-
Hijack this Log:
I'm trying to rid my roommate's computer of its spyware problem. This afternoon I ran newly updated Spybot and Ad-Aware and then ran HijackThis. Here is the log. Any analysis or help would be greatly appreciated, thank you! (I actually ran this log about two hours after the scans, if that matters.)
Logfile of HijackThis v1.99.1
Scan saved at 9:47:16 PM, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\UB-VPN\cvpnd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\stickies\stickies.exe
C:\WINDOWS\system32\winnn32.exe
C:\WINDOWS\windd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jeremy Garvin\Desktop\HiJack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0880B42C-A5FF-7B56-F478-BFA831757B65} - C:\WINDOWS\system32\mfcpa.dll
O2 - BHO: (no name) - {2A372304-1C61-0152-831B-4AB2CAB61E45} - (no file)
O2 - BHO: (no name) - {2A5C9C87-FE71-3DB2-5032-894AACE38191} - (no file)
O2 - BHO: (no name) - {6D4B3B5F-346E-5E06-6C9B-3AA2F96B789D} - (no file)
O2 - BHO: (no name) - {6FB58235-41A2-D0E2-DD86-F03334B1E3F8} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [windd.exe] C:\WINDOWS\windd.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [<ht] c:\WINDOWS\System32\<html>
O4 - HKCU\..\Run: [<he] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>SupportSoft</tit] c:\WINDOWS\System32\<title>SupportSoft</title>
O4 - HKCU\..\Run: [<meta http-equiv="Pragma" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Pragma" content="no-cache">
O4 - HKCU\..\Run: [<meta http-equiv="no-cac] c:\WINDOWS\System32\<meta http-equiv="no-cache">
O4 - HKCU\..\Run: [<meta http-equiv="Expires" content="] c:\WINDOWS\System32\<meta http-equiv="Expires" content="-1">
O4 - HKCU\..\Run: [<meta http-equiv="Cache-Control" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Cache-Control" content="no-cache">
O4 - HKCU\..\Run: [</he] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<bo] c:\WINDOWS\System32\<body>
O4 - HKCU\..\Run: [<script language="javascri] c:\WINDOWS\System32\<script language="javascript">
O4 - HKCU\..\Run: [location.replace("http://supportsoft.adelphia.net/sdcuser/default.as] c:\WINDOWS\System32\location.replace("http://supportsoft.adelphia.net/sdcuser/default.asp");
O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKCU\..\Run: [</bo] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ZBvnRidFV] msdroute.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: University at Buffalo VPN Client.lnk = C:\Program Files\UB-VPN\vpngui.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20...eInstaller.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winnn32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UB-VPN\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-
Hi Shep123
Download both of these tools:
http://www.trendmicro.com/cwshredder/
Don't run it yet.
And AboutBuster:
http://www.downloads.subratam.org/AboutBuster.zip
Extract the files to your My Documents folder, run AboutBuster.exe and check for updates, then close it.
Disconnect from the internet, run CWShredder, reboot when prompted, run AboutBuster, reboot again.
Once back, make and post a fresh HijackThis log.
-
After your steps
I followed your steps as you suggested. Downloaded the two programs, but CWShredder didn't pick anything up. AboutBuster did, however, and so did Spybot when it ran automatically at startup. Here is the new log:
Logfile of HijackThis v1.99.1
Scan saved at 3:35:54 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\UB-VPN\cvpnd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winnn32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\windd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jeremy Garvin\Desktop\HiJack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0880B42C-A5FF-7B56-F478-BFA831757B65} - C:\WINDOWS\system32\mfcpa.dll
O2 - BHO: (no name) - {2A372304-1C61-0152-831B-4AB2CAB61E45} - (no file)
O2 - BHO: (no name) - {2A5C9C87-FE71-3DB2-5032-894AACE38191} - (no file)
O2 - BHO: (no name) - {6D4B3B5F-346E-5E06-6C9B-3AA2F96B789D} - (no file)
O2 - BHO: (no name) - {6FB58235-41A2-D0E2-DD86-F03334B1E3F8} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [windd.exe] C:\WINDOWS\windd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [<ht] c:\WINDOWS\System32\<html>
O4 - HKCU\..\Run: [<he] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>SupportSoft</tit] c:\WINDOWS\System32\<title>SupportSoft</title>
O4 - HKCU\..\Run: [<meta http-equiv="Pragma" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Pragma" content="no-cache">
O4 - HKCU\..\Run: [<meta http-equiv="no-cac] c:\WINDOWS\System32\<meta http-equiv="no-cache">
O4 - HKCU\..\Run: [<meta http-equiv="Expires" content="] c:\WINDOWS\System32\<meta http-equiv="Expires" content="-1">
O4 - HKCU\..\Run: [<meta http-equiv="Cache-Control" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Cache-Control" content="no-cache">
O4 - HKCU\..\Run: [</he] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<bo] c:\WINDOWS\System32\<body>
O4 - HKCU\..\Run: [<script language="javascri] c:\WINDOWS\System32\<script language="javascript">
O4 - HKCU\..\Run: [location.replace("http://supportsoft.adelphia.net/sdcuser/default.as] c:\WINDOWS\System32\location.replace("http://supportsoft.adelphia.net/sdcuser/default.asp");
O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKCU\..\Run: [</bo] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ZBvnRidFV] msdroute.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: University at Buffalo VPN Client.lnk = C:\Program Files\UB-VPN\vpngui.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20011004/qtinstall.info.apple.com/qt503/us/win/QuickTimeInstaller.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winnn32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UB-VPN\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-
Hi
Post another log after turning word wrap off, so the formatting isn't guffed up please.
-
My B. I cut and pasted that twice not realizing word wrap was causing that mess. Here ya go:
Logfile of HijackThis v1.99.1
Scan saved at 3:35:54 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\UB-VPN\cvpnd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winnn32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\windd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jeremy Garvin\Desktop\HiJack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0880B42C-A5FF-7B56-F478-BFA831757B65} - C:\WINDOWS\system32\mfcpa.dll
O2 - BHO: (no name) - {2A372304-1C61-0152-831B-4AB2CAB61E45} - (no file)
O2 - BHO: (no name) - {2A5C9C87-FE71-3DB2-5032-894AACE38191} - (no file)
O2 - BHO: (no name) - {6D4B3B5F-346E-5E06-6C9B-3AA2F96B789D} - (no file)
O2 - BHO: (no name) - {6FB58235-41A2-D0E2-DD86-F03334B1E3F8} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [windd.exe] C:\WINDOWS\windd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [<ht] c:\WINDOWS\System32\<html>
O4 - HKCU\..\Run: [<he] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>SupportSoft</tit] c:\WINDOWS\System32\<title>SupportSoft</title>
O4 - HKCU\..\Run: [<meta http-equiv="Pragma" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Pragma" content="no-cache">
O4 - HKCU\..\Run: [<meta http-equiv="no-cac] c:\WINDOWS\System32\<meta http-equiv="no-cache">
O4 - HKCU\..\Run: [<meta http-equiv="Expires" content="] c:\WINDOWS\System32\<meta http-equiv="Expires" content="-1">
O4 - HKCU\..\Run: [<meta http-equiv="Cache-Control" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Cache-Control" content="no-cache">
O4 - HKCU\..\Run: [</he] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<bo] c:\WINDOWS\System32\<body>
O4 - HKCU\..\Run: [<script language="javascri] c:\WINDOWS\System32\<script language="javascript">
O4 - HKCU\..\Run: [location.replace("http://supportsoft.adelphia.net/sdcuser/default.as] c:\WINDOWS\System32\location.replace("http://supportsoft.adelphia.net/sdcuser/default.asp");
O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKCU\..\Run: [</bo] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ZBvnRidFV] msdroute.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: University at Buffalo VPN Client.lnk = C:\Program Files\UB-VPN\vpngui.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20...eInstaller.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winnn32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UB-VPN\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-
Hi
You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
- Download Pocket Killbox version 2.0.0.204
- From one of these locations
- Pocket KillBox
- Pocket KillBox
- If you already have Killbox, first ensure it is this version!
- Start Killbox place a tick next to [x]delete on reboot.
- Copy/Paste (not type or browse) this file and path into the top "Full Path of File to Delete" box.
C:\WINDOWS\windd.exe
C:\WINDOWS\system32\mfcpa.dll
C:\WINDOWS\system32\winnn32.exe
- Place a tick next to all files
- Click the red highlighted X button and say no to the prompt to reboot.
- Exit Killbox, do not restart yet.
- Boot into Safe Mode:
- Click Start, click Run, type msconfig in the Open box, and then click OK.
- click the boot.ini tab > Tick [X]/Safeboot, apply > OK and restart windows.
- then choose safe.
- Stop the Service
- Go to Start > Run and type
- services.msc (then Press enter)
- Scroll down and find (but be careful here, exact spelling counts!!)
- "Remote Procedure Call (RPC) Helper", NOT the other rpc helper
- Double click to bring up the properties, Double check you should see the path and file
C:\WINDOWS\system32\winnn32.exe
- Stop it then set to disable click apply then ok, exit services.
- Run CWShredder:
- Double-click on CWShredder.exe.
- Click "Fix ->" and click "OK" at the prompt.
- CWShredder will scan and clean your system of CWS files.
- Click "Next->" and then "Exit".
- Run AboutBuster and save the logs:
- Browse to where you saved AboutBuster and run AboutBuster.exe.
- Click "begin removal" to allow AboutBuster to scan.
- Please wait while AboutBuster scans your computer for malicious files.
- If it asks if you would like to do a second pass, allow it to do so.
- Click "Exit" to exit AboutBuster.
- Clean out temporary files:
- Start | Run | type cleanmgr | OK
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Click "OK" to remove them.
- Click "Yes" to confirm the deletion.
- Run Hijackthis and place a check next to these items (if there)
- Then click fix checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0880B42C-A5FF-7B56-F478-BFA831757B65} - C:\WINDOWS\system32\mfcpa.dll
O2 - BHO: (no name) - {2A372304-1C61-0152-831B-4AB2CAB61E45} - (no file)
O2 - BHO: (no name) - {2A5C9C87-FE71-3DB2-5032-894AACE38191} - (no file)
O2 - BHO: (no name) - {6D4B3B5F-346E-5E06-6C9B-3AA2F96B789D} - (no file)
O2 - BHO: (no name) - {6FB58235-41A2-D0E2-DD86-F03334B1E3F8} - (no file)
O4 - HKLM\..\Run: [windd.exe] C:\WINDOWS\windd.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [<ht] c:\WINDOWS\System32\<html>
O4 - HKCU\..\Run: [<he] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>SupportSoft</tit] c:\WINDOWS\System32\<title>SupportSoft</title>
O4 - HKCU\..\Run: [<meta http-equiv="Pragma" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Pragma" content="no-cache">
O4 - HKCU\..\Run: [<meta http-equiv="no-cac] c:\WINDOWS\System32\<meta http-equiv="no-cache">
O4 - HKCU\..\Run: [<meta http-equiv="Expires" content="] c:\WINDOWS\System32\<meta http-equiv="Expires" content="-1">
O4 - HKCU\..\Run: [<meta http-equiv="Cache-Control" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Cache-Control" content="no-cache">
O4 - HKCU\..\Run: [</he] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<bo] c:\WINDOWS\System32\<body>
O4 - HKCU\..\Run: [<script language="javascri] c:\WINDOWS\System32\<script language="javascript">
O4 - HKCU\..\Run: [location.replace("http://supportsoft.adelphia.net/sdcuser/default.as] c:\WINDOWS\System32\location.replace("http://supportsoft.adelphia.net/sdcuser/default.asp");
O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKCU\..\Run: [</bo] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [ZBvnRidFV] msdroute.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winnn32.exe" /s (file missing)
- Restart your computer normally to return to normal mode.
- Click Start, click Run, type msconfig in the Open box, and then click OK.
- click the boot.ini tab > Uncheck [ ]/Safeboot, apply > OK and restart windows,
- then choose Normal mode.
- When windows has restarted place a check in the
- [X] don't show this message or launch the system configuration utility when windows starts.
- Get a free online scan:
- Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.
- Prepare your reply:
- Post a fresh HijackThis log And the "Ab LogFile.txt" which will be next to aboutbuster.exe.
- Please note any complications you had.
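-
Added example, not code from HijackThis, the helper or anyone in this thread: a small Python triage pass over the log format used above. The flagging rules are my own heuristics modelled on the entries the helper told the poster to fix (the res:// search hijack and its about:blank residue, orphaned or nameless BHOs, HTML fragments and pathless names in the Run keys, Trusted Zone additions, and the unknown-owner service with the garbled name); the sample lines are copied from the logs posted in this thread, and the rundll32 allowance is an assumption of mine.

```python
import re
from collections import namedtuple

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread (abridged). Nothing here is fetched or executed, only parsed.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winnn32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0880B42C-A5FF-7B56-F478-BFA831757B65} - C:\WINDOWS\system32\mfcpa.dll
O2 - BHO: (no name) - {2A372304-1C61-0152-831B-4AB2CAB61E45} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [windd.exe] C:\WINDOWS\windd.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [<title>SupportSoft</tit] c:\WINDOWS\System32\<title>SupportSoft</title>
O4 - HKCU\..\Run: [ZBvnRidFV] msdroute.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winnn32.exe" /s (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^.*?\\\.\.\\Run(?:Once)?: \[(?P<name>.*?)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: .*? \((?P<short>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
BARE_OK = {"rundll32.exe"}  # assumption: legitimately launched without a path
Finding = namedtuple("Finding", "section reason line")

def _r_rule(section, body):
    # R0/R1: IE start and search settings; R3: URLSearchHook
    if section == "R3" and "missing" in body:
        return "default URLSearchHook has been removed"
    value = body.split(" = ", 1)[-1].strip()
    if value.startswith("res://"):
        return "IE search/start page redirected into a local DLL resource"
    if value == "about:blank":
        return "IE search/start setting blanked (residue of the same hijack)"
    return None

def _o2_rule(section, body):
    # Layout: "BHO: <name> - {CLSID} - <dll path or (no file)>"
    parts = body[len("BHO: "):].split(" - ")
    if parts[-1] == "(no file)":
        return "BHO registered but its DLL is gone (orphaned CLSID)"
    if parts[0] in ("(no name)", "Class"):
        return "BHO with a blank or generic name"
    return None

def _o4_rule(section, body):
    m = O4_RE.match(body)
    if not m:  # Startup-folder entries use another layout; not handled
        return None
    name, cmd = m.group("name"), m.group("cmd")
    if not name or any(ch in name + cmd for ch in "<>;"):
        return "Run value is empty or holds an HTML/script fragment, not a command"
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    if "\\" not in exe:
        return None if exe.lower() in BARE_OK else "bare executable name with no path"
    if exe.rsplit("\\", 1)[0].lower() == "c:\\windows":
        return "executable launched straight from the Windows directory"
    return None

def _o23_rule(section, body):
    m = O23_RE.match(body)
    if not m:  # services listed without a short name are skipped
        return None
    garbled = any(ord(c) < 32 or ord(c) > 126 for c in m.group("short"))
    if m.group("owner") == "Unknown owner" and garbled:
        return "service with unknown owner and a garbled short name"
    if "(file missing)" in m.group("path"):
        return "service points at a binary that is no longer on disk"
    return None

RULES = {"O2": _o2_rule, "O4": _o4_rule, "O23": _o23_rule,
         "O15": lambda s, b: "host added to the IE Trusted Zone / trusted IP range"}

def triage(log_text):
    """Return the entries a first-pass reviewer would want to look at, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:  # header lines and the bare process list carry no R/O tag
            continue
        section, body = m.group("section"), m.group("body")
        rule = _r_rule if section[0] == "R" else RULES.get(section)
        reason = rule(section, body) if rule else None
        if reason:
            findings.append(Finding(section, reason, line.strip()))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}\n     {f.line}")
```

Run over the full log reposted above, these rules reproduce the helper's fix list; the one other "Unknown owner" service (Nhksrv) has a clean short name, so it is left alone just as the helper left it.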
-
Shep123 are you still requiring assistance?
-
This topic will be archived.