PDA

View Full Version : Please help, it won't go away...


gr8northwoods
2006-08-09, 06:49
Please help, it won't go away...

First let me say I am using Symantec Internet Security 2006 :(

This only seems to happen when IEXPLORE.EXE is running

I have spent 3 days scanning with Norton consuming 96% of my resources and my laptop is as useless as a paperweight. (if anyone has any good suggestions as an alternative to this absurd and ridiculous bloatware, please tell me!)

It continually reports Dialer.Generic and then it offers to Quarantine or Remove a file called (variably **):

C:\Documents and Settings\pops\Local Settings\Temporary InternetFiles\Content.IE5\**insert_random_folder_name**\srv***[1].exe

(ie: srvmxv[1].exe

this is immediately followed with a message from Norton saying:

Norton has detected a virus on your computer.
Object Name: C:WINDOWS\TEMP\win***.tmp
(insert random hex for *** ie: win11D.tmp)
Virus Name: Trojan Horse
Action Taken: Unable to repair this file
Action Taken: Access to this file was denied

it takes 8 to clicks to get rid of this message and then I get a box with:

Manual Repair: Risks -
Name - Trojan Horse
Risk - High
Details - Virus
Action - (Remove or Quarantine)

(NEITHER WORK)

then ...nothing... except after a reboot, same darn thing!

From reading here I found there may be problems with:

ddayy.dll

(as well as
yyadd.tmp
yyadd.ini
yyadd.ini2)

and I get
win64.tmp.exe
popping up in the C:\WINDOWS\Temp folder
and random win**.tmp files report a trojan to Norton

so I went to VirusTotal and got this:

------------------------------------------------------

Complete scanning result of "ddayy.dll", received in VirusTotal at 08.08.2006, 23:20:11 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.0 08.08.2006 no virus found
Authentium 4.93.8 08.08.2006 no virus found
Avast 4.7.844.0 08.08.2006 no virus found
AVG 386 08.08.2006 no virus found
BitDefender 7.2 08.08.2006 no virus found
CAT-QuickHeal 8.00 08.08.2006 no virus found
ClamAV devel-20060426 08.08.2006 no virus found
DrWeb 4.33 08.08.2006 no virus found
eTrust-InoculateIT 23.72.89 08.08.2006 no virus found
eTrust-Vet 12.6.2329 08.08.2006 Win32/Vundo
Ewido 4.0 08.08.2006 no virus found
Fortinet 2.77.0.0 08.08.2006 suspicious
F-Prot 3.16f 08.08.2006 no virus found
F-Prot4 4.2.1.29 08.08.2006 no virus found
Ikarus 0.2.65.0 08.08.2006 no virus found
Kaspersky 4.0.2.24 08.08.2006 not-a-virus:AdWare.Win32.Virtumonde.da
McAfee 4824 08.08.2006 Vundo
Microsoft 1.1508 08.04.2006 no virus found
NOD32v2 1.1697 08.08.2006 no virus found
Norman 5.90.23 08.08.2006 no virus found
Panda 9.0.0.4 08.08.2006 Suspicious file
Sophos 4.08.0 08.08.2006 no virus found
Symantec 8.0 08.08.2006 no virus found
TheHacker 5.9.8.187 08.07.2006 no virus found
UNA 1.83 08.08.2006 no virus found
VBA32 3.11.0 08.08.2006 no virus found
VirusBuster 4.3.7:9 08.08.2006 no virus found

Aditional Information
File size: 573492 bytes
MD5: 4bde22ffa058d3e130880b7d46998735
SHA1: 57c3ed465e617fee52dd30f471a7342c3ccff6ae
packers: embedded

---------------------------------------------------------

From this info I ran Atribune's VundoFix.exe 5.1.0.7 with no results.

---------------------------------------------------------

Then Symantecs FixVundo with this log:
Symantec Trojan.Vundo Removal Tool 1.5.0
The process "IEXPLORE.EXE" might be affected by the threat. It cannot be terminated.
The process "IEXPLORE.EXE" might be affected by the threat. It has been terminated.

C:\Program Files\Folder Lock\Encrypted\n¦+¦-n: (not scanned)
C:\System Volume Information: (not scanned)

Trojan.Vundo has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 205522
The number of deleted files: 0
The number of viral processes terminated: 1
The number of viral threads terminated: 0
The number of registry entries fixed: 0

but it was a lie as the same thing popped up again :(

---------------------------------------------------------

Then I ran VirtumundoBeGone.exe with no luck:

[08/08/2006, 23:02:28] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\pops\Desktop\VirtumundoBeGone.exe" )
[08/08/2006, 23:02:30] - Detected System Information:
[08/08/2006, 23:02:30] - Windows Version: 5.1.2600, Service Pack 2
[08/08/2006, 23:02:30] - Current Username: pops (Admin)
[08/08/2006, 23:02:30] - Windows is in NORMAL mode.
[08/08/2006, 23:02:30] - Searching for Browser Helper Objects:
[08/08/2006, 23:02:30] - BHO 1: {02DCA195-602B-4B1F-83FF-381B7E804BDB} ()
[08/08/2006, 23:02:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:02:30] - Checking for HKLM\...\Winlogon\Notify\HDBHO
[08/08/2006, 23:02:30] - Key not found: HKLM\...\Winlogon\Notify\HDBHO, continuing.
[08/08/2006, 23:02:30] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/08/2006, 23:02:30] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/08/2006, 23:02:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:02:30] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/08/2006, 23:02:30] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/08/2006, 23:02:30] - BHO 4: {61DB1DD7-0130-4B74-810E-BB6040C59EE5} ()
[08/08/2006, 23:02:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:02:30] - Checking for HKLM\...\Winlogon\Notify\ddayy
[08/08/2006, 23:02:30] - Found: HKLM\...\Winlogon\Notify\ddayy - This is probably Virtumundo.
[08/08/2006, 23:02:30] - Assigning {61DB1DD7-0130-4B74-810E-BB6040C59EE5} MSEvents Object
[08/08/2006, 23:02:30] - BHO list has been changed! Starting over...
[08/08/2006, 23:02:30] - BHO 1: {02DCA195-602B-4B1F-83FF-381B7E804BDB} ()
[08/08/2006, 23:02:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:02:30] - Checking for HKLM\...\Winlogon\Notify\HDBHO
[08/08/2006, 23:02:30] - Key not found: HKLM\...\Winlogon\Notify\HDBHO, continuing.
[08/08/2006, 23:02:30] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/08/2006, 23:02:31] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/08/2006, 23:02:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:02:31] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/08/2006, 23:02:31] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/08/2006, 23:02:31] - BHO 4: {61DB1DD7-0130-4B74-810E-BB6040C59EE5} (MSEvents Object)
[08/08/2006, 23:02:31] - ALERT: Found MSEvents Object!
[08/08/2006, 23:02:31] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/08/2006, 23:02:31] - BHO 6: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[08/08/2006, 23:02:31] - BHO 7: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[08/08/2006, 23:02:31] - BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/08/2006, 23:02:31] - BHO 9: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[08/08/2006, 23:02:31] - Finished Searching Browser Helper Objects
[08/08/2006, 23:02:31] - *** Detected MSEvents Object
[08/08/2006, 23:02:31] - Trying to remove MSEvents Object...
[08/08/2006, 23:02:32] - Terminating Process: IEXPLORE.EXE
[08/08/2006, 23:02:32] - Terminating Process: RUNDLL32.EXE
[08/08/2006, 23:02:32] - Disabling Automatic Shell Restart
[08/08/2006, 23:02:32] - Terminating Process: EXPLORER.EXE
[08/08/2006, 23:02:33] - Suspending the NT Session Manager System Service
[08/08/2006, 23:02:33] - Terminating Windows NT Logon/Logoff Manager
[08/08/2006, 23:02:34] - Re-enabling Automatic Shell Restart
[08/08/2006, 23:02:34] - File to disable: C:\WINDOWS\system32\ddayy.dll
[08/08/2006, 23:02:34] - Removing HKLM\...\Browser Helper Objects\{61DB1DD7-0130-4B74-810E-BB6040C59EE5}
[08/08/2006, 23:02:34] - Removing HKCR\CLSID\{61DB1DD7-0130-4B74-810E-BB6040C59EE5}
[08/08/2006, 23:02:34] - Adding Kill Bit for ActiveX for GUID: {61DB1DD7-0130-4B74-810E-BB6040C59EE5}
[08/08/2006, 23:02:34] - Deleting ATLEvents/MSEvents Registry entries
[08/08/2006, 23:02:34] - Removing HKLM\...\Winlogon\Notify\ddayy
[08/08/2006, 23:02:34] - Searching for Browser Helper Objects:
[08/08/2006, 23:02:34] - BHO 1: {02DCA195-602B-4B1F-83FF-381B7E804BDB} ()
[08/08/2006, 23:02:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:02:34] - Checking for HKLM\...\Winlogon\Notify\HDBHO
[08/08/2006, 23:02:34] - Key not found: HKLM\...\Winlogon\Notify\HDBHO, continuing.
[08/08/2006, 23:02:34] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/08/2006, 23:02:34] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/08/2006, 23:02:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:02:34] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/08/2006, 23:02:34] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/08/2006, 23:02:34] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/08/2006, 23:02:35] - BHO 5: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[08/08/2006, 23:02:35] - BHO 6: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[08/08/2006, 23:02:35] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/08/2006, 23:02:35] - BHO 8: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[08/08/2006, 23:02:35] - Finished Searching Browser Helper Objects
[08/08/2006, 23:02:35] - Finishing up...
[08/08/2006, 23:02:35] - A restart is needed.
[08/08/2006, 23:04:20] - Attempting to Restart via STOP error (Blue Screen!)

[08/08/2006, 23:11:32] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\pops\Desktop\VirtumundoBeGone.exe" )
[08/08/2006, 23:11:34] - Detected System Information:
[08/08/2006, 23:11:34] - Windows Version: 5.1.2600, Service Pack 2
[08/08/2006, 23:11:34] - Current Username: pops (Admin)
[08/08/2006, 23:11:34] - Windows is in NORMAL mode.
[08/08/2006, 23:11:34] - Searching for Browser Helper Objects:
[08/08/2006, 23:11:34] - BHO 1: {02DCA195-602B-4B1F-83FF-381B7E804BDB} ()
[08/08/2006, 23:11:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:11:34] - Checking for HKLM\...\Winlogon\Notify\HDBHO
[08/08/2006, 23:11:34] - Key not found: HKLM\...\Winlogon\Notify\HDBHO, continuing.
[08/08/2006, 23:11:34] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/08/2006, 23:11:34] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/08/2006, 23:11:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:11:34] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/08/2006, 23:11:34] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/08/2006, 23:11:34] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/08/2006, 23:11:34] - BHO 5: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[08/08/2006, 23:11:34] - BHO 6: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[08/08/2006, 23:11:34] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/08/2006, 23:11:34] - BHO 8: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[08/08/2006, 23:11:34] - Finished Searching Browser Helper Objects
[08/08/2006, 23:11:34] - Finishing up...
[08/08/2006, 23:11:34] - Nothing found! Exiting...

[08/08/2006, 23:12:51] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\pops\Desktop\VirtumundoBeGone.exe" )
[08/08/2006, 23:12:52] - Detected System Information:
[08/08/2006, 23:12:52] - Windows Version: 5.1.2600, Service Pack 2
[08/08/2006, 23:12:52] - Current Username: pops (Admin)
[08/08/2006, 23:12:52] - Windows is in NORMAL mode.
[08/08/2006, 23:12:52] - Searching for Browser Helper Objects:
[08/08/2006, 23:12:52] - BHO 1: {02DCA195-602B-4B1F-83FF-381B7E804BDB} ()
[08/08/2006, 23:12:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:12:52] - Checking for HKLM\...\Winlogon\Notify\HDBHO
[08/08/2006, 23:12:52] - Key not found: HKLM\...\Winlogon\Notify\HDBHO, continuing.
[08/08/2006, 23:12:52] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/08/2006, 23:12:52] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/08/2006, 23:12:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:12:52] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/08/2006, 23:12:52] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/08/2006, 23:12:52] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/08/2006, 23:12:52] - BHO 5: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[08/08/2006, 23:12:52] - BHO 6: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[08/08/2006, 23:12:53] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/08/2006, 23:12:53] - BHO 8: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[08/08/2006, 23:12:53] - Finished Searching Browser Helper Objects
[08/08/2006, 23:12:53] - Finishing up...
[08/08/2006, 23:12:53] - Nothing found! Exiting...

[08/08/2006, 23:27:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\pops\Desktop\VirtumundoBeGone.exe" )
[08/08/2006, 23:27:08] - Detected System Information:
[08/08/2006, 23:27:08] - Windows Version: 5.1.2600, Service Pack 2
[08/08/2006, 23:27:08] - Current Username: pops (Admin)
[08/08/2006, 23:27:08] - Windows is in NORMAL mode.
[08/08/2006, 23:27:08] - Searching for Browser Helper Objects:
[08/08/2006, 23:27:08] - BHO 1: {02DCA195-602B-4B1F-83FF-381B7E804BDB} ()
[08/08/2006, 23:27:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:27:08] - Checking for HKLM\...\Winlogon\Notify\HDBHO
[08/08/2006, 23:27:08] - Key not found: HKLM\...\Winlogon\Notify\HDBHO, continuing.
[08/08/2006, 23:27:08] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/08/2006, 23:27:08] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/08/2006, 23:27:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/08/2006, 23:27:08] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/08/2006, 23:27:08] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/08/2006, 23:27:08] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/08/2006, 23:27:08] - BHO 5: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[08/08/2006, 23:27:08] - BHO 6: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[08/08/2006, 23:27:08] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/08/2006, 23:27:08] - BHO 8: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[08/08/2006, 23:27:08] - Finished Searching Browser Helper Objects
[08/08/2006, 23:27:08] - Finishing up...
[08/08/2006, 23:27:08] - Nothing found! Exiting.
------------------------------------------------------------------------

The darn thing still pops up in Norton!

------------------------------------------------------------------------

continued below.....
gr8northwoods
2006-08-09, 06:53
Here is my HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:34:56 PM, on 8/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
C:\AntiSpyWare\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to &Teleport - C:\Program Files\Teleport Pro\teleport.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130973309953
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmqx32 - C:\WINDOWS\SYSTEM32\winmqx32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Access Remote PC Service (RpcSvr) - www.access-remote-pc.com - C:\Program Files\Access Remote PC\rpcsetup.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: FireDaemon Service: winsecure (winsecure) - Sublime Solutions Pty Ltd - C:\WINDOWS\security\FireDaemon.exe
gr8northwoods
2006-08-09, 06:54
Here is my startup log:

StartupList report, 8/8/2006, 11:37:00 PM
StartupList version: 1.52.2
Started from : C:\AntiSpyWare\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
C:\AntiSpyWare\HJT\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

!ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
UserFaultCheck = %systemroot%\system32\dumprep 0 -u
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
LSBWatcher = c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
hpWirelessAssistant = C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
eabconfg.cpl = C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
DiskeeperSystray = "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\UltraEdit.txt\shell\open\command

(Default) = "C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe" "%1"

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\system32\HDBHO.dll - {02DCA195-602B-4B1F-83FF-381B7E804BDB}
(no name) - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Norton Internet Security 2006 - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
NAV Helper - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Task Scheduler jobs:

1-Click Maintenance.job
Norton AntiVirus - Run Full System Scan - pops.job

--------------------------------------------------

Enumerating Download Program Files:

[Hewlett-Packard Online Support Services]
CODEBASE = http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Symantec RuFSI Utility Class]
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130973309953

[IWinAmpActiveX Class]
InProcServer32 = C:\PROGRA~1\COMMON~1\Nullsoft\ActiveX\2.4\AmpX.dll
CODEBASE = http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

--------------------------------------------------
Enumerating Winsock LSP files:

NameSpace #4: C:\WINDOWS\system32\wshbth.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Aspi32: System32\drivers\aspi32.sys (autostart)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Bluetooth Support Service: %SystemRoot%\system32\svchost.exe -k bthsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Network Proxy: "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
Arrowkey Device Access: \??\C:\Program Files\321Studios\Shared\CDRPDACC.SYS (autostart)
Crypkey License: crypserv.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Team MFP Comm Driver: System32\Drivers\DgiVecp.sys (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Diskeeper: "C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe" (autostart)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Esdpdx01: \??\C:\WINDOWS\system32\Drivers\ESDPDX01.SYS (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
ewido anti-spyware 4.0 guard: C:\Program Files\ewido anti-spyware 4.0\guard.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
LightScribeService Direct Disc Labeling Service: "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
Norton AntiVirus Auto-Protect Service: "C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe" (autostart)
HP Pci Information: \??\C:\DOCUME~1\pops\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ScsiAccess: C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Symantec Core LC: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" (autostart)
symlcbrd: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TuneUp WinStyler Theme Service: "C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe" (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
User Profile Hive Cleanup: C:\Program Files\UPHClean\uphclean.exe (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
windrvNT: \??\C:\WINDOWS\system32\windrvNT.sys (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
FireDaemon Service: winsecure: C:\WINDOWS\security\FireDaemon.exe -s (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

-------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = *Registry value not found*

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Program Files\HPQ\Shared\hpqwmi.events|||\

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: *Registry key not found*
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End o report, 15,610 bytes
--------------------------------------------------
PLEASE AND THANK YOU!!
gr8northwoods
2006-08-09, 07:49
I now have -

C:\Documents and Settings\pops\Local Settings\Temporary InternetFiles\Content.IE5\?wmid=bgates

description says
content-loader.com/getexe/?wmid=bgates

------------------------------------------

Norton says the file is in-
C:\Documents and Settings\pops\Local Settings\Temporary Internet Files\Content.IE5\F18CYPFA\bgates[1].exe

------------------------------------------

help! ty!
LonnyRJones
2006-08-14, 04:23
Hi

Start Hijackthis and place a check next to this item If there.
O20 - Winlogon Notify: winmqx32 - C:\WINDOWS\SYSTEM32\winmqx32.dll
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Is this file still present in the windows\system32 folder ?
ddayy.dll


Post a fresh Hijackthis log.
tashi
2006-08-17, 16:02
Still with us gr8northwoods?
tashi
2006-08-22, 09:57
This topic is closed due to lack of a response.
If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.