/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\open32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C07C118-09D3-4869-83B6-FC05F6759A88} - C:\WINDOWS\System32\inni.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [ikvl8ÏÔ@ÔÁß]§ú"üüC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [¢¸K0¨4W
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [¢¸K0Ô@ÔÁß]§ú"üüiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [¢¸K0ÔÁß]§ú"üüigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [¢¸K0Ô@ÔÁß]§ú"ü¸K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [ynmjetkd] C:\WINDOWS\ynmjetkd.exe
O4 - HKLM\..\Run: [ikvl8ÏÔÁß]§ú"üüigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [¢¸K0¨4W
}ïÁzîigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe
O4 - HKLM\..\Run: [Lil] C:\WINDOWS\System32\Ecv.exe
O4 - HKLM\..\Run: [Kcv] C:\WINDOWS\System32\Eth.exe
O4 - HKLM\..\Run: [Ccr] C:\WINDOWS\System32\Hcm.exe
O4 - HKLM\..\Run: [Kfd] C:\WINDOWS\Lvq.exe
O4 - HKLM\..\Run: [Lcf] C:\WINDOWS\System32\Bus.exe
O4 - HKLM\..\Run: [Roa] C:\WINDOWS\System32\Hoj.exe
O4 - HKLM\..\Run: [Osh] C:\WINDOWS\System32\Tng.exe
O4 - HKLM\..\Run: [Guc] C:\WINDOWS\Udi.exe
O4 - HKLM\..\Run: [Ibg] C:\WINDOWS\System32\Qaa.exe
O4 - HKLM\..\Run: [Svr] C:\WINDOWS\Ibn.exe
O4 - HKLM\..\Run: [Bvp] C:\WINDOWS\System32\Mph.exe
O4 - HKLM\..\Run: [Rcg] C:\WINDOWS\Mkn.exe
O4 - HKLM\..\Run: [Gql] C:\WINDOWS\System32\Oot.exe
O4 - HKLM\..\Run: [Pra] C:\WINDOWS\Dhl.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe
O4 - HKCU\..\Run: [Lil] C:\WINDOWS\System32\Ecv.exe
O4 - HKCU\..\Run: [Kcv] C:\WINDOWS\System32\Eth.exe
O4 - HKCU\..\Run: [Ccr] C:\WINDOWS\System32\Hcm.exe
O4 - HKCU\..\Run: [Kfd] C:\WINDOWS\Lvq.exe
O4 - HKCU\..\Run: [Lcf] C:\WINDOWS\System32\Bus.exe
O4 - HKCU\..\Run: [Roa] C:\WINDOWS\System32\Hoj.exe
O4 - HKCU\..\Run: [Osh] C:\WINDOWS\System32\Tng.exe
O4 - HKCU\..\Run: [Guc] C:\WINDOWS\Udi.exe
O4 - HKCU\..\Run: [Ibg] C:\WINDOWS\System32\Qaa.exe
O4 - HKCU\..\Run: [Svr] C:\WINDOWS\Ibn.exe
O4 - HKCU\..\Run: [Bvp] C:\WINDOWS\System32\Mph.exe
O4 - HKCU\..\Run: [Rcg] C:\WINDOWS\Mkn.exe
O4 - HKCU\..\Run: [Gql] C:\WINDOWS\System32\Oot.exe
O4 - HKCU\..\Run: [Pra] C:\WINDOWS\Dhl.exe
O4 - Startup: winupdate67070701[1].exe
O4 - Startup: winupdate67898385[1].exe
O4 - Startup: winupdate81090145[1].exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## Cookiegal (Aug 27, 2003)

Run this uninstaller:

http://sarc.com/avcenter/venc/data/adware.istbar.html

Go to Control Panel - Add/Remove programs and remove the following, if there:

*Viewpoint
AWS (WeatherBug)
WildTangent
Media Access*

Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click fix checked.

O2 - BHO: (no name) - {6C07C118-09D3-4869-83B6-FC05F6759A88} - C:\WINDOWS\System32\inni.dll (file missing)

O4 - HKLM\..\Run: [ikvl8ÏÔ@ÔÁß]§ú" üüC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [¢¸K0¨4W
}ïÁz î¬[ 8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [¢¸K0Ô@ÔÁß]§ú" üüiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [¢¸K0ÔÁß]§ú" üüigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [¢¸K0Ô@ÔÁß]§ú" ü¸K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [ynmjetkd] C:\WINDOWS\ynmjetkd.exe

O4 - HKLM\..\Run: [ikvl8ÏÔÁß]§ú" üüigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [¢¸K0¨4W
}ïÁz îigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe

O4 - HKLM\..\Run: [Lil] C:\WINDOWS\System32\Ecv.exe

O4 - HKLM\..\Run: [Kcv] C:\WINDOWS\System32\Eth.exe

O4 - HKLM\..\Run: [Ccr] C:\WINDOWS\System32\Hcm.exe

O4 - HKLM\..\Run: [Kfd] C:\WINDOWS\Lvq.exe

O4 - HKLM\..\Run: [Lcf] C:\WINDOWS\System32\Bus.exe

O4 - HKLM\..\Run: [Roa] C:\WINDOWS\System32\Hoj.exe

O4 - HKLM\..\Run: [Osh] C:\WINDOWS\System32\Tng.exe

O4 - HKLM\..\Run: [Guc] C:\WINDOWS\Udi.exe

O4 - HKLM\..\Run: [Ibg] C:\WINDOWS\System32\Qaa.exe

O4 - HKLM\..\Run: [Svr] C:\WINDOWS\Ibn.exe

O4 - HKLM\..\Run: [Bvp] C:\WINDOWS\System32\Mph.exe

O4 - HKLM\..\Run: [Rcg] C:\WINDOWS\Mkn.exe

O4 - HKLM\..\Run: [Gql] C:\WINDOWS\System32\Oot.exe

O4 - HKLM\..\Run: [Pra] C:\WINDOWS\Dhl.exe

O4 - HKLM\..\Run: [Shell] open32.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe

O4 - HKCU\..\Run: [Lil] C:\WINDOWS\System32\Ecv.exe

O4 - HKCU\..\Run: [Kcv] C:\WINDOWS\System32\Eth.exe

O4 - HKCU\..\Run: [Ccr] C:\WINDOWS\System32\Hcm.exe

O4 - HKCU\..\Run: [Kfd] C:\WINDOWS\Lvq.exe

O4 - HKCU\..\Run: [Lcf] C:\WINDOWS\System32\Bus.exe

O4 - HKCU\..\Run: [Roa] C:\WINDOWS\System32\Hoj.exe

O4 - HKCU\..\Run: [Osh] C:\WINDOWS\System32\Tng.exe

O4 - HKCU\..\Run: [Guc] C:\WINDOWS\Udi.exe

O4 - HKCU\..\Run: [Ibg] C:\WINDOWS\System32\Qaa.exe

O4 - HKCU\..\Run: [Svr] C:\WINDOWS\Ibn.exe

O4 - HKCU\..\Run: [Bvp] C:\WINDOWS\System32\Mph.exe

O4 - HKCU\..\Run: [Rcg] C:\WINDOWS\Mkn.exe

O4 - HKCU\..\Run: [Gql] C:\WINDOWS\System32\Oot.exe

O4 - HKCU\..\Run: [Pra] C:\WINDOWS\Dhl.exe

O4 - Startup: winupdate67070701[1].exe

O4 - Startup: winupdate67898385[1].exe

O4 - Startup: winupdate81090145[1].exe

O4 - Global Startup: Exif Launcher.lnk = ?

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: (HKLM)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...e/bridge-c8.cab

O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx

Then boot to safe mode (see how below), locate and delete these files and/or folders:

C:\Program Files\ISTsvc - folder
C:\WINDOWS\mjgpd.exe - file
C:\WINDOWS\ynmjetkd.exe - file
C:\Program Files\Viewpoint - folder
C:\Program Files\ISTsvc - folder
C:\Program Files\Media Access - folder
C:\Program Files\WildTangent - folder
C:\WINDOWS\System32\Bkf.exe - file
C:\WINDOWS\System32\Ecv.exe - file
C:\WINDOWS\System32\Eth.exe - file
C:\WINDOWS\System32\Hcm.exe - file
C:\WINDOWS\Lvq.exe - file
C:\WINDOWS\System32\Bus.exe - file
C:\WINDOWS\System32\Hoj.exe - file
C:\WINDOWS\System32\Tng.exe - file
C:\WINDOWS\Udi.exe - file
C:\WINDOWS\System32\Qaa.exe - file
C:\WINDOWS\Ibn.exe - file
C:\WINDOWS\System32\Mph.exe - file
C:\WINDOWS\Mkn.exe - file
C:\WINDOWS\System32\Oot.exe - file
C:\WINDOWS\Dhl.exe - file
open32.exe - file
C:\Program Files\AWS - folder
C:\WINDOWS\System32\Bkf.exe - file
C:\WINDOWS\System32\Ecv.exe - file
C:\WINDOWS\System32\Eth.exe - file
C:\WINDOWS\System32\Hcm.exe - file
C:\WINDOWS\Lvq.exe - file
C:\WINDOWS\System32\Bus.exe - file
C:\WINDOWS\System32\Hoj.exe - file
C:\WINDOWS\System32\Tng.exe - file
C:\WINDOWS\Udi.exe - file
C:\WINDOWS\System32\Qaa.exe - file
C:\WINDOWS\Ibn.exe - file
C:\WINDOWS\System32\Mph.exe - file
C:\WINDOWS\Mkn.exe - file
C:\WINDOWS\System32\Oot.exe - file
C:\WINDOWS\Dhl.exe - file
C:\PROGRA~1\AWS - folder

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Is there more than one user profile on this machine?

Reboot and post another Hijack This log please.
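The fix list above is built by reading the O4 and O15 lines of the log by eye. As an added illustration (this is not HijackThis code and not part of the fix in this thread), the following script does that first pass automatically: it flags Run entries whose target is a random three-letter .exe dropped straight into C:\WINDOWS or System32, Run entries whose name is non-printable junk (the ISTsvc lines), Startup items named like an Internet Explorer cache download (winupdate...[1].exe), and every O15 Trusted Zone / Trusted IP range line, and it reports which entries are mirrored under both HKLM and HKCU. The sample lines are copied from the log posted above; the regular expressions and the assumption that the log file is ANSI text are mine.

```python
"""Triage helper for HijackThis (HJT) logs.

Constructed example for this thread; it is not part of HijackThis or of
the fix posted above. Given the text of a saved log it returns the O4 and
O15 lines that show the traits of the infection discussed here:

  * Run entries whose target is a random three-letter .exe dropped
    straight into C:\\WINDOWS or C:\\WINDOWS\\System32 (Suf -> Bkf.exe);
  * Run entries whose name is non-printable junk (the ISTsvc lines);
  * Startup items named like an Internet Explorer cache download
    (winupdate...[1].exe);
  * every O15 Trusted Zone / Trusted IP range line.
"""
import re
import sys
from collections import defaultdict

RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*)\] (.*)$')
STARTUP_RE = re.compile(r'^O4 - (?:Global )?Startup: (.*)$')
TRUSTED_RE = re.compile(r'^O15 - Trusted (?:Zone|IP range):')
# Random three-letter droppers such as Bkf.exe / Lvq.exe in the Windows dirs
THREE_LETTER_EXE = re.compile(r'^C:\\WINDOWS\\(?:System32\\)?[A-Za-z]{3}\.exe$', re.I)
# "[1].exe" is how IE names a file it saved from its cache
CACHE_DOWNLOAD = re.compile(r'\[\d+\]\.exe$', re.I)

# Lines copied from the log in the thread (the second ISTsvc entry is
# split across two lines exactly as the forum rendered it).
SAMPLE_LOG = r'''O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ikvl8ÏÔ@ÔÁß]§ú"üüC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [¢¸K0¨4W
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe
O4 - HKLM\..\Run: [Kfd] C:\WINDOWS\Lvq.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe
O4 - Startup: winupdate67070701[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 64.62.171.156
'''


def _join_broken_entries(lines):
    """Re-join an O4 entry whose junk name contains a line break."""
    out, i = [], 0
    while i < len(lines):
        line = lines[i]
        if (line.startswith('O4 -') and '[' in line and ']' not in line
                and i + 1 < len(lines)):
            line += lines[i + 1]
            i += 1
        out.append(line)
        i += 1
    return out


def _junk_name(name):
    """True when the Run entry name holds anything outside printable ASCII."""
    return any(not 32 <= ord(ch) <= 126 for ch in name)


def triage(log_text):
    """Return the log lines a reviewer would tick in 'fix checked'."""
    flagged = []
    for line in _join_broken_entries(log_text.splitlines()):
        m = RUN_RE.match(line)
        if m:
            _hive, name, target = m.groups()
            if _junk_name(name) or THREE_LETTER_EXE.match(target.strip('"')):
                flagged.append(line)
            continue
        m = STARTUP_RE.match(line)
        if m and CACHE_DOWNLOAD.search(m.group(1)):
            flagged.append(line)
        elif TRUSTED_RE.match(line):
            flagged.append(line)
    return flagged


def mirrored_entries(log_text):
    """Names of Run entries registered under both HKLM and HKCU, a trait of
    this infection that is easy to miss when reading a long log."""
    hives = defaultdict(set)
    for line in _join_broken_entries(log_text.splitlines()):
        m = RUN_RE.match(line)
        if m:
            hive, name, target = m.groups()
            hives[(name, target)].add(hive)
    return sorted(name for (name, _t), seen in hives.items()
                  if seen == {'HKLM', 'HKCU'})


if __name__ == '__main__':
    text = SAMPLE_LOG
    if len(sys.argv) > 1:
        # Assumption: HJT logs of this era are ANSI text, so read as Latin-1
        with open(sys.argv[1], encoding='latin-1', errors='replace') as fh:
            text = fh.read()
    for entry in triage(text):
        print(entry)
    print('mirrored HKLM/HKCU entries:', mirrored_entries(text))
```

Run it with a saved log as the only argument (or with no argument to see it work on the sample lines). It is a first pass only: a legitimate program can still have a three-letter name, and the mirrored-entry report is what tells you a single "fix checked" round will not be enough because both hives need the same cleanup.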


----------



## cwelaw (Jul 30, 2004)

Good Morning. The Symantec uninstaller page is "temporarily unavailable." Will keep checking back to that page to run it. Can I do the rest and then do the uninstaller later?


----------



## Cookiegal (Aug 27, 2003)

Yes, go ahead.


----------



## cwelaw (Jul 30, 2004)

Still can't get on the Symantec removal tool site. Did the rest of the instructions, noting though that some of the files/folders could not be found. I did have the hidden, system and protected system files/folders shown. Thanks so far, and look forward to what's next. Couple of items I would like to mention are that after I ran Spywad, some of the problems went away, only to return later and I can't get anything to happen when I right click on the mouse. Here's the HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:57:39 AM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\System32\Kci.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\Start Menu\Programs\Startup\winupdate67070701[1].exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hijackthis\HijackThis program 4-23-5.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKLM\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKLM\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKLM\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKLM\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKLM\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKLM\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKLM\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKLM\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKLM\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKLM\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKLM\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKCU\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKCU\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKCU\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKCU\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKCU\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKCU\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKCU\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKCU\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKCU\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKCU\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKCU\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - Startup: winupdate67070701[1].exe
O4 - Startup: winupdate67898385[1].exe
O4 - Startup: winupdate81090145[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## Cookiegal (Aug 27, 2003)

The right click is a known problem with this infection and there is a fix for that to be done later.

First we need to clean up every user. Are there other users?


----------



## cwelaw (Jul 30, 2004)

Sorry, no other user profiles on this machine


----------



## Cookiegal (Aug 27, 2003)

We will need to run the fix again from the start. Please remove the spywadfix file that you had before and redownload it.

Download and Save Spywadfix to your computer from this link: http://www.thespykiller.co.uk/files/spywadfix.exe and double click on the spywadfix.exe

It will automatically extract to c:\spywad where it needs to be to run and will automatically open the remove spywad.vbs script for you ready to paste in the line mentioned below.

If it doesn't open then go to c:\spywad and double click on the remove spywad.vbs. Do not run any other file from there please unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

It will open an Input box. Paste this line into the box

*C:\WINDOWS\System32\Kci.exe*

The script will kill that process, backup and then delete any matching files in System32 and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

** Script Does not remove the orphaned run entries.

Finally, it will Run hijackthis so that you can remove the orphaned run entries and anything else as instructed by your Advisor on the forums.

If hijackthis doesn't start, run it manually.

--------------------------
When finished, post the contents of Spywad.txt and a new Hijackthis log.

If the files deleted are all found to be part of the infection and nothing important has been deleted, you will be instructed to delete the entire Spywad Folder after you have cleaned up all other User Profiles on that system.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the C:\Spywad folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

Then run Hijackthis and remove the entries as directed by your Forum Advisor.

To restore the desktop to whatever picture you normally have, right click on a blank part of the desktop and select Properties > Desktop, select your preferred picture, press Apply and then OK to exit, and then either reboot or log off and on again to change the desktop settings.

You will need to do this step for every user account.
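The post above describes what the script does with the files: back up and then remove any file with the same name as the process in System32 and the Windows directory, remove desktop.html and popup.html from the Windows directory, and record every removal in Spywad.txt, with the backups kept under Systems and Window. As an added example (my own code, not the spywad script; it does not kill the process and does not touch the registry, which the script also does), the routine below implements just that quarantine-with-log step. All paths are parameters so it runs against a scratch directory, and run_demo() builds such a tree from constructed placeholder files.

```python
"""Quarantine-with-log routine modelled on the file handling the thread
describes for the spywad script. Constructed example, not the script's
own code: it does not kill the process and does not repair the registry.

Layout mirrors the thread: backups under <quarantine>/Systems (files
taken from System32) and <quarantine>/Window (files taken from the
Windows directory), log appended to <quarantine>/Spywad.txt.
"""
import datetime
import os
import shutil
import tempfile


def _find_ci(folder, fname):
    """On-disk name matching fname case-insensitively, or None. Windows
    paths are case-insensitive; a scratch tree on Linux is not."""
    if not os.path.isdir(folder):
        return None
    for entry in os.listdir(folder):
        if entry.lower() == fname.lower() and os.path.isfile(os.path.join(folder, entry)):
            return entry
    return None


def quarantine_matching(target_exe, windows_dir, quarantine_dir):
    """Move every file named like target_exe found in windows_dir or its
    System32 subfolder, plus desktop.html and popup.html from windows_dir,
    into quarantine_dir. Returns the log lines written for this run."""
    name = os.path.basename(target_exe)
    system32 = os.path.join(windows_dir, 'System32')
    backup_for = {system32: 'Systems', windows_dir: 'Window'}
    candidates = [(system32, name), (windows_dir, name),
                  (windows_dir, 'desktop.html'), (windows_dir, 'popup.html')]
    log_lines = []
    for folder, fname in candidates:
        actual = _find_ci(folder, fname)
        if actual is None:
            continue
        src = os.path.join(folder, actual)
        dest_dir = os.path.join(quarantine_dir, backup_for[folder])
        os.makedirs(dest_dir, exist_ok=True)
        shutil.move(src, os.path.join(dest_dir, actual))   # backup, not delete
        stamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
        log_lines.append(f'{stamp} moved {src} -> {dest_dir}')
    os.makedirs(quarantine_dir, exist_ok=True)
    with open(os.path.join(quarantine_dir, 'Spywad.txt'), 'a', encoding='utf-8') as log:
        for entry in log_lines:
            log.write(entry + '\n')
    return log_lines


def run_demo():
    """Build a scratch Windows tree from constructed placeholder files,
    run the routine on the Kci.exe name from the thread, and report what
    moved, what stayed, and what the quarantine folder now holds."""
    root = tempfile.mkdtemp(prefix='spywad_demo_')
    win = os.path.join(root, 'WINDOWS')
    os.makedirs(os.path.join(win, 'System32'))
    for rel in ('System32/Kci.exe', 'Kci.exe', 'popup.html', 'System32/notepad.exe'):
        with open(os.path.join(win, *rel.split('/')), 'w') as fh:
            fh.write('constructed placeholder\n')
    qdir = os.path.join(root, 'Spywad')
    moved = quarantine_matching(os.path.join(win, 'System32', 'Kci.exe'), win, qdir)

    def listing(base):
        return sorted(os.path.relpath(os.path.join(d, f), base).replace(os.sep, '/')
                      for d, _dirs, files in os.walk(base) for f in files)
    with open(os.path.join(qdir, 'Spywad.txt'), encoding='utf-8') as fh:
        log_entries = fh.read().splitlines()
    result = {'moved': len(moved), 'left': listing(win),
              'quarantined': listing(qdir), 'log_entries': len(log_entries)}
    shutil.rmtree(root)
    return result


if __name__ == '__main__':
    for key, value in run_demo().items():
        print(f'{key}: {value}')
```

The point of keeping the backups and the log is the one the post makes later: if Spywad.txt shows that only infection files were moved, the whole folder can be deleted; if something legitimate went with them, it can be put back.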


----------



## sportscrazy (Nov 27, 2004)

I recommend that you download and run a full system scan (deep scan) with Microsoft's Antispyware Scanner. If you run a full scan with it, it will remove most of your problems without you having to do anything so click here to download.


----------



## cwelaw (Jul 30, 2004)

Cookiegal:
I deleted and ran spywad - again, no text file. Also ran sportscrazy's suggestion. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:52:26 AM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\Oal.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\Start Menu\Programs\Startup\winupdate67070701[1].exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hijackthis\HijackThis program 4-23-5.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKLM\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKLM\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKLM\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKLM\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKLM\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKLM\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKLM\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKLM\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKLM\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKLM\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKLM\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - HKLM\..\Run: [Dlr] C:\WINDOWS\System32\Rub.exe
O4 - HKLM\..\Run: [Afc] C:\WINDOWS\Gec.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Rcs] C:\WINDOWS\System32\Pnf.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKCU\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKCU\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKCU\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKCU\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKCU\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKCU\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKCU\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKCU\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKCU\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKCU\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKCU\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - HKCU\..\Run: [Dlr] C:\WINDOWS\System32\Rub.exe
O4 - HKCU\..\Run: [Afc] C:\WINDOWS\Gec.exe
O4 - HKCU\..\Run: [Rcs] C:\WINDOWS\System32\Pnf.exe
O4 - Startup: winupdate67070701[1].exe
O4 - Startup: winupdate67898385[1].exe
O4 - Startup: winupdate81090145[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## Cookiegal (Aug 27, 2003)

I'm going to ask someone else to take a look at this.


----------



## cwelaw (Jul 30, 2004)

OK, thanks


----------



## sportscrazy (Nov 27, 2004)

I would also recommend that you enable all the *Security Agents* that may help in the time that Cookiegal is calling someone.

Enabling The *Security Agents*:

1) Open *Microsoft Antispyware Scanner*
2) Go to *Real-time Protection*
3) Hold the mouse on the name of the Agent (repeat for all three agents)
4) If not already done, click on *Activate*
5) If the only option is to deactivate, then it's already been done! 
6) Repeat this step for all 3 Agents (Internet Agents, System Agents, Application Agents) 

I can't help you any more than that...just wait for a professional!

Ps. Did it find anything when you ran a Full system Scan (including Deep scan folders)?


----------



## Cookiegal (Aug 27, 2003)

OK, I spoke with dvk01 and he suggests running the spywadfix in safe mode. It appears it's M$ antispyware that is blocking registry changes, so when you reboot to normal mode do NOT let M$ AS fix anything. It will warn of changed entries, so allow the changes; DO NOT restore to previous versions.

This time around the file name that you will have to enter in the first part of the fix is: *C:\WINDOWS\Oal.exe*

(whereas the last time it was *C:\WINDOWS\System32\Kci.exe*)

Please go through the entire process again but in safe mode and post the txt log created by the spywad fix and a new Hijack This log.


----------



## cwelaw (Jul 30, 2004)

Thanks, I had all activated when I loaded it. Yes, it found 2 trojans and 8 spyware/adware.


----------



## cwelaw (Jul 30, 2004)

Cookiegal - the last reply from me was to sportscrazy. Did what you said and it came up that C:\WINDOWS\Oal.exe did not exist. What's next?


----------



## cwelaw (Jul 30, 2004)

Also, I did not have M$ AS on system the first couple of times I tried to run Spywad, I added it only after suggestion from Sportscrazy.


----------



## Cookiegal (Aug 27, 2003)

Post a new HJT log please. The file may have changed again.


----------



## cwelaw (Jul 30, 2004)

have at it! (P.S. thanks for all the help!)

Logfile of HijackThis v1.99.1
Scan saved at 2:46:55 PM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\Hhi.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\Start Menu\Programs\Startup\winupdate67070701[1].exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis program 4-23-5.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKLM\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKLM\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKLM\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKLM\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKLM\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKLM\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKLM\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKLM\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKLM\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKLM\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKLM\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - HKLM\..\Run: [Dlr] C:\WINDOWS\System32\Rub.exe
O4 - HKLM\..\Run: [Afc] C:\WINDOWS\Gec.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Rcs] C:\WINDOWS\System32\Pnf.exe
O4 - HKLM\..\Run: [Efn] C:\WINDOWS\System32\Sql.exe
O4 - HKLM\..\Run: [Ahh] C:\WINDOWS\Rhh.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKCU\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKCU\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKCU\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKCU\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKCU\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKCU\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKCU\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKCU\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKCU\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKCU\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKCU\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - HKCU\..\Run: [Dlr] C:\WINDOWS\System32\Rub.exe
O4 - HKCU\..\Run: [Afc] C:\WINDOWS\Gec.exe
O4 - HKCU\..\Run: [Rcs] C:\WINDOWS\System32\Pnf.exe
O4 - HKCU\..\Run: [Efn] C:\WINDOWS\System32\Sql.exe
O4 - HKCU\..\Run: [Ahh] C:\WINDOWS\Rhh.exe
O4 - HKCU\..\Run: [Uvd] C:\WINDOWS\System32\Lgv.exe
O4 - HKCU\..\Run: [Hps] C:\WINDOWS\System32\Fab.exe
O4 - HKCU\..\Run: [Tej] C:\WINDOWS\Rpv.exe
O4 - HKCU\..\Run: [Snm] C:\WINDOWS\Spr.exe
O4 - Startup: winupdate67070701[1].exe
O4 - Startup: winupdate67898385[1].exe
O4 - Startup: winupdate81090145[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## Cookiegal (Aug 27, 2003)

Redownload and Save Spywadfix to your computer from this link: http://www.thespykiller.co.uk/files/spywadfix.exe

*Then boot to safe mode* and double click on the spywadfix.exe

It will automatically extract to c:\spywad where it needs to be to run and will automatically open the remove spywad.vbs script for you ready to paste in the line mentioned below.

If it doesn't open then go to c:\spywad and double click on the remove spywad.vbs. Do not run any other file from there please unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

It will open an Input box. Type this line into the box:

*C:\WINDOWS\Hhi.exe*

The script will kill that process, backup and then delete any matching files in System32 and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

** Script Does not remove the orphaned run entries.

Finally, it will Run hijackthis so that you can remove the orphaned run entries and anything else as instructed by your Advisor on the forums.

If hijackthis doesn't start, run it manually.

--------------------------
When finished, post the contents of Spywad.txt and a new Hijackthis log.

If the files deleted are all found to be part of the infection and nothing important has been deleted, you will be instructed to delete the entire Spywad Folder after you have cleaned up all other User Profiles on that system.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the C:\Spywad folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

Then run Hijackthis and remove the entries as directed by your Forum Advisor.

To restore the desktop to whatever picture you normally have, right click on a blank part of the desktop and select Properties > Desktop, select your preferred picture, press Apply and then OK to exit, and then either reboot or log off and on again to change the desktop settings.
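The Spywadfix script only kills one process and deletes the matching files; the Run entries it leaves behind, and the new three-letter files that keep appearing between logs (compare the 11:52 AM and 2:46 PM logs above), still have to be picked out of the HijackThis output by hand. As an added example that is not part of this thread, and not the Spywadfix script or anything from its author, here is a small Python triage script that parses the O4 (autostart) lines of two HijackThis logs, flags the entries that fit the pattern seen in this infection, notes which of them are registered under both HKLM and HKCU Run (so fixing one hive alone leaves the other to restart it), and lists what is new since the earlier log. The pattern rules are heuristics I chose from the logs above, not signatures; the sample lines are excerpted from the two logs in the thread and trimmed.

```python
"""Triage HijackThis O4 (autostart) entries for spywad-style persistence.

Added example for this thread, not part of the original posts or of the
Spywadfix script. The heuristics below are assumptions drawn from the
pattern visible in the logs above: three-letter executables dropped into
C:\\WINDOWS and C:\\WINDOWS\\System32, each registered under both HKLM and
HKCU Run, plus winupdateNNN[1].exe files in the per-user Startup folder,
with new file names appearing between reboots.
"""
import re
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str, str]  # (location, value name, command)

# Constructed sample: O4 lines excerpted from the two logs in this thread
# (scans saved 11:52 AM and 2:46 PM on 4/24/2005), trimmed to a few each.
LOG_EARLY = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKLM\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKCU\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - Startup: winupdate67070701[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

LOG_LATER = LOG_EARLY + r"""
O4 - HKLM\..\Run: [Efn] C:\WINDOWS\System32\Sql.exe
O4 - HKLM\..\Run: [Ahh] C:\WINDOWS\Rhh.exe
O4 - HKCU\..\Run: [Efn] C:\WINDOWS\System32\Sql.exe
O4 - HKCU\..\Run: [Ahh] C:\WINDOWS\Rhh.exe
O4 - HKCU\..\Run: [Uvd] C:\WINDOWS\System32\Lgv.exe
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): (.*)$")

# (reason, regex applied to the command). Heuristics, not signatures.
SUSPICIOUS = [
    ("three-letter exe in Windows or System32",
     re.compile(r"^C:\\WINDOWS\\(System32\\)?[A-Za-z]{3}\.exe$", re.IGNORECASE)),
    ("short random-looking exe in Windows root",
     re.compile(r"^C:\\WINDOWS\\[a-z]{4,6}\.exe$")),
    ("winupdateNNN[1].exe in Startup folder",
     re.compile(r"^winupdate\d+\[\d+\]\.exe$", re.IGNORECASE)),
]


def parse_o4(log_text: str) -> List[Entry]:
    """Return (location, name, command) for every O4 line in a HijackThis log."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append((m.group(1), "", m.group(2)))
    return entries


def reasons_for(entry: Entry) -> List[str]:
    """Heuristic reasons an entry looks like part of this infection."""
    _, _, cmd = entry
    return [reason for reason, rx in SUSPICIOUS if rx.match(cmd)]


def triage(log_text: str) -> Dict[Entry, List[str]]:
    """Map each suspicious entry to its reasons, including HKLM/HKCU pairing."""
    entries = parse_o4(log_text)
    flagged: Dict[Entry, List[str]] = {}
    for e in entries:
        r = reasons_for(e)
        if r:
            flagged[e] = r
    # The dropper registers each file under both hives, so fixing one Run
    # key leaves the other to restart it; note the pairing explicitly.
    hives: Dict[Tuple[str, str], Set[str]] = {}
    for loc, name, cmd in entries:
        if loc in ("HKLM", "HKCU"):
            hives.setdefault((name, cmd), set()).add(loc)
    for loc, name, cmd in flagged:
        if hives.get((name, cmd)) == {"HKLM", "HKCU"}:
            flagged[(loc, name, cmd)].append("same entry in both HKLM and HKCU Run")
    return flagged


def new_entries(old_log: str, new_log: str) -> List[Entry]:
    """O4 entries present in the newer log but not in the older one."""
    old = set(parse_o4(old_log))
    return sorted(e for e in parse_o4(new_log) if e not in old)


def report(old_log: str, new_log: str) -> str:
    """Human-readable summary: flagged entries, then what appeared since old_log."""
    lines = []
    for (loc, name, cmd), reasons in sorted(triage(new_log).items()):
        label = f"{loc} [{name}]" if name else loc
        lines.append(f"{label:22} {cmd:45} <- {'; '.join(reasons)}")
    lines.append("")
    lines.append("New since previous log:")
    for loc, name, cmd in new_entries(old_log, new_log):
        lines.append(f"  {loc} [{name}] {cmd}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_EARLY, LOG_LATER))
```

Run it against two full logs saved to files (read them in place of the embedded samples) and the "New since previous log" list is the set of names to give the fix script next, while the HKLM/HKCU pairing tells you which Run entries to fix together in HijackThis so the other hive does not resurrect the file on the next reboot.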


----------



## cwelaw (Jul 30, 2004)

OK, I did the above in Safe Mode, but got an error message: Line 82, Char 5, Error: Input past end of file Code: 800A003E MS VBScript runtime error. Deleted Spywad and the folder and tried it in regular mode, and it came up that it can't find it, and tried running it again and got the same error info noted above.


----------



## Cookiegal (Aug 27, 2003)

Let's see what your log looks like now.


----------



## cwelaw (Jul 30, 2004)

Logfile of HijackThis v1.99.1
Scan saved at 4:21:04 PM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\Start Menu\Programs\Startup\winupdate81090145[1].exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hijackthis\HijackThis program 4-23-5.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKLM\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKLM\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKLM\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKLM\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKLM\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKLM\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKLM\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKLM\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKLM\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKLM\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKLM\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - HKLM\..\Run: [Dlr] C:\WINDOWS\System32\Rub.exe
O4 - HKLM\..\Run: [Afc] C:\WINDOWS\Gec.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Rcs] C:\WINDOWS\System32\Pnf.exe
O4 - HKLM\..\Run: [Efn] C:\WINDOWS\System32\Sql.exe
O4 - HKLM\..\Run: [Ahh] C:\WINDOWS\Rhh.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKCU\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKCU\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKCU\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKCU\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKCU\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKCU\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKCU\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKCU\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKCU\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKCU\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKCU\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - HKCU\..\Run: [Dlr] C:\WINDOWS\System32\Rub.exe
O4 - HKCU\..\Run: [Afc] C:\WINDOWS\Gec.exe
O4 - HKCU\..\Run: [Rcs] C:\WINDOWS\System32\Pnf.exe
O4 - HKCU\..\Run: [Efn] C:\WINDOWS\System32\Sql.exe
O4 - HKCU\..\Run: [Ahh] C:\WINDOWS\Rhh.exe
O4 - HKCU\..\Run: [Uvd] C:\WINDOWS\System32\Lgv.exe
O4 - HKCU\..\Run: [Hps] C:\WINDOWS\System32\Fab.exe
O4 - HKCU\..\Run: [Tej] C:\WINDOWS\Rpv.exe
O4 - HKCU\..\Run: [Snm] C:\WINDOWS\Spr.exe
O4 - HKCU\..\Run: [Nof] C:\WINDOWS\System32\Rat.exe
O4 - HKCU\..\Run: [Dvk] C:\WINDOWS\Fcu.exe
O4 - HKCU\..\Run: [Dpm] C:\WINDOWS\System32\Psi.exe
O4 - HKCU\..\Run: [Ljs] C:\WINDOWS\Tnp.exe
O4 - Startup: winupdate67070701[1].exe
O4 - Startup: winupdate67898385[1].exe
O4 - Startup: winupdate81090145[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## Cookiegal (Aug 27, 2003)

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop.

Run Killbox and paste the FIRST ONE of these lines into the box, select "delete on reboot", then press the red X button; say yes to the prompt but NO to "reboot now".

Then continue to paste the lines in turn and follow the above procedure every time. If it says the file is missing or unable to delete, make a note of the file name and let us know when you reply.

*C:\WINDOWS\mjgpd.exe
C:\WINDOWS\System32\Kci.exe
C:\WINDOWS\Hhi.exe
C:\WINDOWS\Dkc.exe
C:\WINDOWS\System32\Jdh.exe
C:\WINDOWS\Oal.exe
C:\WINDOWS\System32\Nph.exe
C:\WINDOWS\System32\Gds.exe
C:\WINDOWS\System32\Ksv.exe
C:\WINDOWS\Fcs.exe
C:\WINDOWS\Ham.exe
C:\WINDOWS\System32\Fjn.exe
C:\WINDOWS\System32\Rha.exe
C:\WINDOWS\System32\Rub.exe
C:\WINDOWS\Gec.exe
C:\WINDOWS\System32\Pnf.exe
C:\WINDOWS\System32\Sql.exe
C:\WINDOWS\Rhh.exe
C:\WINDOWS\System32\Kci.exe
C:\WINDOWS\Hhi.exe
C:\WINDOWS\Dkc.exe
C:\WINDOWS\System32\Jdh.exe
C:\WINDOWS\Oal.exe
C:\WINDOWS\System32\Nph.exe
C:\WINDOWS\System32\Gds.exe
C:\WINDOWS\System32\Ksv.exe
C:\WINDOWS\Fcs.exe
C:\WINDOWS\Ham.exe
C:\WINDOWS\System32\Fjn.exe
C:\WINDOWS\System32\Rha.exe
C:\WINDOWS\System32\Rub.exe
C:\WINDOWS\Gec.exe
C:\WINDOWS\System32\Pnf.exe
C:\WINDOWS\System32\Sql.exe
C:\WINDOWS\Rhh.exe
C:\WINDOWS\System32\Lgv.exe
C:\WINDOWS\System32\Fab.exe
C:\WINDOWS\Rpv.exe
C:\WINDOWS\Spr.exe
C:\WINDOWS\System32\Rat.exe
C:\WINDOWS\Fcu.exe
C:\WINDOWS\System32\Psi.exe
C:\WINDOWS\Tnp.exe*

Then on Killboxs top bar press tools and then empty temp files and follow those prompts and say yes to everything. Reboot the computer.

Then run Hijack This, put a tick in the box beside the entries listed below, make sure all browser windows are closed and press Fix checked.

*O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKLM\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKLM\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKLM\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKLM\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKLM\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKLM\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKLM\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKLM\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKLM\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKLM\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKLM\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - HKLM\..\Run: [Dlr] C:\WINDOWS\System32\Rub.exe
O4 - HKLM\..\Run: [Afc] C:\WINDOWS\Gec.exe
O4 - HKLM\..\Run: [Rcs] C:\WINDOWS\System32\Pnf.exe
O4 - HKLM\..\Run: [Efn] C:\WINDOWS\System32\Sql.exe
O4 - HKLM\..\Run: [Ahh] C:\WINDOWS\Rhh.exe
O4 - HKCU\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKCU\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKCU\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKCU\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKCU\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKCU\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKCU\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKCU\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKCU\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKCU\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKCU\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKCU\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - HKCU\..\Run: [Dlr] C:\WINDOWS\System32\Rub.exe
O4 - HKCU\..\Run: [Afc] C:\WINDOWS\Gec.exe
O4 - HKCU\..\Run: [Rcs] C:\WINDOWS\System32\Pnf.exe
O4 - HKCU\..\Run: [Efn] C:\WINDOWS\System32\Sql.exe
O4 - HKCU\..\Run: [Ahh] C:\WINDOWS\Rhh.exe
O4 - HKCU\..\Run: [Uvd] C:\WINDOWS\System32\Lgv.exe
O4 - HKCU\..\Run: [Hps] C:\WINDOWS\System32\Fab.exe
O4 - HKCU\..\Run: [Tej] C:\WINDOWS\Rpv.exe
O4 - HKCU\..\Run: [Snm] C:\WINDOWS\Spr.exe
O4 - HKCU\..\Run: [Nof] C:\WINDOWS\System32\Rat.exe
O4 - HKCU\..\Run: [Dvk] C:\WINDOWS\Fcu.exe
O4 - HKCU\..\Run: [Dpm] C:\WINDOWS\System32\Psi.exe
O4 - HKCU\..\Run: [Ljs] C:\WINDOWS\Tnp.exe*

Reboot and post another Hijack This log.
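The triage done by hand in this reply (pick out the O4 Run entries whose target is a short, randomly named executable sitting directly in C:\WINDOWS or System32, then turn them into a Killbox file list and a HijackThis fix list) can be scripted. The Python below is an added example, not part of this thread, HijackThis or Killbox; the log it runs on is a constructed excerpt modelled on the log posted above, and the naming heuristic is an assumption of this example, not a rule HijackThis itself applies.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the HJT v1.99.1 log posted in this thread
# (a handful of lines only; paths and value names taken from the log above).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Kci.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKCU\..\Run: [Uvd] C:\WINDOWS\System32\Lgv.exe
O4 - Startup: winupdate67070701[1].exe
"""

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
EXE_PATH = re.compile(r'"?([A-Za-z]:\\.+?\.exe)\b', re.IGNORECASE)

# Folders where a loose, randomly named executable is out of place: the bare
# Windows directory and System32, as opposed to vendor folders under Program Files.
SUSPECT_DIRS = {r"c:\windows", r"c:\windows\system32"}
RANDOM_STEM = re.compile(r"[A-Za-z]{2,5}")      # Kci, Hhi, mjgpd ... (assumed heuristic)
RANDOM_NAME = re.compile(r"[A-Za-z0-9]{2,8}")   # Can, Gut, ikvl895 ... (assumed heuristic)


def parse_o4(log_text):
    """Return the HKLM/HKCU Run entries as dicts with hive, name, path and line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, name, rest = m.groups()
        p = EXE_PATH.match(rest)
        entries.append({"hive": hive, "name": name,
                        "path": p.group(1) if p else None, "line": line.strip()})
    return entries


def running_processes(log_text):
    """Lower-cased set of the paths listed under 'Running processes:'."""
    paths, collecting = set(), False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            paths.add(line.strip().lower())
    return paths


def is_suspicious(entry):
    r"""Heuristic used in the thread: a short random file stem dropped straight
    into C:\WINDOWS or System32, registered under a short random value name."""
    path = entry["path"]
    if not path:
        return False                       # bare names like SOUNDMAN.EXE: skip
    folder, _, base = path.rpartition("\\")
    if folder.lower() not in SUSPECT_DIRS:
        return False
    stem = base[:-4]                       # drop ".exe"
    return bool(RANDOM_STEM.fullmatch(stem)) and bool(RANDOM_NAME.fullmatch(entry["name"]))


def triage(log_text):
    """Build the two lists the reply asks for: files for Killbox and O4 lines for
    HijackThis. Files are de-duplicated (HKLM and HKCU usually point at the same
    binary) and cross-checked against the running-process list, since a file
    that is still running is exactly the case 'delete on reboot' exists for."""
    suspects = [e for e in parse_o4(log_text) if is_suspicious(e)]
    files = list(OrderedDict.fromkeys(e["path"] for e in suspects))
    running = running_processes(log_text)
    return {
        "files_to_delete": files,
        "hjt_lines_to_fix": [e["line"] for e in suspects],
        "running_now": [f for f in files if f.lower() in running],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Killbox list (delete on reboot):")
    for f in result["files_to_delete"]:
        print("  ", f, "(currently running)" if f in result["running_now"] else "")
    print("HijackThis entries to fix:")
    for entry_line in result["hjt_lines_to_fix"]:
        print("  ", entry_line)
```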


----------



## cwelaw (Jul 30, 2004)

Nothing came up as missing or could not be deleted. Current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:05:33 PM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\Start Menu\Programs\Startup\winupdate67070701[1].exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis program 4-23-5.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: winupdate67070701[1].exe
O4 - Startup: winupdate67898385[1].exe
O4 - Startup: winupdate81090145[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## cwelaw (Jul 30, 2004)

I'll be back in 20


----------



## cwelaw (Jul 30, 2004)

Forget the last log. Forgot to reboot this time. New log coming.


----------



## cwelaw (Jul 30, 2004)

Here is the correct new log:

Logfile of HijackThis v1.99.1
Scan saved at 5:12:46 PM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\User\Start Menu\Programs\Startup\winupdate67070701[1].exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\hijackthis\HijackThis program 4-23-5.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: winupdate67070701[1].exe
O4 - Startup: winupdate67898385[1].exe
O4 - Startup: winupdate81090145[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## cwelaw (Jul 30, 2004)

I'm back.


----------



## Cookiegal (Aug 27, 2003)

That took care of the Spywad problem, but there is another problem.

Run this tool:

http://www.atribune.org/downloads/HSFix.zip

Reboot and post another log please.


----------



## cwelaw (Jul 30, 2004)

DL'd and unzipped, but nothing is running. Clicked on Process.exe and a black screen popped up and went away; clicked on sc.exe and got a black screen with stuff I don't understand - looks like commands of some sort. There are two other files: hsfix.reg and hsfix.bat.
Please advise.


----------



## Cookiegal (Aug 27, 2003)

Instructions for HSFix:

After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder. 

Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat" 

A log will be produced which you can close out of.

Also, post the HSFix log, which is found at C:\hslog.txt.

Copy and paste the entire contents to your reply along with the Hijackthis log.


----------



## cwelaw (Jul 30, 2004)

hslog:

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
tmp*.tmp
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
winupdate file found
-
-

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:47:00 PM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\hijackthis\HijackThis program 4-23-5.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## Cookiegal (Aug 27, 2003)

Good job!

The log looks good now. How's everything running?


----------



## cwelaw (Jul 30, 2004)

Still no good. Can't right-click on anything.


----------



## Cookiegal (Aug 27, 2003)

Did you do this part?



> I have included another vbs to do this. It is named Other Profiles Regfix.vbs
> 
> Have each User sign in and run Other Profiles Regfix.vbs
> Open C:\ (Go to Start>Run and type C: Press enter) and Open the C:\Spywad folder. Double click on Other Profiles Regfix.vbs
> ...


----------



## cwelaw (Jul 30, 2004)

Sorry, no; I thought it was only if there were other user profiles on the system. Will do now.


----------



## cwelaw (Jul 30, 2004)

Did the above and got "The system cannot find the file specified", Code 80070002, Source (null). Do I need to do something different? Should I do this in Safe Mode as Administrator rather than User?


----------



## Cookiegal (Aug 27, 2003)

Try it in safe mode as Administrator then.


----------



## cwelaw (Jul 30, 2004)

Still did not work to where I get my right mouse button back, but the page that was being displayed as wallpaper is gone. I ran Spywad as Administrator for Other Profiles and went ahead and ran Spywad (the regular one) as User in Safe Mode while I was there. Still no right-click.


----------



## Cookiegal (Aug 27, 2003)

Try running this fix and see if it repairs the right click.

http://www.visualtour.com/downloads/xp_fix.exe


----------



## cwelaw (Jul 30, 2004)

On a different computer right now as I can't get online with the problem one. IE comes up and starts to load a page, but then just starts "flashing", with the status bar flashing too. Will it ever end?!?!?!?! Thanks again for all your help. I will run MS AntiSpyware etc. and see if there is anything causing this and will get back to you. I'm in CA and will be having to leave for work shortly, so I may not be back in touch till later.


----------



## Cookiegal (Aug 27, 2003)

I'm not sure, but the tool I suggested may fit onto a floppy. Also, you could try a Winsock repair if you've lost the connection. It should also fit onto a floppy.

1.) Download http://www.tacktech.com/pub/winsockfix/WinsockFix.zip. (by: Option^Explicit) or http://www.spychecker.com/program/winsockxpfix.html
2.) UnZip WinsockFix.zip (Pay close attention to where the file is extracted to.)
3.) Run WinsockFix.exe.
4.) Click the Fix button.


----------



## cwelaw (Jul 30, 2004)

I'm back. DL'd the fix you sent for the right-click problem, but it's not working. The only thing I can right-click on and it works is the bottom toolbar to close/restore something there. Of course, I am back online with the computer that was a problem. Did not have to DL the other fixes for that issue, i.e. the flashing. Here is a current HJT. Please see if there is anything amiss as well. Thanks. Interesting NOTE - I just right-clicked out of habit to paste the log in here and it worked. It just doesn't seem to work on the desktop and on files.

Logfile of HijackThis v1.99.1
Scan saved at 7:16:25 PM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\hijackthis\HijackThis program 4-23-5.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## cwelaw (Jul 30, 2004)

PS - the only tool I ran was the one in note #49. Note #51 was unclear as to whether it was for the right-click issue or for the flashing problem with IE.


----------



## cwelaw (Jul 30, 2004)

Well, I went ahead and did the Winsock fix; figured it couldn't hurt after reading the reviews. All is fine IE-wise, but still, right-click won't work.


----------



## Cookiegal (Aug 27, 2003)

Download and Save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double click on the cleandesktop.exe

It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script.

If it doesn't open, then go to c:\desktopclean and double click on the cleandesktop.vbs. Do not run any other file from there, please, unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

If you get a message when you first run it, "Can not find script file "blah blah blah"", then don't worry; just double click the cleandesktop.vbs script again, as you sometimes get that message when a script blocker blocks the script.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.
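
The post above describes what cleandesktop.vbs does (kill Explorer, repair the registry entries that control the desktop and context menu, restart Explorer) without showing the script itself, and the thread never names the registry values involved. The following is an added example, not the cleandesktop.vbs from thespykiller.co.uk and not code from anyone in this thread: a stand-alone VBScript in the same style that reports and removes the standard Explorer policy values which hide the desktop and disable right-click, then restarts the shell. Which values the original tool repairs is an assumption here; the three names used are the documented Explorer policies for exactly those symptoms. It also shows why the "Other Profiles" step matters: the HKCU copy of these policies is per user, so a fix run as Administrator does not touch another profile's hive.

```vbscript
' Added example, not the cleandesktop.vbs script linked above (whose contents
' the thread does not show). It inspects the Explorer policy values that are
' known to hide the desktop and disable the right-click context menu, removes
' any that are set, and restarts Explorer so the shell re-reads them.
' ASSUMPTION: the value names below are the standard Explorer policies; which
' values the original tool repairs is not stated in the thread.
Option Explicit

Dim sh, wmi
Set sh  = CreateObject("WScript.Shell")
Set wmi = GetObject("winmgmts:\\.\root\cimv2")

' Policies live under both hives. HKCU is per profile, which is why the
' Spywad "Other Profiles" fix has to be run while logged in as each user.
Dim hives, names, hive, name, value
hives = Array("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\", _
              "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\")
names = Array("NoViewContextMenu", "NoDesktop", "NoActiveDesktopChanges")

' 1. Report every restrictive value that exists and delete any that is
'    non-zero (these are DWORD values; 1 means the restriction is on).
For Each hive In hives
    For Each name In names
        On Error Resume Next
        value = sh.RegRead(hive & name)          ' raises an error if absent
        If Err.Number = 0 Then
            WScript.Echo hive & name & " = " & value
            If value <> 0 Then
                sh.RegDelete hive & name
                WScript.Echo "    removed"
            End If
        End If
        Err.Clear
        On Error GoTo 0
    Next
Next

' 2. Terminate Explorer. The taskbar and desktop disappear for a moment,
'    exactly as the post above warns.
Dim proc
For Each proc In wmi.ExecQuery("SELECT * FROM Win32_Process WHERE Name = 'explorer.exe'")
    proc.Terminate
Next

' 3. Restart the shell only if Winlogon has not already relaunched it (on
'    Windows XP it normally does; starting a second copy while the shell is
'    running would just open a file-browser window instead).
WScript.Sleep 3000
If wmi.ExecQuery("SELECT * FROM Win32_Process WHERE Name = 'explorer.exe'").Count = 0 Then
    sh.Run "explorer.exe"
End If

WScript.Echo "Done. Right-click the desktop to confirm the context menu is back."
```

Run it with cscript from a command prompt so the Echo lines stay in the console (wscript pops each one up as a dialog). Script-blocking components such as the Symantec ScriptBlocking Service in the logs above will prompt before letting it run, the same way they do for the tools in this thread. Because step 1 only deletes values that are set, it is safe to run on a machine where nothing is wrong; it then reports nothing and simply restarts the shell.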


----------



## cwelaw (Jul 30, 2004)

YOU are my HERO!!! Matt's machine is fixed! IE opens no problem, and he can right click to his heart's desire! I will be running all of our anti software stuff to just make sure and will post a hopeful final hjt. After your gracious review, I will close this one as Solved! Good night and sleep well.


----------



## cwelaw (Jul 30, 2004)

Machine is running great. Here is the final HJT to just verify all clean. Thank you again for all your wonderful help.

Will be donating after the all clear.
Chuck

Logfile of HijackThis v1.99.1
Scan saved at 10:07:50 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis program 4-23-5.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## cwelaw (Jul 30, 2004)

Is WeatherBug a problem program? You had me remove it from his machine. Matt seems to really like it on his machine, I guess he likes the weather....go figure...20 year olds constantly amaze with what interests them.
I'll try to get up earlier tomorrow to check here. Thanks so much again.


----------



## Cookiegal (Aug 27, 2003)

You're welcome. 

WeatherBug is adware. You can read about it here:

http://www.pchell.com/support/weatherbug.shtml

Here is an adware free alternative:

http://www.singerscreations.com/

The log looks fine now. Just one orphan entry to tidy up. Have Hijack This fix this entry:

*R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =*

Now you should turn system restore off to flush out all previous restore points and then turn it back on and create a new restore point:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

I also recommend downloading *SPYWAREBLASTER & SPYWAREGUARD*, for added protection.

http://www.javacoolsoftware.com/spywareblaster.html

*Read here to see how to tighten your security:*

http://forums.techguy.org/t208517.html

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin.*
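
A small parser for the HijackThis log format posted in this thread, written here as an added example (it is not HijackThis code and not part of the original posts). It reads R-section and O4 Run lines into records and flags the two kinds of orphan discussed in this thread: an R entry whose value is empty, like the Start Page line above, and a Run entry whose target file no longer exists. The sample lines are taken from the logs in this thread plus one constructed Run entry (`[Example]`, a hypothetical path) to show the missing-file case; the `file_exists` callback is an assumption so the check runs offline (pass `os.path.exists` on a real machine).

```python
"""Parse HijackThis-style log lines and flag orphaned entries (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample: lines copied from the logs in this thread plus one made-up
# Run entry ([Example], hypothetical path) whose file is assumed to be gone.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [Example] C:\WINDOWS\System32\example_removed.exe",
    r"O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe",
])


@dataclass
class Entry:
    section: str  # "R0", "O4", "O23", ...
    key: str      # registry key or hive as HijackThis prints it (R and O4 Run lines)
    name: str     # value name (R lines) or the [label] of a Run entry
    value: str    # URL, command line, or the remainder of the line
    raw: str


# R lines: "<Rn> - <key>,<value name> = <value>"; the value may be empty.
R_LINE = re.compile(r"^(?P<section>R\d) - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
# O4 Run lines: "O4 - <hive>\..\Run: [<label>] <command line>"
O4_RUN = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\]\s*(?P<value>.*)$")
# Anything else HijackThis prints: "<section> - <rest>"
GENERIC = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<rest>.*)$")
# Leading program path of a command line, with or without surrounding quotes.
EXE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|com|scr|bat|cmd|vbs|dll|ocx))"?', re.IGNORECASE)


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis log text into Entry records, skipping blank lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            entries.append(Entry(m["section"], m["key"], m["name"].strip(), m["value"].strip(), line))
            continue
        m = O4_RUN.match(line)
        if m:
            entries.append(Entry("O4", m["key"], m["name"], m["value"].strip(), line))
            continue
        m = GENERIC.match(line)
        if m:
            entries.append(Entry(m["section"], "", "", m["rest"], line))
    return entries


def target_path(command_line: str) -> Optional[str]:
    """Extract the program path from a Run entry's command line (drops quotes and arguments)."""
    m = EXE.match(command_line.strip())
    return m["path"] if m else None


def find_orphans(entries: List[Entry],
                 file_exists: Optional[Callable[[str], bool]] = None) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs for entries that point at nothing.

    file_exists is an assumed callback (os.path.exists on a live system); when it
    is None the missing-file check for Run entries is skipped.
    """
    orphans: List[Tuple[Entry, str]] = []
    for e in entries:
        if e.section.startswith("R") and e.value == "":
            orphans.append((e, "setting has an empty value"))
        elif e.section == "O4" and e.name and file_exists is not None:
            path = target_path(e.value)
            if path is not None and not file_exists(path):
                orphans.append((e, "run entry whose target file is missing"))
    return orphans


if __name__ == "__main__":
    # Offline demo: pretend only these two files are still on disk.
    present = {"SOUNDMAN.EXE", r"C:\PROGRA~1\SPYBOT~1\SDHelper.dll"}
    for entry, reason in find_orphans(parse_hjt(SAMPLE_LOG), file_exists=lambda p: p in present):
        print(f"{entry.section} [{entry.name}] -> {reason}: {entry.raw}")
```

On a real log, call `find_orphans(parse_hjt(open(path).read()), file_exists=os.path.exists)`; the empty-value check needs no file system at all, which is why the Start Page line above is flagged from the log text alone.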


----------



## cwelaw (Jul 30, 2004)

Thank you for the last. Our time zones, work, etc. have been keeping us apart. Completed all the tasks, and thank you for the info on WeatherBug. He'll try your link recommendation. Here is the hoped-for FINAL (Yeah!) HJT. Look forward to your response as always.

Logfile of HijackThis v1.99.1
Scan saved at 10:12:07 PM, on 4/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis program 4-23-5.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


----------



## Cookiegal (Aug 27, 2003)

Looks good :up:


----------



## cwelaw (Jul 30, 2004)

Thanks so much!!!! Don't see how to put a smiley in this quick reply but I am sure smiling! Donation is under way! Will also be "rating" you of course and you should know it will be high! BTW, Matt says thanks too!!!!


----------



## Cookiegal (Aug 27, 2003)

It was my pleasure! I don't have a rating button but your kind words are sincerely appreciated. Say hi to Matt for me!


----------

