Thread: Hijack this Log:

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default Hijack this Log:

    I'm trying to rid my roommate's computer of its spyware problem. This afternoon I ran newly updated Spybot and Ad-Aware and then ran HijackThis. Here is the log. Any analysis or help would be greatly appreciated, thank you! (I actually ran this log about two hours after the scans, if that matters.)

    Logfile of HijackThis v1.99.1
    Scan saved at 9:47:16 PM, on 12/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\UB-VPN\cvpnd.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\stickies\stickies.exe
    C:\WINDOWS\system32\winnn32.exe
    C:\WINDOWS\windd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jeremy Garvin\Desktop\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {0880B42C-A5FF-7B56-F478-BFA831757B65} - C:\WINDOWS\system32\mfcpa.dll
    O2 - BHO: (no name) - {2A372304-1C61-0152-831B-4AB2CAB61E45} - (no file)
    O2 - BHO: (no name) - {2A5C9C87-FE71-3DB2-5032-894AACE38191} - (no file)
    O2 - BHO: (no name) - {6D4B3B5F-346E-5E06-6C9B-3AA2F96B789D} - (no file)
    O2 - BHO: (no name) - {6FB58235-41A2-D0E2-DD86-F03334B1E3F8} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [windd.exe] C:\WINDOWS\windd.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [<ht] c:\WINDOWS\System32\<html>
    O4 - HKCU\..\Run: [<he] c:\WINDOWS\System32\<head>
    O4 - HKCU\..\Run: [<title>SupportSoft</tit] c:\WINDOWS\System32\<title>SupportSoft</title>
    O4 - HKCU\..\Run: [<meta http-equiv="Pragma" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Pragma" content="no-cache">
    O4 - HKCU\..\Run: [<meta http-equiv="no-cac] c:\WINDOWS\System32\<meta http-equiv="no-cache">
    O4 - HKCU\..\Run: [<meta http-equiv="Expires" content="] c:\WINDOWS\System32\<meta http-equiv="Expires" content="-1">
    O4 - HKCU\..\Run: [<meta http-equiv="Cache-Control" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Cache-Control" content="no-cache">
    O4 - HKCU\..\Run: [</he] c:\WINDOWS\System32\</head>
    O4 - HKCU\..\Run: [<bo] c:\WINDOWS\System32\<body>
    O4 - HKCU\..\Run: [<script language="javascri] c:\WINDOWS\System32\<script language="javascript">
    O4 - HKCU\..\Run: [location.replace("http://supportsoft.adelphia.net/sdcuser/default.as] c:\WINDOWS\System32\location.replace("http://supportsoft.adelphia.net/sdcuser/default.asp");
    O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
    O4 - HKCU\..\Run: [</bo] c:\WINDOWS\System32\</body>
    O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ZBvnRidFV] msdroute.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: University at Buffalo VPN Client.lnk = C:\Program Files\UB-VPN\vpngui.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20...eInstaller.exe
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winnn32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UB-VPN\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi Shep123

    Download both of these tools:

    http://www.trendmicro.com/cwshredder/
    Don't run it yet.
    And AboutBuster:
    http://www.downloads.subratam.org/AboutBuster.zip
    Extract the files to your My Documents folder, run the AboutBuster exe and check for updates, then close it.

    Disconnect from the internet, run CWShredder, reboot when prompted, run AboutBuster, reboot again.

    Once back, make and post a fresh HijackThis log.

  3. #3
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default After your steps

    I followed your steps as you suggested. Downloaded the two programs, but CWShredder didn't pick anything up. AboutBuster did, however, and so did Spybot when it ran automatically at startup. Here is the new log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:35:54 PM, on 12/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\UB-VPN\cvpnd.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\winnn32.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\windd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\stickies\stickies.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jeremy Garvin\Desktop\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {0880B42C-A5FF-7B56-F478-BFA831757B65} - C:\WINDOWS\system32\mfcpa.dll
    O2 - BHO: (no name) - {2A372304-1C61-0152-831B-4AB2CAB61E45} - (no file)
    O2 - BHO: (no name) - {2A5C9C87-FE71-3DB2-5032-894AACE38191} - (no file)
    O2 - BHO: (no name) - {6D4B3B5F-346E-5E06-6C9B-3AA2F96B789D} - (no file)
    O2 - BHO: (no name) - {6FB58235-41A2-D0E2-DD86-F03334B1E3F8} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [windd.exe] C:\WINDOWS\windd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [<ht] c:\WINDOWS\System32\<html>
    O4 - HKCU\..\Run: [<he] c:\WINDOWS\System32\<head>
    O4 - HKCU\..\Run: [<title>SupportSoft</tit] c:\WINDOWS\System32\<title>SupportSoft</title>
    O4 - HKCU\..\Run: [<meta http-equiv="Pragma" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Pragma" content="no-cache">
    O4 - HKCU\..\Run: [<meta http-equiv="no-cac] c:\WINDOWS\System32\<meta http-equiv="no-cache">
    O4 - HKCU\..\Run: [<meta http-equiv="Expires" content="] c:\WINDOWS\System32\<meta http-equiv="Expires" content="-1">
    O4 - HKCU\..\Run: [<meta http-equiv="Cache-Control" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Cache-Control" content="no-cache">
    O4 - HKCU\..\Run: [</he] c:\WINDOWS\System32\</head>
    O4 - HKCU\..\Run: [<bo] c:\WINDOWS\System32\<body>
    O4 - HKCU\..\Run: [<script language="javascri] c:\WINDOWS\System32\<script language="javascript">
    O4 - HKCU\..\Run: [location.replace("http://supportsoft.adelphia.net/sdcuser/default.as] c:\WINDOWS\System32\location.replace("http://supportsoft.adelphia.net/sdcuser/default.asp");
    O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
    O4 - HKCU\..\Run: [</bo] c:\WINDOWS\System32\</body>
    O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ZBvnRidFV] msdroute.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: University at Buffalo VPN Client.lnk = C:\Program Files\UB-VPN\vpngui.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20011004/qtinstall.info.apple.com/qt503/us/win/QuickTimeInstaller.exe
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winnn32.exe" /s (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UB-VPN\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    Post another log after turning word wrap off, so the formatting isn't guffed up, please.

  5. #5
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    My B. I cut and pasted that twice, not realizing word wrap was causing that mess. Here ya go:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:35:54 PM, on 12/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\UB-VPN\cvpnd.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\winnn32.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\windd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\stickies\stickies.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jeremy Garvin\Desktop\HiJack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {0880B42C-A5FF-7B56-F478-BFA831757B65} - C:\WINDOWS\system32\mfcpa.dll
    O2 - BHO: (no name) - {2A372304-1C61-0152-831B-4AB2CAB61E45} - (no file)
    O2 - BHO: (no name) - {2A5C9C87-FE71-3DB2-5032-894AACE38191} - (no file)
    O2 - BHO: (no name) - {6D4B3B5F-346E-5E06-6C9B-3AA2F96B789D} - (no file)
    O2 - BHO: (no name) - {6FB58235-41A2-D0E2-DD86-F03334B1E3F8} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [windd.exe] C:\WINDOWS\windd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [<ht] c:\WINDOWS\System32\<html>
    O4 - HKCU\..\Run: [<he] c:\WINDOWS\System32\<head>
    O4 - HKCU\..\Run: [<title>SupportSoft</tit] c:\WINDOWS\System32\<title>SupportSoft</title>
    O4 - HKCU\..\Run: [<meta http-equiv="Pragma" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Pragma" content="no-cache">
    O4 - HKCU\..\Run: [<meta http-equiv="no-cac] c:\WINDOWS\System32\<meta http-equiv="no-cache">
    O4 - HKCU\..\Run: [<meta http-equiv="Expires" content="] c:\WINDOWS\System32\<meta http-equiv="Expires" content="-1">
    O4 - HKCU\..\Run: [<meta http-equiv="Cache-Control" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Cache-Control" content="no-cache">
    O4 - HKCU\..\Run: [</he] c:\WINDOWS\System32\</head>
    O4 - HKCU\..\Run: [<bo] c:\WINDOWS\System32\<body>
    O4 - HKCU\..\Run: [<script language="javascri] c:\WINDOWS\System32\<script language="javascript">
    O4 - HKCU\..\Run: [location.replace("http://supportsoft.adelphia.net/sdcuser/default.as] c:\WINDOWS\System32\location.replace("http://supportsoft.adelphia.net/sdcuser/default.asp");
    O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
    O4 - HKCU\..\Run: [</bo] c:\WINDOWS\System32\</body>
    O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ZBvnRidFV] msdroute.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: University at Buffalo VPN Client.lnk = C:\Program Files\UB-VPN\vpngui.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20...eInstaller.exe
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winnn32.exe" /s (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UB-VPN\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
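As an added example that is not part of this thread: a small Python triage script for HijackThis log lines in the format posted above. It flags the kinds of entries the helper singles out (start/search pages redirected into a res:// DLL resource, orphaned or generically named BHOs, O4 Run values that are HTML fragments or bare filenames, Trusted Zone additions, and O23 services with a garbled name, unknown owner or missing binary). The sample lines are a constructed subset of the log above; the heuristics are my own and are a triage aid, not a verdict.

```python
import re

# Constructed subset of the HijackThis v1.99.1 lines posted in this thread
# (the garbled service name is copied exactly as it appears in the log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tczkg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0880B42C-A5FF-7B56-F478-BFA831757B65} - C:\WINDOWS\system32\mfcpa.dll
O2 - BHO: (no name) - {2A372304-1C61-0152-831B-4AB2CAB61E45} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [windd.exe] C:\WINDOWS\windd.exe
O4 - HKCU\..\Run: [<ht] c:\WINDOWS\System32\<html>
O4 - HKCU\..\Run: [ZBvnRidFV] msdroute.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winnn32.exe" /s (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
SVC_RE = re.compile(
    r"^Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$"
)
GENERIC_BHO_NAMES = {"(no name)", "class"}


def check_r(body):
    """R0/R1/R3 lines: IE start/search page settings and the URLSearchHook."""
    if "res://" in body:
        return "start/search page points into a DLL resource (res://)"
    if "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    return None


def check_o2(body):
    """O2 lines: Browser Helper Objects."""
    m = BHO_RE.match(body)
    if not m:
        return None
    if m["path"] == "(no file)":
        return "orphaned BHO registration (no file)"
    if m["name"].lower() in GENERIC_BHO_NAMES and "\\system32\\" in m["path"].lower():
        return "generically named BHO loaded from system32"
    return None


def check_o4(body):
    """O4 lines: registry Run entries ([name] command)."""
    m = RUN_RE.match(body)
    if not m:
        return None  # Startup-folder entries use a different layout; skipped here
    cmd = m["cmd"].strip('"')
    if "<" in cmd or ">" in cmd:
        return "Run value is an HTML fragment, not a command"
    tokens = cmd.split()
    first = tokens[0] if tokens else ""
    if first.lower().endswith(".exe") and "\\" not in first:
        return "Run value is a bare filename (resolved via PATH, not an absolute path)"
    return None


def check_o15(body):
    """O15 lines: every Trusted Zone / Trusted IP addition is worth a look."""
    return "IE Trusted Zone entry relaxes security for: " + body.split(": ", 1)[-1]


def check_o23(body):
    """O23 lines: services (display name, short name, owner, binary path)."""
    m = SVC_RE.match(body)
    if not m:
        return None
    reasons = []
    short = m["short"] or ""
    # A legitimate service short name is plain ASCII; binary junk is a red flag.
    if short and not re.fullmatch(r"[\w .-]*", short, flags=re.ASCII):
        reasons.append("garbled/non-printable service name")
    if m["owner"] == "Unknown owner":
        reasons.append("unknown owner")
    if m["path"].endswith("(file missing)"):
        reasons.append("service binary missing")
    return "; ".join(reasons) or None


CHECKS = {"O2": check_o2, "O4": check_o4, "O15": check_o15, "O23": check_o23}


def check_for(kind):
    return check_r if kind.startswith("R") else CHECKS.get(kind)


def triage(log_text):
    """Return [(line, reason)] for every log line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and the process list are not scored
        check = check_for(m["kind"])
        reason = check(m["body"]) if check else None
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```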

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
    1. Download Pocket Killbox version 2.0.0.204
      • From one of these locations
      • Pocket KillBox
      • Pocket KillBox
      • If you already have Killbox, first ensure it is this version!
      • Start Killbox place a tick next to [x]delete on reboot.
      • Copy/Paste (not type or browse) this file and path into the top "Full Path of File to Delete" box.

      • C:\WINDOWS\windd.exe
        C:\WINDOWS\system32\mfcpa.dll
        C:\WINDOWS\system32\winnn32.exe
      • Place a tick next to all files
      • Click the red highlighted X button and say no to the prompt to reboot.
      • Exit Killbox, do not restart yet.
    2. Boot into Safe Mode:
      • Click Start, click Run, type msconfig in the Open box, and then click OK.
      • Click the boot.ini tab > tick [X]/Safeboot, Apply > OK and restart Windows.
      • Then choose Safe.
    3. Stop the Service
      • Go to Start > Run and type
      • services.msc (then Press enter)
      • Scroll down and find (but be careful here, exact spelling counts!!)
      • "Remote Procedure Call (RPC) Helper", NOT the other rpc helper
      • Double click to bring up the properties, Double check you should see the path and file
        C:\WINDOWS\system32\winnn32.exe
      • Stop it then set to disable click apply then ok, exit services.
    4. Run CWShredder:
      • Double-click on CWShredder.exe.
      • Click "Fix ->" and click "OK" at the prompt.
      • CWShredder will scan and clean your system of CWS files.
      • Click "Next->" and then "Exit".
    5. Run AboutBuster and save the logs:
      • Browse to where you saved AboutBuster and run AboutBuster.exe.
      • Click "begin removal" to allow AboutBuster to scan.
      • Please wait while AboutBuster scans your computer for malicious files.
      • If it asks if you would like to do a second pass, allow it to do so.
      • Click "Exit" to exit AboutBuster.
    6. Clean out temporary files:
      • Start | Run | type cleanmgr | OK
      • Let it scan your system for files to remove.
      • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
      • Click "OK" to remove them.
      • Click "Yes" to confirm the deletion.
    7. Run HijackThis and place a check next to these items (if there):
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
        R3 - Default URLSearchHook is missing
        O2 - BHO: Class - {0880B42C-A5FF-7B56-F478-BFA831757B65} - C:\WINDOWS\system32\mfcpa.dll
        O2 - BHO: (no name) - {2A372304-1C61-0152-831B-4AB2CAB61E45} - (no file)
        O2 - BHO: (no name) - {2A5C9C87-FE71-3DB2-5032-894AACE38191} - (no file)
        O2 - BHO: (no name) - {6D4B3B5F-346E-5E06-6C9B-3AA2F96B789D} - (no file)
        O2 - BHO: (no name) - {6FB58235-41A2-D0E2-DD86-F03334B1E3F8} - (no file)
        O4 - HKLM\..\Run: [windd.exe] C:\WINDOWS\windd.exe
        O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
        O4 - HKCU\..\Run: [<ht] c:\WINDOWS\System32\<html>
        O4 - HKCU\..\Run: [<he] c:\WINDOWS\System32\<head>
        O4 - HKCU\..\Run: [<title>SupportSoft</tit] c:\WINDOWS\System32\<title>SupportSoft</title>
        O4 - HKCU\..\Run: [<meta http-equiv="Pragma" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Pragma" content="no-cache">
        O4 - HKCU\..\Run: [<meta http-equiv="no-cac] c:\WINDOWS\System32\<meta http-equiv="no-cache">
        O4 - HKCU\..\Run: [<meta http-equiv="Expires" content="] c:\WINDOWS\System32\<meta http-equiv="Expires" content="-1">
        O4 - HKCU\..\Run: [<meta http-equiv="Cache-Control" content="no-cac] c:\WINDOWS\System32\<meta http-equiv="Cache-Control" content="no-cache">
        O4 - HKCU\..\Run: [</he] c:\WINDOWS\System32\</head>
        O4 - HKCU\..\Run: [<bo] c:\WINDOWS\System32\<body>
        O4 - HKCU\..\Run: [<script language="javascri] c:\WINDOWS\System32\<script language="javascript">
        O4 - HKCU\..\Run: [location.replace("http://supportsoft.adelphia.net/sdcuser/default.as] c:\WINDOWS\System32\location.replace("http://supportsoft.adelphia.net/sdcuser/default.asp");
        O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
        O4 - HKCU\..\Run: [</bo] c:\WINDOWS\System32\</body>
        O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
        O4 - HKCU\..\Run: [ZBvnRidFV] msdroute.exe
        O15 - Trusted Zone: *.awmdabest.com
        O15 - Trusted Zone: *.frame.crazywinnings.com
        O15 - Trusted Zone: *.awmdabest.com (HKLM)
        O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
        O15 - Trusted IP range: 206.161.125.149
        O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winnn32.exe" /s (file missing)
      • Then click Fix checked.

    8. Restart your computer normally to return to Normal mode:
      • Click Start, click Run, type msconfig in the Open box, and then click OK.
      • Click the BOOT.INI tab, uncheck [ ] /SAFEBOOT, click Apply > OK and restart Windows.
      • Then choose Normal mode.
      • When Windows has restarted, place a check in [X] Don't show this message or launch the System Configuration Utility when Windows starts.
    9. Get a free online scan:
      • Kaspersky Lab - Free Online scan:
        http://www.kaspersky.com/virusscanner
        Click Scan settings and place a check next to [x] Use extended database, etc. Click OK.
        Then choose My Computer: scan all your hard drives and mapped disks.
        When finished, click Save as text and post that in your reply.
    10. Prepare your reply:
      • Post a fresh HijackThis log and the "Ab LogFile.txt", which will be next to aboutbuster.exe.
      • Please note any complications you had.
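The fix list in the reply above is built by reading the HijackThis log for a handful of recurring indicators: Internet Explorer search settings reset to about:blank, BHO CLSIDs that point at no file, Run values that contain HTML fragments or a bare executable name, Trusted Zone entries, and a service whose binary is missing. The script below is an added example written for this thread, not part of the reply or of HijackThis itself; it parses log lines in that format and flags each of those patterns, cross-checking against the three files the reply tells the poster to delete. The sample log is constructed from a subset of the entries quoted above plus two benign lines; `Finding`, `inspect_line`, `triage` and `summarize` are names chosen for this example.

```python
"""Triage a HijackThis-style log for the hijack indicators discussed in this thread.

Added example: classifies each log line by its section prefix (R0/R1/R3/O2/O4/O15/O23)
and reports the reason a helper would tell the poster to fix it.
"""
import re
from dataclasses import dataclass

# Files the reply tells the poster to delete with Killbox; any log line that
# still references one of them is flagged regardless of section.
KILL_LIST = ("windd.exe", "mfcpa.dll", "winnn32.exe")

# Constructed sample log: a subset of the entries quoted in the reply, plus a
# benign R0 line and two benign Symantec entries the filter should leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0880B42C-A5FF-7B56-F478-BFA831757B65} - C:\WINDOWS\system32\mfcpa.dll
O2 - BHO: (no name) - {2A372304-1C61-0152-831B-4AB2CAB61E45} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [windd.exe] C:\WINDOWS\windd.exe
O4 - HKCU\..\Run: [<title>SupportSoft</tit] c:\WINDOWS\System32\<title>SupportSoft</title>
O4 - HKCU\..\Run: [ZBvnRidFV] msdroute.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winnn32.exe" /s (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section prefix, e.g. "O4"
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _references_kill_list(body):
    low = body.lower()
    return any(name in low for name in KILL_LIST)


def inspect_line(line):
    """Return a Finding for a suspicious log line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if _references_kill_list(body):
        return Finding(sec, "references a file scheduled for deletion", line)
    if sec in ("R0", "R1") and body.endswith("= about:blank"):
        return Finding(sec, "IE search/start setting hijacked to about:blank", line)
    if sec == "R3" and "is missing" in body:
        return Finding(sec, "default URLSearchHook removed", line)
    if sec == "O2" and body.endswith("(no file)"):
        return Finding(sec, "BHO CLSID registered but its DLL is gone", line)
    if sec == "O4":
        r = RUN_RE.search(body)
        if r:
            name, cmd = r.group("name"), r.group("cmd")
            # A Run name is normally a short word like [ccApp]; angle brackets or
            # quotes mean an HTML page was written into the key as if it were a command.
            if re.search(r'[<>"]', name) or re.search(r"[<>]", cmd):
                return Finding(sec, "Run value contains HTML fragments, not a command", line)
            if "\\" not in cmd:
                return Finding(sec, "Run value has no path (bare executable name)", line)
    if sec == "O15":
        return Finding(sec, "Trusted Zone / Trusted IP entry (rarely legitimate on a home PC)", line)
    if sec == "O23":
        if "(file missing)" in body:
            return Finding(sec, "service binary missing on disk", line)
        svc_name = body.split(" - ", 1)[0]
        if any(ord(ch) < 32 or ord(ch) > 126 for ch in svc_name):
            return Finding(sec, "service name contains non-printable characters", line)
    return None


def triage(log_text):
    """Run inspect_line over every line and keep the hits, in log order."""
    return [f for f in map(inspect_line, log_text.strip().splitlines()) if f]


def summarize(findings):
    """Count findings per HijackThis section, e.g. {'O4': 3, 'O15': 2}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section:<4} {f.reason}\n     {f.line.strip()}")
    print(summarize(hits))
```

The kill-list check runs first so that a line is reported once, with the most concrete reason; everything else is a heuristic a human should confirm before fixing, which is exactly why the reply asks for the log rather than telling the poster to fix every O2 or O4 line.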

  7. #7
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959

    Default

    Shep123 are you still requiring assistance?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  8. #8
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959

    Default

    This topic will be archived.
