Google search link redirect, C drive search crashes, etc



belloq
2007-03-09, 16:56
A few days ago, problems began with Google search link redirects; now I am also not able to complete a search on the C drive. After four or so hits, the search quits with a popup "explorer needs to close", the PC freezes momentarily and the active desktop is removed.

I tried running all the online scans except for Panda (didn't want extra email) but none would complete; most resulted in IE crashing and a popup "IE needs to close" etc.

Ran HJT, two "unexpected errors" popped up during scan, but it produced a log, which is below. Thanks in advance for any help.

---------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:53:46 AM, on 3/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Adaptec\USBControl\Ausbctrl.exe
C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: USBControl.lnk = C:\Program Files\Adaptec\USBControl\Ausbctrl.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q3E3Q9QR\access[1].exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINNT\System32\crtv2_32.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q3E3Q9QR\access[1].exe (file missing) (HKCU)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINNT\System32\crtv2_32.dll (file missing) (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O19 - User stylesheet: (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE

pskelley
2007-03-10, 14:46
Welcome to the forum. While I am not 100% positive about how serious this is, it is surely serious enough. You are infected. I am not sure either if HJT is showing all of the infection; the hackers like to hide their junk. Let me give you what information I have about this trojan:

O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe <<< while the google indicates it may be several nasties:
http://www.google.com/search?q=win32.exe&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLG
I am inclined to believe it is this one: the RATEGA virus. Your antivirus protection should have stopped this one if it is up to date. At the very least it should remove it for you.
Information and removal instructions are included in this link: http://www.symantec.com/security_response/writeup.jsp?docid=2003-042814-1021-99&tabid=1
My major concern is this:
Backdoor.Ratega is a Trojan Horse that gives a hacker complete access to your computer. By default, the Trojan listens on port 6969 and notifies the hacker through email.

Because it is a backdoor trojan and because of the access to your security information this hacker has, I must give you this information to be safe.
You're infected, and one or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Once you have read the information, if you wish me to show you how to remove the junk, post to let me know.

Thanks

belloq
2007-03-11, 11:07
Wow, I have to change all my passwords? Is this a keylogger type thing? Yes, please show me how to remove this junk. Many thanks.

belloq
2007-03-11, 11:21
By the way, I tried to back up the registry per Symantec/Microsoft instructions, and it said I have insufficient privilege.

pskelley
2007-03-11, 12:21
I can only suggest you may not be signing in as administrator? In the instructions I am about to post, following them will not require backing up the registry because HJT makes its own backups within the program of anything it removes. But you surely need to find out why you cannot back up your registry; there are times when this must be done for safety.

pskelley
2007-03-11, 12:27
Thanks for your feedback, please see the google of win32.exe:
http://www.google.com/search?hl=en&q=win32.exe&btnG=Google+Search
http://www.liutilities.com/products/wintaskspro/processlibrary/win32/
http://www.processlibrary.com/directory/files/win32/
http://www.symantec.com/security_response/writeup.jsp?docid=2003-042814-1021-99
http://www.google.com/search?hl=en&q=RATEGA+TROJAN%21&btnG=Google+Search

While I cannot say with 100% certainty this is the trojan on your computer, I prefer to err on the side of safety and make you aware of the security issues. I believe the information I posted should help you decide how to handle the breach in your security.
You also have this worm: http://www.symantec.com/security_response/writeup.jsp?docid=2004-012217-2400-99

If you wish to scan either of these items, here is a free online scanner:
http://virusscan.jotti.org/
I also wish to say that the Symantec link provides detailed instructions for removing this threat if you prefer to use them.


Instructions start here:
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) TeaTimer will block the changes we must make; use these instructions to turn it off until you are done:
http://russelltexas.com/malware/teatimer.htm

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Caere\OmniPagePro90\EREG\REMIND32.EXE
O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q3E3Q9QR\access[1].exe (file missing)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINNT\System32\crtv2_32.dll (file missing)
O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q3E3Q9QR\access[1].exe (file missing) (HKCU)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINNT\System32\crtv2_32.dll (file missing) (HKCU)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O19 - User stylesheet: (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

(be VERY careful you delete these two files in the C:\Windows\ folder and NOT the C:\Windows\System32\ folder where the same files are VALID)

C:\WINNT\win32.exe <<< delete that file

C:\winnt\rundll32.exe <<< delete that file

6) Follow the directions in this link, delete or at least quarantine anything that is found and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the AVG Anti-Spyware scan results, a new HJT log and any comments you think will help.

Thanks

For your information:
I see Norton as your anti-virus program; does it contain a firewall, or what do you run? You also have no realtime spyware program running. TeaTimer helps but it cannot do that job.
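Added example (my own code, not part of this thread and not HijackThis itself): a small Python triage script that reads HJT log lines like the ones above and flags the patterns pskelley picks out of them: R1 search values reset to about:blank, O4 autoruns whose binary sits directly in C:\WINNT rather than System32 (the win32.exe and rundll32.exe entries), and O2/O9/O16/O19 entries whose file or download URL is missing. The sample lines are copied from the log in this thread; the allowlist of binaries expected directly in the Windows root is an assumption for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Path directly under the Windows install root (C:\WINNT on Windows 2000,
# C:\Windows on later versions) with no further subdirectory.
WINDIR_RE = re.compile(r"^[a-z]:\\(?:winnt|windows)\\(?P<rest>[^\\]+)$", re.I)
# 'O4 - HKLM\..\Run: [name] path' -> section code and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# '[name] "quoted path" args'  or  '[name] bare\path args'
O4_TARGET_RE = re.compile(r'^[^\]]*\]\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')

# Binaries that legitimately live directly in %windir% instead of System32.
# Assumed allowlist for this example; a real baseline would be larger.
WINDIR_ROOT_OK = {"explorer.exe"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def o4_target(body: str) -> Optional[str]:
    """Executable path from an O4 entry body, or None if it has no path."""
    # Startup-folder entries look like 'Global Startup: name.lnk = C:\path\x.exe'
    if " = " in body and "]" not in body:
        return body.split(" = ", 1)[1].strip()
    m = O4_TARGET_RE.match(body)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, or None for a benign one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
        return Finding(sec, "browser search/start setting reset to about:blank", line)
    if sec == "O4":
        target = o4_target(body)
        if target:
            w = WINDIR_RE.match(target)
            if w and w.group("rest").lower() not in WINDIR_ROOT_OK:
                return Finding(sec, "autorun binary placed directly in the Windows root "
                                    "(system binaries such as rundll32.exe live in System32)",
                               line)
    if sec in ("O2", "O9", "O16", "O19") and ("(file missing)" in body or "(no file)" in body):
        return Finding(sec, "orphaned entry: referenced file no longer exists", line)
    if sec == "O16" and body.rstrip().endswith(" -"):
        return Finding(sec, "ActiveX download (DPF) entry with no source URL", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of an HJT log and collect the findings."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


# Constructed sample: lines taken from the first HJT log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINNT\System32\crtv2_32.dll (file missing)
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O19 - User stylesheet: (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it on the sample prints six findings, matching the six line items of those kinds that pskelley asked to have fixed.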

belloq
2007-03-12, 07:34
Many thanks! That ATF program is very cool. None of the online scanners work, including the ones you have mentioned. It always errors before finishing. I've followed your instructions. I have not followed the Norton instructions on the two links you've mentioned yet. Norton's online support basically said I can't eliminate the virus because the admin rights have been given to someone at some point by the virus. Don't know if that's true or not, but they tried to get another $70 for "premium" support, all this after I just renewed Norton AV/Internet Security on Saturday! AVG, which you suggested, nearly completed the scan but errored like all the other scans. I copied the HJT log below and the AVG error log in a subsequent post. Any suggestions on active spyware protection would be appreciated. Thanks again.

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:29:37 AM, on 3/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Adaptec\USBControl\Ausbctrl.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: USBControl.lnk = C:\Program Files\Adaptec\USBControl\Ausbctrl.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE

belloq
2007-03-12, 07:35
AVG Error log (file name: avgas.err):

//==<AVG AntiSpyware 7.5.0.50>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 01005D31 <module file name get failed with error 0 for module 00F10000>
Exception Date: 03/12/2007 00:45:28
File Version of C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe: 7.5.0.50

Registers:
EAX:00000000
EBX:081D0000
ECX:04A725B8
EDX:0E550001
ESI:7C597925
EDI:000000A0
CS:EIP:001B:01005D31
SS:ESP:0023:04A723E4 EBP:5B73656F
DS:0023 ES:0023 FS:0038 GS:0000
Flags:00010202

Intel specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module
01005D31 5B73656F <frame 5B73656F not readable>

ImageHelp specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address
01005D31 04A723E0 00000000 081D0000 0018BEE8 04A72444 <module file name get failed with error 0 for module 00F10000>
01390000 5B73656F 00000000 00000000 00000000 00000000 <module file name get failed with error 0 for module 01390000>


//==<AVG AntiSpyware 7.5.0.50>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 01005D31 <module file name get failed with error 0 for module 00F10000>
Exception Date: 03/12/2007 01:22:14
File Version of C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe: 7.5.0.50

Registers:
EAX:00000000
EBX:06880000
ECX:052125B8
EDX:0B850001
ESI:7C597925
EDI:000000A0
CS:EIP:001B:01005D31
SS:ESP:0023:052123E4 EBP:5B73656F
DS:0023 ES:0023 FS:0038 GS:0000
Flags:00010202

Intel specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module
01005D31 5B73656F <frame 5B73656F not readable>

ImageHelp specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address
01005D31 052123E0 00000000 06880000 0018BF40 05212444 <module file name get failed with error 0 for module 00F10000>
01390000 5B73656F 00000000 00000000 00000000 00000000 <module file name get failed with error 0 for module 01390000>

Loaded Modules:
Base Size Module
00400000 605000 7.05.0000.0050 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
77F80000 07C000 5.00.2195.7006 C:\WINNT\system32\ntdll.dll
690A0000 00B000 5.00.2134.0001 C:\WINNT\system32\PSAPI.DLL
7C570000 0B4000 5.00.2195.7099 C:\WINNT\system32\KERNEL32.DLL
10000000 0DD000 4.02.0000.0015 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll
719B0000 008000 6.00.2800.1106 C:\WINNT\system32\SHFOLDER.dll
7C2D0000 065000 5.00.2195.7038 C:\WINNT\system32\ADVAPI32.dll
77D30000 06F000 5.00.2195.7085 C:\WINNT\system32\RPCRT4.dll
70A70000 066000 6.00.2800.1902 C:\WINNT\system32\SHLWAPI.dll
78000000 045000 6.01.9844.0000 C:\WINNT\system32\msvcrt.dll
77F40000 03C000 5.00.2195.7073 C:\WINNT\system32\GDI32.dll
77E10000 069000 5.00.2195.7032 C:\WINNT\system32\USER32.dll
77570000 030000 5.00.2161.0001 C:\WINNT\system32\WINMM.dll
6B2C0000 005000 5.00.2180.0001 C:\WINNT\system32\MSIMG32.dll
76B30000 03E000 5.00.3700.6693 C:\WINNT\system32\comdlg32.dll
71710000 084000 5.81.4968.2500 C:\WINNT\system32\COMCTL32.DLL
7CF30000 246000 5.00.3900.7105 C:\WINNT\system32\SHELL32.DLL
7CE20000 0EF000 5.00.2195.7059 C:\WINNT\system32\ole32.dll
75050000 008000 5.00.2195.6603 C:\WINNT\system32\WSOCK32.dll
75030000 014000 5.00.2195.6601 C:\WINNT\system32\WS2_32.DLL
75020000 008000 5.00.2134.0001 C:\WINNT\system32\WS2HELP.DLL
77340000 013000 5.00.2195.7097 C:\WINNT\system32\iphlpapi.dll
77520000 005000 5.00.2134.0001 C:\WINNT\system32\ICMP.dll
77320000 017000 5.00.2181.0001 C:\WINNT\system32\MPRAPI.dll
75150000 010000 5.00.2195.6944 C:\WINNT\system32\SAMLIB.DLL
7CDC0000 050000 5.00.2195.7108 C:\WINNT\system32\NETAPI32.DLL
7C340000 00F000 5.00.2195.6695 C:\WINNT\system32\Secur32.dll
77BF0000 011000 5.00.2195.6666 C:\WINNT\system32\NTDSAPI.dll
77980000 024000 5.00.2195.7100 C:\WINNT\system32\DNSAPI.DLL
77950000 02B000 5.00.2195.7017 C:\WINNT\system32\WLDAP32.DLL
751C0000 006000 5.00.2134.0001 C:\WINNT\system32\NETRAP.dll
779B0000 09B000 2.40.4522.0000 C:\WINNT\system32\OLEAUT32.DLL
773B0000 02F000 5.00.2195.6601 C:\WINNT\system32\ACTIVEDS.DLL
77380000 023000 5.00.2195.6993 C:\WINNT\system32\ADSLDPC.DLL
77830000 00E000 5.00.2168.0001 C:\WINNT\system32\RTUTILS.DLL
77880000 08E000 5.00.2195.6622 C:\WINNT\system32\SETUPAPI.DLL
7C0F0000 064000 5.00.2195.7002 C:\WINNT\system32\USERENV.DLL
774E0000 034000 5.00.2195.6920 C:\WINNT\system32\RASAPI32.dll
774C0000 011000 5.00.2195.6824 C:\WINNT\system32\rasman.dll
77530000 022000 5.00.2195.6664 C:\WINNT\system32\TAPI32.dll
77360000 019000 5.00.2195.7085 C:\WINNT\system32\DHCPCSVC.DLL
77820000 007000 5.00.2195.6623 C:\WINNT\system32\VERSION.dll
759B0000 006000 5.00.2195.6611 C:\WINNT\system32\LZ32.DLL
63000000 095000 6.00.2800.1589 C:\WINNT\system32\WININET.dll
7C740000 08C000 5.131.2195.6926 C:\WINNT\system32\CRYPT32.dll
77430000 011000 5.00.2195.6905 C:\WINNT\system32\MSASN1.dll
1A400000 07D000 6.00.2800.1591 C:\WINNT\system32\urlmon.dll
651B0000 022000 2006.02.0000.0153 C:\PROGRA~1\COMMON~1\SYMANT~1\ANTISPAM\ASOEHOOK.DLL
02230000 056000 7.10.3052.0004 C:\WINNT\system32\MSVCR71.dll
6AF90000 05E000 104.00.0014.0002 C:\Program Files\Common Files\Symantec Shared\ccL40.dll
7C3A0000 07B000 7.10.3077.0000 C:\WINNT\system32\MSVCP71.dll
022A0000 020000 5.06.0013.52136 C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\SBHook.dll
58000000 01E000 5.05.0100.0092 C:\Program Files\Verizon Online\Visual IP InSight\IPHook32.dll
022F0000 00D000 4.05.0006.0006 C:\WINNT\System32\tabhook.dll
7C950000 08F000 2000.02.3529.0000 C:\WINNT\system32\CLBCATQ.DLL
77840000 03E000 5.00.2195.6705 C:\WINNT\system32\cscui.dll
770C0000 023000 5.00.2195.6713 C:\WINNT\system32\CSCDLL.DLL
76710000 009000 5.00.2195.7069 C:\WINNT\system32\LINKINFO.DLL
76FA0000 00F000 5.00.2134.0001 C:\WINNT\system32\ntshrui.dll
773E0000 015000 3.00.9435.0000 C:\WINNT\system32\ATL.DLL
76620000 010000 5.00.2195.6824 C:\WINNT\system32\MPR.DLL
782C0000 00C000 5.00.2195.6603 C:\WINNT\System32\rnr20.dll
777E0000 008000 5.00.2160.0001 C:\WINNT\System32\winrnr.dll
72A00000 02D000 5.00.2195.6613 C:\WINNT\system32\DBGHELP.DLL
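
One thing a responder would check in a crash report like the one above is whether the faulting EIP (01005D31) falls inside any module the report itself lists; the report says the module lookup for 00F10000 failed, and avgas.exe (base 00400000, size 605000) ends well below that address. The script below is an added example, not AVG's tooling and not something the poster ran. It parses a constructed excerpt of the report above (only a handful of the module lines are reproduced), resolves the fault address and the general-purpose registers against the module ranges, and additionally flags registers whose value reads as four printable ASCII bytes yet resolves to no loaded module. Neither check establishes what caused the fault on its own; they only narrow down where to look next.

```python
"""Crash-report triage: resolve the faulting address and register values
against the report's own Loaded Modules list.

Added example; SAMPLE_REPORT is a constructed excerpt of the AVG
Anti-Spyware report posted above (most module lines omitted)."""
import re

# "Base Size Version Path" lines from the Loaded Modules section.
MODULE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{6})\s+(\S+)\s+(.+)$")
FAULT_RE = re.compile(r"^Fault address:\s*([0-9A-Fa-f]{8})", re.M)
# General-purpose registers as printed in the Registers section (EIP/ESP excluded).
REG_RE = re.compile(r"\b(EAX|EBX|ECX|EDX|ESI|EDI|EBP):([0-9A-Fa-f]{8})")

SAMPLE_REPORT = r"""Exception code: C0000005 ACCESS_VIOLATION
Fault address: 01005D31 <module file name get failed with error 0 for module 00F10000>
Registers:
EAX:00000000
EBX:06880000
ECX:052125B8
EDX:0B850001
ESI:7C597925
EDI:000000A0
CS:EIP:001B:01005D31
SS:ESP:0023:052123E4 EBP:5B73656F
Loaded Modules:
Base Size Module
00400000 605000 7.05.0000.0050 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
77F80000 07C000 5.00.2195.7006 C:\WINNT\system32\ntdll.dll
7C570000 0B4000 5.00.2195.7099 C:\WINNT\system32\KERNEL32.DLL
10000000 0DD000 4.02.0000.0015 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll
02230000 056000 7.10.3052.0004 C:\WINNT\system32\MSVCR71.dll
022A0000 020000 5.06.0013.52136 C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\SBHook.dll
022F0000 00D000 4.05.0006.0006 C:\WINNT\System32\tabhook.dll
"""


def parse_modules(report):
    """Return [(base, end, path)] for every module line after 'Loaded Modules:'."""
    mods, in_list = [], False
    for line in report.splitlines():
        if line.startswith("Loaded Modules:"):
            in_list = True
            continue
        m = MODULE_RE.match(line) if in_list else None
        if m:
            base, size = int(m.group(1), 16), int(m.group(2), 16)
            mods.append((base, base + size, m.group(4).strip()))
    return mods


def parse_fault_address(report):
    m = FAULT_RE.search(report)
    return int(m.group(1), 16) if m else None


def parse_registers(report):
    return {name: int(val, 16) for name, val in REG_RE.findall(report)}


def module_for(addr, mods):
    """Path of the module whose [base, end) range contains addr, else None."""
    for base, end, path in mods:
        if base <= addr < end:
            return path
    return None


def looks_like_ascii(dword):
    """True if all four little-endian bytes are printable ASCII (0x20..0x7E)."""
    return all(0x20 <= b <= 0x7E for b in dword.to_bytes(4, "little"))


def triage_crash(report):
    mods = parse_modules(report)
    fault = parse_fault_address(report)
    regs = parse_registers(report)
    # A code address inside a known module is normal; printable bytes that map to
    # nothing loaded are worth a second look (a heuristic, not proof of anything).
    suspect = sorted(n for n, v in regs.items()
                     if looks_like_ascii(v) and module_for(v, mods) is None)
    return {"fault": fault, "fault_module": module_for(fault, mods),
            "suspect_registers": suspect}


if __name__ == "__main__":
    for k, v in triage_crash(SAMPLE_REPORT).items():
        print(f"{k}: {v:08X}" if isinstance(v, int) else f"{k}: {v}")
```

On the excerpt above the fault address resolves to no module, and ESI (7C597925) is not flagged even though its bytes happen to be printable, because it sits inside KERNEL32.DLL; only EBP (5B73656F) survives both filters. That is exactly the kind of combined check that keeps the ASCII heuristic from drowning in false positives.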

pskelley
2007-03-12, 13:30
Thanks for the feedback, let me first say it appears you have been successful removing the bad stuff from what I can see in the HJT log.
You have a problem with the fact that it appears the malware has changed access to the administrator rights. Do you receive a message about this? If so post it for me, here are some sites you can look for answers at.
http://www.google.com/search?hl=en&q=restore+administrator+rights&btnG=Google+Search

You may also find something here: http://www.kellys-korner-xp.com/xp_tweaks.htm

The AVG Anti-Spyware information means nothing to me and time constraints will not allow me to Google all of those files. Since you can't use it, I would uninstall it.

I suggest you do this: System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

If you can not resolve the administrator issues, you may want to consider this:
http://www.google.com/search?hl=en&q=how+to+reformat+windows+XP&btnG=Search

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

belloq
2007-03-17, 22:52
I'm running W2000pro so the restore thing doesn't seem to apply. I won't reformat the drive just for the google redirect problem. But there seems to be good news- I can now do a full system scan with my Norton internet security but it didn't find anything. I have no idea which process worked after all but I don't care. However, the google search result redirect (the original problem) is still occurring and I'm not sure how to check if the admin rights issue was resolved. What should I do next, if anything? Current HJT log is below. By the way, there are still two error popups during the HJT scan. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 4:57:08 PM, on 3/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe
C:\PROGRA~1\NovaStor\NOVABA~1\NSENGINE.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Adaptec\USBControl\Ausbctrl.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: USBControl.lnk = C:\Program Files\Adaptec\USBControl\Ausbctrl.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE

pskelley
2007-03-17, 23:52
"I'm running W2000pro so the restore thing doesn't seem to apply." I apologize, since Microsoft stopped supporting everything before Windows XP SP2, that's about all I see anymore.

"I won't reformat the drive just for the google redirect problem." That is your call, were it my machine, and I had that trojan, it would have been done right away. A computer whose security I can't trust is worthless to me.

"By the way, there are still two error popups during the HJT scan. Thanks." This tells me nothing, what exactly are those errors? Post them "word for word".

Looking at the HJT log you just posted:

All I see in the HJT log is this old Java line which you can remove if you wish:
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

What does your Norton AntiVirus have to say? Run a scan and post the results. Let's look at another free online scan, try this one and post the results:

Please run Trend Micro House Call (http://housecall.trendmicro.com/)
Click Scan now. It's free!
Read and put a Check next to Yes I accept the terms of use.
Click the Launching HouseCall>> button.
Under "Browser plug-in" Installing and using Housecall kernel, click the Starting HouseCall>> button.
You may receive a prompt to install the ActiveX, click install.
If you are taken back to the main page, click Launching HouseCall>> button again.
Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
Please be patient while it installs, updates, and scans your system.
Once the scan is complete, it will take you to the summary page.
Under Cleanup options, choose clean all detected infections automatically.
Click the Clean now>> button.
If anything was found you may be prompted to run the scan again, you can just close the browser window.
When the scan is finished, please restart your computer.

Please post your Uninstall list so I can have a look:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Restart the computer and post some information about these popup errors, the results of the Norton scan, Housecall scan and the uninstall list. Please add any comments you think will help.

Thanks
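
pskelley's read of the log comes down to one orphaned BHO entry. The script below is an added example (not HijackThis code, and not a finding from this thread) that applies two mechanical checks to a constructed excerpt of the O2/O3/O4 lines posted above: it pulls out entries that still carry a CLSID but end in "(no file)", and it lists Run-key commands whose executable path contains spaces but is not quoted, the same CreateProcess path ambiguity known from unquoted service paths. The second check is hygiene rather than evidence of infection; the entries it flags here belong to ordinary vendor software that omitted the quotes, and abusing them would need write access to C:\ or C:\Program Files.

```python
"""Mechanical checks over HijackThis log lines.

Added example, not HijackThis code; SAMPLE_LOG is constructed from the
O2/O3/O4 lines posted above."""
import re

# "O4 - ..." / "R1 - ..." entries: section code, then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Run-key autoruns as HJT prints them: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd")

SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
"""


def parse_entries(log):
    """Yield (section, body) for every line that looks like an HJT entry."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def find_orphans(log):
    """Entries whose registered object no longer exists on disk: (section, CLSID)."""
    out = []
    for sec, body in parse_entries(log):
        if "(no file)" in body:
            c = CLSID_RE.search(body)
            out.append((sec, c.group(0) if c else None))
    return out


def unquoted_with_space(cmd):
    """True when the command is unquoted and its first token is not a complete
    executable name, i.e. the path to the binary itself contains a space."""
    cmd = cmd.strip()
    if cmd.startswith('"') or " " not in cmd:
        return False
    first = cmd.split(" ", 1)[0]
    return not first.lower().endswith(EXE_EXT)


def find_unquoted_autoruns(log):
    """Names of Run-key entries whose executable path is unquoted and has spaces."""
    out = []
    for sec, body in parse_entries(log):
        if sec != "O4":
            continue
        m = RUN_RE.match(body)
        if m and unquoted_with_space(m.group("cmd")):
            out.append(m.group("name"))
    return out


def triage_hjt(log):
    return {"orphans": find_orphans(log),
            "unquoted_autoruns": find_unquoted_autoruns(log)}


if __name__ == "__main__":
    for k, v in triage_hjt(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

The orphan check reproduces pskelley's one finding from the log; the CLSID it returns is what you would look up under HKCR\CLSID before deciding whether to let HJT fix the line. The autorun check deliberately accepts "mobsync.exe /logon" and "RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup", where the space separates a complete executable name from its arguments, and flags only the three entries whose path itself breaks on a space.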

pskelley
2007-03-24, 17:48
No response since 2007-03-17, 17:52. As a result the topic will be closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks