Hello, I've been hijacked. HJT log need review

[cdarr]

I need some help please with fixing this. My homepage stays at #37049, I guess a different variation. I cannot start IE anywhere but in admin account.
CW Shredder asks about INTELSPN.EXE but I'm not sure whether to delete it.

Here is My HJT log

What do You guys look for?

Thanks for any input.

Chris

Logfile of HijackThis v1.97.7
Scan saved at 9:22:29 PM, on 06/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\system32\iech.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\iech.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\appki.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lhzrc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lhzrc.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lhzrc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lhzrc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lhzrc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lhzrc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7209F9C3-6DF8-77E8-2A99-C2E455B54257} - C:\WINDOWS\system32\mfctn32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [atlnq32.exe] C:\WINDOWS\system32\atlnq32.exe
O4 - HKLM\..\Run: [appki.exe] C:\WINDOWS\appki.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [iech.exe] C:\WINDOWS\system32\iech.exe
O4 - HKLM\..\RunOnce: [sysol32.exe] C:\WINDOWS\system32\sysol32.exe
O4 - HKLM\..\RunOnce: [addbl32.exe] C:\WINDOWS\addbl32.exe
O4 - HKLM\..\RunOnce: [ntbd32.exe] C:\WINDOWS\ntbd32.exe
O4 - HKLM\..\RunOnce: [winae.exe] C:\WINDOWS\system32\winae.exe
O4 - HKLM\..\RunOnce: [syski32.exe] C:\WINDOWS\system32\syski32.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Do&wnload by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {08A1430F-1FA2-11D2-8084-0080C851E834} (GraphCtl Class) - http://www.berkeleypumps.com/cabfiles/graph.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2493b03ab573ad3...p/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7862.266712963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/Shar.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?305
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82
O17 - HKLM\System\CS2\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82

[Pancake]

Hi
Make sure to have your system set to show hidden files and folders as per http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Close ALL Browser windows then go to Start/Run and type in taskmgr then click "OK".
If listed, highlight the file/s below and then click "End Process":

C:\WINDOWS\system32\iech.exe
C:\WINDOWS\appki.exe


Again go to Start/Run and type in Services.msc then click "OK".
Look for the service called "Network Security Service".
Double-click on it and select disable, stop and click "Apply".
Close ALL windows and get HijackThis to fix all the the files that are listed below.....

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lhzrc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lhzrc.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lhzrc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lhzrc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lhzrc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lhzrc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {7209F9C3-6DF8-77E8-2A99-C2E455B54257} - C:\WINDOWS\system32\mfctn32.dll
O4 - HKLM\..\Run: [atlnq32.exe] C:\WINDOWS\system32\atlnq32.exe
O4 - HKLM\..\Run: [appki.exe] C:\WINDOWS\appki.exe
O4 - HKLM\..\RunOnce: [iech.exe] C:\WINDOWS\system32\iech.exe
O4 - HKLM\..\RunOnce: [sysol32.exe] C:\WINDOWS\system32\sysol32.exe
O4 - HKLM\..\RunOnce: [addbl32.exe] C:\WINDOWS\addbl32.exe
O4 - HKLM\..\RunOnce: [ntbd32.exe] C:\WINDOWS\ntbd32.exe
O4 - HKLM\..\RunOnce: [winae.exe] C:\WINDOWS\system32\winae.exe
O4 - HKLM\..\RunOnce: [syski32.exe] C:\WINDOWS\system32\syski32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2493b03ab573ad...ip/RdxIE601.cab


After that is done go into Safe Mode and remove the colored file/s from your main directory.

C:\WINDOWS\system32\atlnq32.exe
C:\WINDOWS\appki.exe
C:\WINDOWS\system32\iech.exe
C:\WINDOWS\system32\sysol32.exe
C:\WINDOWS\addbl32.exe
C:\WINDOWS\ntbd32.exe
C:\WINDOWS\system32\winae.exe
C:\WINDOWS\system32\syski32.exe


Reboot the computer.
Download "Cwsfix" from the list below.
Then unzip and double click the attached reg file and answer yes to the prompt.

[cdarr]

I must have missed a file because it came back. Popup immediately. I did run adaware before trying your suggestion, so it may have removed some of the files I could not find. How do you know which files to remove. I saw a syshd32.exe did not know if it should go also.

Network Sec Svc gave me an error :Config mgr: A reqd entry in the reg is missng or an attempt to write failed. <OK> then

The system cannot find the file specified <OK>

should I run adaware and manually look for all of the files and delete them in safe mode?

Here is a new log file.
Logfile of HijackThis v1.97.7
Scan saved at 7:39:23 AM, on 06/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\syshd32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cyrpx.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cyrpx.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cyrpx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cyrpx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cyrpx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cyrpx.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D5058A20-A9B3-4BE0-AA2D-1FE9375BA5E6} - C:\WINDOWS\ipts.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ipts.exe] C:\WINDOWS\ipts.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Do&wnload by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {08A1430F-1FA2-11D2-8084-0080C851E834} (GraphCtl Class) - http://www.berkeleypumps.com/cabfiles/graph.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7862.266712963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/Shar.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?305
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82
O17 - HKLM\System\CS2\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82


Thank you for your help.

[Pancake]

Yes take out that file and then these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cyrpx.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cyrpx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cyrpx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cyrpx.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cyrpx.dll/sp.html#37049
O4 - HKLM\..\Run: [ipts.exe] C:\WINDOWS\ipts.exe

follow the same intruction as before.When all is done then run Adaware.

[cdarr]

hey pancake thanks for your help, still have not zapped it.
Is there a list, or how do you tell when you see a bad file?

Here is the uptodate HJT file:

Logfile of HijackThis v1.97.7
Scan saved at 9:56:11 PM, on 06/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\addbo.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\d3gq32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Hijack\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ADCAF3DF-AFF5-EA8A-4E12-1BF8D0029FBF} - C:\WINDOWS\system32\ipol.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [d3gq32.exe] C:\WINDOWS\system32\d3gq32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Do&wnload by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {08A1430F-1FA2-11D2-8084-0080C851E834} (GraphCtl Class) - http://www.berkeleypumps.com/cabfiles/graph.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7862.266712963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/Shar.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?305
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82
O17 - HKLM\System\CS2\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82


What is addbo.exe and d3gq32.exe , and ipol.dll ? will it hurt to delete the no name BHO? What is a BHO anyway? How about the spool\driver namedhpztsb04.exe What is nwiz.exe and d3gq32.exe ?

I think from reviewing posts it is getting pretty obvious that the file names continually change. Does it do this every reboot, or startup of IE? I still have the "only the best" popup. Biggest challenge is IE get an explorer error starting in any user other than admin account. I was told that using my computer hooked with an always on internet access left it more vulnerable, so I made user accounts with less privileges for day to day use.


Thanks for all of your help.

Chris


ps. can I get rid of the "017"'s at the end of the log file? Thanks

[Pancake]

Hi.keep at it...seems to be a hidden one somewhere.When finished run "Adaware"
This..named hpztsb04.exe is a printer driver and this..nwiz.exe is Nvidia helper file.What is a BHO ...

Make sure to have your system set to show hidden files and folders.. Check Here

Close ALL Browser windows then go to Start/Run and type in taskmgr then click "OK".
If listed, highlight the file/s below and then click "End Process":


C:\WINDOWS\system32\addbo.exe
C:\WINDOWS\system32\d3gq32.exe


Again go to Start/Run and type in Services.msc then click "OK".
Look for the service called "Network Security Service".
Double-click on it and select disable, stop and click "Apply".
Close ALL windows and get HijackThis to fix all the the files that are listed below.....

O4 - HKLM\..\Run: [d3gq32.exe] C:\WINDOWS\system32\d3gq32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/active...ol_v1-0-3-0.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82
O17 - HKLM\System\CS2\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: Domain = ionet.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{482DCC7F-489E-4521-B0EE-8545A2AAF2BC}: NameServer = 206.41.128.10,206.41.131.3,207.217.77.82



After that is done go into Safe Mode and remove the colored file/s from your main directory if present.

C:\WINDOWS\system32\addbo.exe
C:\WINDOWS\system32\d3gq32.exe

Reboot the computer.
Download "Cwsfix" from the list below.
Then unzip and double click the attached reg file and answer yes to the prompt.Reboot and post a fresh HJT log.Thanks.

[cdarr]

Ok, did all. Came back as soon as I started IE again. Here are logs for before and after starting IE. What is the ippb32.dll file, also saw the same with .exe.


Before start IE

Logfile of HijackThis v1.97.7
Scan saved at 7:56:08 AM, on 06/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Hijack\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {55E7FCAD-77C1-35FF-8206-D7405C6CDFAB} - C:\WINDOWS\ippb32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Do&wnload by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {08A1430F-1FA2-11D2-8084-0080C851E834} (GraphCtl Class) - http://www.berkeleypumps.com/cabfiles/graph.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7862.266712963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/Shar.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?305
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab

After starting IE:

Logfile of HijackThis v1.97.7
Scan saved at 7:58:12 AM, on 06/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\sysox32.exe
C:\WINDOWS\d3xm.exe
C:\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqzwq.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tqzwq.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tqzwq.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqzwq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tqzwq.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tqzwq.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {55E7FCAD-77C1-35FF-8206-D7405C6CDFAB} - C:\WINDOWS\ippb32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [appks32.exe] C:\WINDOWS\system32\appks32.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Do&wnload by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {08A1430F-1FA2-11D2-8084-0080C851E834} (GraphCtl Class) - http://www.berkeleypumps.com/cabfiles/graph.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7862.266712963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/Shar.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?305
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab


Thanks again for all of your help. I don't want to get to delete happy, maybe there is a list of what not to remove, or can I just copy to a floppy before deleting?

Chris

[Pancake]

It keeps mutating and I need to find out why and where its hidding.Hjt should create backup files before you delete anything so it can be reinstalled if needed.

[cdarr]

I dont seem to be able to post replies.

[cdarr]

I don't know what happened, the page told me I was not logged in when I hit "submit reply" this is the third time i have typed this msg.

thanks for all of your help

I ran AAW and went to safe mode and deleted all entries and some that looked like mutations/ similar. I have not tried to use IE from the admin. acct. yet, it is working in the user acct. If the infection reappears from admin I cant use IE in the user acct.

Let me know if I need to post any more logs.

FYI here is one running from the user account:
Logfile of HijackThis v1.97.7
Scan saved at 10:54:21 AM, on 06/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink, Inc.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Do&wnload by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {08A1430F-1FA2-11D2-8084-0080C851E834} (GraphCtl Class) - http://www.berkeleypumps.com/cabfiles/graph.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7862.266712963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/Shar.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?305
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab


Again thanks for your help.

Chris

[Pancake]

Cant see anything wrong now.Your log is clean