
Hijacked browser2

Discussion in 'Security and Privacy' started by Eleanor316, 2004/06/27.

  1. 2004/06/27
    Eleanor316

    Eleanor316 Well-Known Member Thread Starter

    Joined:
    2002/09/29
    Messages:
    268
    Likes Received:
    2
    Part 1 of 2
    I have run Spybot 1.3, CW shredder and Adaware. I will post the scan from HijackThis in 2 parts as it is so long.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:00:11 PM, on 6/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\ZoneAlarm\zlclient.exe
    C:\Program Files\WeatherBug\Weather.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\WINNT\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\fxssvc.exe
    C:\WINNT\system32\cidaemon.exe
    C:\Program Files\HijackThis\Install.exe

    Part 2 will follow
     
  2. 2004/06/27
    Eleanor316

    Eleanor316 Well-Known Member Thread Starter

    Hijacked browser 2

    Part 2 of 2

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.contracostatimes.com/mld/cctimes/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alltheinternet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alltheinternet.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheinternet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alltheinternet.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alltheinternet.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alltheinternet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.alltheinternet.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.alltheinternet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.alltheinternet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bayarea.com/mld/cctimes/
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {79FCC22A-DA76-44FF-A4C0-CE6AE72CF911} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Weather] C:\Program Files\WeatherBug\Weather.exe 1
    O4 - Startup: My DSL.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Popup Eliminator (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
    O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
    O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
    O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/19840c0b819db3161a22/netzip/RdxIE2.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.851712963
    O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/Typography/Utility/1/WXP/EN-US/clearadj.CAB
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesLifestyleDownloaderSigned.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66094A7E-ACEE-4F0C-9A6F-3FACA371C221}: NameServer = 206.13.28.12 206.13.29.12

    End of post
     
  4. 2004/06/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    C:\WINNT\System32\tcpsvcs.exe
    C:\Program Files\Common Files\Lanovation\Prism XL\PRISM XL.SYS


    I think maybe you need to describe how this PC is being used. Those two are legit items but unusual except on a network and a machine that is doing a fair bit of the network controlling. If this is a small peer network, they could indicate a problem.

    C:\WINNT\system32\fxssvc.exe

    Again, a legit item used for faxing on 2K/XP systems. But a bit of a resource hog so the service should be set to manual if Microsoft Faxing is being used or to disabled if not. It can chew up some significant resources.

    I'll leave the hijack specifics to the experts. I will say there is more interesting stuff running on this PC.
     
    Newt,
    #3
  5. 2004/06/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    Optional>>>>>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.contracostatimes.com/mld/cctimes/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alltheinternet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alltheinternet.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheinternet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alltheinternet.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alltheinternet.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alltheinternet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alltheinternet.com/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.alltheinternet.com/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.alltheinternet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.alltheinternet.com
    Optional>>>>>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bayarea.com/mld/cctimes/
    R3 - Default URLSearchHook is missing
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/19840c0b819db3...tzip/RdxIE2.cab
    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab



    If you have unchecked items in msconfig, unsure of what they are, please recheck them, before rebooting and creating a new HJT log.

    Unless you frequent investors.com, fix the following entry also.
    O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx

    Suggest you see this link related to the CLSID for the pcpowerscan DPF, and remove all components mentioned that you find on the PC. DO NOT unregister any DLLs as suggested. It's no longer safe to do so. Also recommend you scan with RAV. If any files are found infected, rescan then with the autoclean box checked. If uncleanable, get a report and copy/paste it here.


    Copy and paste the following command into the address bar then hit enter.

    javascript:navigator.userAgent
    Copy the text of the resulting window and paste it here with your next reply and new HJT log.


    We will take care of the remainder of cleanup after the above is completed.
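    The entries noahdfear lists above (R0/R1 start and search pages redirected to alltheinternet.com, the missing URLSearchHook, and the unnamed O16 ActiveX downloads, one of them from a bare IP address) follow fixed line shapes in a HijackThis 1.97 log. The following triage script is an added example, not code from this thread or from HijackThis itself; it parses those shapes and flags the same kinds of entries, using a constructed allowlist of the two news sites the poster evidently chose as her own start pages.

```python
"""Triage helper for HijackThis 1.97-style log lines (added example).

Parses the R0/R1, R3, O4 and O16 line formats seen in the logs above and
flags entries matching what the helpers act on: IE start/search/default
URLs pointing at a host the user did not choose, a missing URLSearchHook,
HKLM Run entries named by a bare GUID or loading a DLL via rundll32, and
O16 ActiveX downloads served from a bare IP address or with no control name.
Unnamed O16 controls are listed for human review, not declared malicious.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts the user is assumed to have chosen for IE.
TRUSTED_IE_HOSTS = {"www.contracostatimes.com", "www.bayarea.com"}

# Line shapes used by HijackThis 1.97 in the logs posted in this thread.
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM))\\(.+?),(.+?) = (.+)$")
O4_LINE = re.compile(r"^O4 - (HK(?:CU|LM))\\\.\.\\Run: \[(.+?)\] (.+)$")
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\}|\S+)(?: \((.*?)\))? - (\S+)$")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def host_of(url):
    """Return the lowercase host part of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def triage_line(line):
    """Return (section, reason) if the line looks hijacked or suspicious, else None."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        section, hive, _key, value_name, url = m.groups()
        host = host_of(url)
        if host and host not in TRUSTED_IE_HOSTS:
            return (section, f"{hive} {value_name} points at untrusted host {host}")
        return None
    if line.startswith("R3 - ") and "URLSearchHook is missing" in line:
        return ("R3", "default URLSearchHook removed (typical of search hijackers)")
    m = O4_LINE.match(line)
    if m:
        _hive, name, cmd = m.groups()
        if GUID_NAME.match(name):
            return ("O4", f"Run entry named by GUID launches {cmd}")
        if "rundll32" in cmd.lower() and ",DllRunMain" in cmd:
            return ("O4", f"rundll32 loads a DLL entry point: {cmd}")
        return None
    m = O16_LINE.match(line)
    if m:
        _clsid, ctl_name, url = m.groups()
        host = host_of(url)
        if IPV4_HOST.match(host):
            return ("O16", f"ActiveX control downloaded from bare IP {host}")
        if not ctl_name and url.lower().startswith("http"):
            return ("O16", f"unnamed ActiveX control from {host} (review)")
        return None
    return None


def triage_log(text):
    """Run triage_line over every line of a log; return [(section, line, reason)]."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], line.strip(), hit[1]))
    return findings


# Constructed excerpt of the log lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.contracostatimes.com/mld/cctimes/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alltheinternet.com/search.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/19840c0b819db3161a22/netzip/RdxIE2.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
"""

if __name__ == "__main__":
    for section, line, reason in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Running the script on the excerpt lists five findings: the alltheinternet.com search URL, the missing URLSearchHook, the GUID-named Run entry, and the two unnamed O16 downloads; the chosen start page, the Symantec Run entry and the named Flash control pass.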
     
  6. 2004/06/28
    Eleanor316

    Eleanor316 Well-Known Member Thread Starter

    Hijacked browser

    Hijackthis Part 1 of 2

    Went to this website CLSID for the pcpowerscan DPF; did not find anything related to your instructions.

    Ran RAV without autoclean (forgot to set it); it identified files infected with W32.SQLSlammer.worm. I ran the Symantec W32.SQLSlammer.worm removal tool. It did not find any infected files. Also one temp file found to be infected with trojan downloader.

    I ran a complete NAV system scan this AM. I have been very faithful about keeping Norton NAV updated using Intelligent Updater. Don’t know why RAV would identify infected files.

    I checked some files in msconfig which I know to be spyware so they can be deleted. Others which I checked are unknown, while others like Black Ice, I want to get rid of.

    I attempted to uninstall Black Ice some time ago, but due to unknown circumstances it would not completely uninstall. I stopped using Black Ice due to the fact that after the last update it stopped running frequently. I am now running ZoneAlarm.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:34:59 AM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\ZoneAlarm\zlclient.exe
    C:\Program Files\WeatherBug\Weather.exe
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\WINNT\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\fxssvc.exe
    C:\WINNT\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\MDM.EXE
    C:\Program Files\HijackThis\Install.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.contracostatimes.com/mld/cctimes/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bayarea.com/mld/cctimes/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {79FCC22A-DA76-44FF-A4C0-CE6AE72CF911} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [Si Meter] C:\PROGRA~1\SIMETE~1\SiMeter.exe
    O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [My Search Bar Eq] "C:\Program Files\MySearch\bar\s4bareq.exe" /r
    O4 - HKLM\..\Run: [msbb] C:\Program Files\n-CASE\msbb.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Inet Delivery] C:\Program Files\Inet Delivery\intdel_2.exe
    O4 - HKLM\..\Run: [IEDriver] C:\WINNT\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [FPZHU] C:\WINNT\FPZHU.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker "
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Weather] C:\Program Files\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [WeatherAloud] C:\Program Files\WeatherAloud\WeatherAloud.exe –auto

    Part 2 of 2 to follow
     
  7. 2004/06/28
    Eleanor316

    Eleanor316 Well-Known Member Thread Starter

    Hijacked browser 2

    Part 2 of 2

    O4 - HKCU\..\Run: [SurfSecret] C:\Program Files\SurfSecret\Privacy Protector\SS2-TRIAL.exe /min
    O4 - HKCU\..\Run: [Smileycons] C:\Program Files\Smileycons\smileycons.exe
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from= "HXIUL.EXE" -to= "HXIUL.EXE" -run
    O4 - HKCU\..\Run: [2Tray.exe] C:\PROGRA~1\IMAGEC~2\2tray.exe
    O4 - Startup: BlackICE Protection.lnk = C:\Program Files\Black Ice\blackice.exe
    O4 - Startup: c-program files-fastfolder-fastfolder by bb v323-fastfolder.LNK = ?
    O4 - Startup: c-program files-filemap-filemap by bb v301-bootalert.LNK = C:\Program Files\FileMap\FileMap By BB v301\Bootalert.exe
    O4 - Startup: Count Down Timer.lnk = C:\Program Files\Count2\PTCount2.exe
    O4 - Startup: My DSL.lnk = ?
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Startup: SmartBoardXP.lnk = C:\Program Files\Power Toys\SmartBoard XP\SmartBoardXP\Smtbrd32.exe
    O4 - Startup: Update PowerGED.lnk = C:\Program Files\GenNet\PowerGED\WiseUpdt.exe
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Black Ice\blackice.exe
    O4 - Global Startup: BlackICE Utility.lnk = ?
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Popup Eliminator (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
    O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
    O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
    O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.851712963
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/Typography/Utility/1/WXP/EN-US/clearadj.CAB
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesLifestyleDownloaderSigned.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66094A7E-ACEE-4F0C-9A6F-3FACA371C221}: NameServer = 206.13.28.12 206.13.29.12
     
  8. 2004/06/28
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi Eleanor316

    First, please answer the questions being asked so we know what's up :)
    and comment or ask questions on all the suggestions made.

    I suggest this: go do that RAV online with auto fix selected; for now do not trust
    Norton or its affiliated online scans and tools. (I would certainly use them, but also tools if needed from another site too.)
    And also get another from here:
    eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx
    Let the onlines clean, and if they cannot clean, let them delete/quarantine whatever they find. If you'd like, post their reports back here for us.


    If you had problems uninstalling BlackICE, go redownload it
    (disable ZA from starting with Windows) and install again
    (it will need to restart Windows; always follow those prompts), then uninstall it
    and re-enable ZA.

    In Add/Remove Programs, uninstall
    WhenUSave, HelpExpress,
    anything MyWebSearch, MyWay, MyWaySearch.
    Uninstall IEDriver from "Add/Remove Programs" in the Windows Control Panel.
    Look for entries called 'IE Driver', TurboDownload and PopKiller,
    and anything else in there you didn't specifically give the OK to install.

    Open My Computer and right click Local Disk C:, then choose Disk Cleanup. Check all except Compress Old Files and click OK.
    Are you positive everything is updated? CWShredder would have fixed
    all those R1's and R0's if it had been; please re-download another version and run it once more. Remember Internet Explorer needs to be closed when it is run.

    Then come back and make/post a new HijackThis log.
     
  9. 2004/06/29
    Eleanor316

    Eleanor316 Well-Known Member Thread Starter

    Hijacked browser 2

    Part 1 of 5
    >do Rav online with auto fix select<
    Ran Rav with autoclean on
    Scan started at 6/28/2004 3:38:39 PM
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook backup.pst->Attachment.235: "message.scr" - Win32/Netsky.P@mm -> Infected
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook backup.pst->Attachment.324: "birth_doc.zip "->birth_doc.exe - Win32/Netsky.C.dam -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temp\istdnld.exe-TrojanDownloader:Win32/IstBar.AP -> Infected
    C:\Program Files\Black Ice\evd003.enc - Win32/SQLSlammer.worm -> Infected
    C:\Program Files\Black Ice\evd004.enc - Win32/SQLSlammer.worm -> Infected
    C:\Program Files\Black Ice\evd005.enc - Win32/SQLSlammer.worm -> Infected
    C:\Program Files\Black Ice\evd006.enc - Win32/SQLSlammer.worm -> Infected
    C:\Program Files\Black Ice\evd007.enc - Win32/SQLSlammer.worm -> Infected
    C:\Program Files\Black Ice\evd013.enc - Win32/SQLSlammer.worm -> Infected
    C:\Program Files\Black Ice\log027.enc->(part0002:)->(part0000:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\WINNT\system32\AgdW7N.exe - Backdoor:Win32/VB.QQ -> Infected
    C:\WINNT\system32\AxsMO.exe - Backdoor:Win32/VB.QQ -> Infected
    C:\WINNT\system32\BzfZe.exe - Backdoor:Win32/VB.NB -> Infected
    C:\WINNT\system32\Fbf0KHc.exe - Backdoor:Win32/VB.QQ -> Infected
    C:\WINNT\system32\JceK6AX.exe - Backdoor:Win32/VB.NB -> Infected
    C:\WINNT\system32\LixY.exe - Backdoor:Win32/VB.QQ -> Infected
    C:\WINNT\system32\LwcDN77j.exe - Backdoor:Win32/VB.QQ -> Infected
    C:\WINNT\system32\MtzJ63G.exe - Backdoor:Win32/VB.NB -> Infected
    C:\WINNT\system32\WofF5.exe - Backdoor:Win32/VB.QQ -> Infected
    Scanned
    Objects: 122936
    Directories: 9213
    Archives: 11394
    Size(Kb): -1238184
    Infected files: 19
    Found
    Viruses found: 7
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 8174

    As you can see, the so-called infected files were not cleaned.
    Following the RAV scan I ran the Symantec virus removal tools for W32.SQLSlammer.Worm and W32.Netsky.C.dam, which found NO infected files.
    Why would RAV show infected files when Norton hasn't?

    Part 2 of 5 to follow
     
  10. 2004/06/29
    Eleanor316

    Hijacked browser 2

    Part 2 of 5
    >run eTrust AV Web Scanner with autoclean<:
    No infected files were found in this scan

    >If you had problems uninstalling blackice redownload it
    and install again<
    I am unable to re-install Black Ice as my subscription has expired.

    >In Add/Remove Programs uninstall WhenUSave, HelpExpress,
    anything MyWebSearch, MyWay, MyWaySearch. Uninstall IEDriver from "Add/Remove Programs" in the Windows Control Panel. Look for entries called 'IE Driver', TurboDownload and PopKiller and anything else in there you didn't specifically give the OK to install.<
    None of these programs appeared in Add/Remove Programs. I had followed noahdfear's instructions to go to msconfig and check any items I was unsure about. All the programs listed above had been removed with the Spybot 1.3 scan or AdAware 6 updated to 6-27-04, but still remain in the msconfig startup menu.

    BTW, every time I run Spybot it finds DSO exploit and IgetNet even though Spybot was set to fix them. I understand from elsewhere on the web that these two cannot currently be fixed by Spybot. Could they be causing my problem?

    I also ran Spy Sweeper v2 and found a large number of adware that hadn't been found by either Adaware or Spybot. These were removed. I'm wondering why they showed up only with Spy Sweeper and not on either Adaware or Spybot?

    >Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all
    except compress old files and Click OK.<
    Done


    >are you positive everything is updated<
    I am ABSOLUTELY SURE that NAV is updated. I use Intelligent updater almost daily. Spybot and Adaware are also updated whenever available. All critical Windows updates have been installed as well.

    >CWShredder would have fixed<
    CW Shredder has been run multiple times and has never found a problem.

    Part 3 of 5 to follow
     
  11. 2004/06/29
    Eleanor316

    Hijacked browser 2

    Part 3 of 5
    Logfile of HijackThis v1.97.7
    Scan saved at 6:01:58 PM, on 6/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ZoneAlarm\zlclient.exe
    C:\Program Files\WeatherBug\Weather.exe
    C:\WINNT\System32\MDM.EXE
    C:\WINNT\System32\drivers\CDAC11BA.EXE
    C:\WINNT\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\fxssvc.exe
    C:\WINNT\system32\cidaemon.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\HijackThis\Install.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.contracostatimes.com/mld/cctimes
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bayarea.com/mld/cctimes/
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {79FCC22A-DA76-44FF-A4C0-CE6AE72CF911} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [Weather] C:\Program Files\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: My DSL.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab

    Part 4 of 5 to follow
     
  12. 2004/06/29
    Eleanor316

    Hijacked browser 2

    Part 4 of 5
    O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
    O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
    O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
    Part 5 of 5 to follow
     
  13. 2004/06/29
    Eleanor316

    Hijacked browser 2

    Part 5 of 5
    http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.851712963
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/Typography/Utility/1/WXP/EN-US/clearadj.CAB
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesLifestyleDownloaderSigned.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66094A7E-ACEE-4F0C-9A6F-3FACA371C221}: NameServer = 206.13.28.12 206.13.29.12

    End of post - Hijacked browser 2
     
  14. 2004/06/29
    Newt

    Eleanor316 - I know you have had a lot of 'do this, do that' stuff thrown at you. Maybe I've overlooked the results but did you run the piece quoted above that Dave asked for?

    Also, it would still be helpful for a few of these things to know what role this machine plays and on what size network.
     
  15. 2004/06/29
    Eleanor316

    Hijacked browser 2

    Newt:
    This is my personal computer, not on a network
    Windows XP HE
    NTFS
    38 GB HD
    256 MB RAM

    This is what I got after typing javascript:navigator.userAgent into the address field.

    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {9EF75919-C517-4FAF-9E57-0866ABC92917}; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"

    Anything else you need to know to help me?

    I consider myself an intermediate PC user. First learned with DOS in 1987.
    Currently I tutor and troubleshoot in my retirement community.
    This problem really has me stumped. Haven't the foggiest notion how it happened. Eager for a solution.
     
  16. 2004/06/29
    Newt

    I know the result you got isn't a good thing but that's as far as I go with it. Security as it is done here is normally beyond me.

    A clean system should give you something like
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    when you run that string. The extra stuff indicates something bad got you but I'm betting you already knew that. :eek:

    These items are, as I noted way back in this thread, legit on some systems but almost certainly not needed on yours. I'd suggest stopping them and seeing if any problems arise. I really think they are just chewing up resources and at least the first one probably loaded as a by-product of something you installed or set up.

    C:\WINNT\System32\tcpsvcs.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

    Also, the faxing bit will depend on how you use the PC but
    C:\WINNT\system32\fxssvc.exe
    appears to be autorunning whenever you start and that isn't needed. Required to do faxing but otherwise it's a major hog.

    tcpsvcs.exe & fxssvc.exe will show up in your list of running services so start~run~services.msc and locate each of them (probably not those names but you can right-click and check properties for any running service and it should show you the .exe). When you have them located, right-click again and click Stop then back into properties and set each to manual start.

    Not sure about specifics for stopping the Lanovation piece but if no one has posted a how-to by tomorrow I'll research some more.

    As I said, these are not any sort of malware but are things you don't need to have taking up your PC's resources when they probably won't be offering any benefit.

    One of the security gurus will deal with the rest of the issues.

    You know, I'm getting old enough to retire. Just too broke. Ah well. :D
     
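    To make the user-agent check Newt describes above repeatable, here is an added Python example (not code from this thread or from any tool mentioned in it). It splits the parenthesised comment of an IE user-agent string into its ';'-separated tokens, accepts the tokens IE 6 on XP writes itself (that allowlist is an assumption for the example), and flags anything else, singling out a braced GUID, which is the shape the VX2/BetterInternet "guardian key" takes. The two strings it runs over are the ones quoted in this thread.

```python
import re

# Tokens IE 6 on XP legitimately places inside the UA comment. Assumption for
# this example: treat these as the allowlist; extend it for other IE/.NET builds.
KNOWN_TOKEN_PATTERNS = [
    r"compatible",
    r"MSIE \d+(\.\d+)?",
    r"Windows NT \d+(\.\d+)?",
    r"SV1",                       # added by XP SP2
    r"\.NET CLR \d+(\.\d+)*",
]
# A bare or braced GUID, the shape of the VX2/BetterInternet "guardian key".
GUID_RE = re.compile(r"\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")


def parse_ua_tokens(ua):
    """Return the ';'-separated tokens inside the parenthesised UA comment."""
    m = re.search(r"\((.*)\)", ua)
    if not m:
        return []
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def suspicious_ua_tokens(ua):
    """Return (token, reason) pairs for every token not on the allowlist."""
    flagged = []
    for tok in parse_ua_tokens(ua):
        if any(re.fullmatch(p, tok) for p in KNOWN_TOKEN_PATTERNS):
            continue
        if GUID_RE.fullmatch(tok):
            flagged.append((tok, "GUID token: typical of a VX2/BetterInternet guardian key"))
        else:
            flagged.append((tok, "token not in the allowlist; check the Post Platform registry values"))
    return flagged


# Sample input: the two strings quoted in this thread.
UA_FROM_THREAD = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; "
                  "{9EF75919-C517-4FAF-9E57-0866ABC92917}; .NET CLR 1.0.3705; .NET CLR 1.1.4322)")
UA_CLEAN = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

if __name__ == "__main__":
    for ua in (UA_FROM_THREAD, UA_CLEAN):
        print(ua)
        for tok, why in suspicious_ua_tokens(ua):
            print("  FLAG", tok, "->", why)
```

    IE builds that comment from the value names under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform (and the HKCU equivalent), so a flagged token is the name of a value to look for and delete there; HijackThis 1.97/1.98 does not list that key, which is why the javascript:navigator.userAgent check catches something the log does not.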
  17. 2004/06/29
    Eleanor316

    Hijacked browser 2

    Newt,
    >The extra stuff indicates something bad got you but I'm betting you already knew that.<
    Oh yeah, that’s why I’ve spent so much time on this BBS lately.

    >C:\WINNT\system32\fxssvc.exe<
    I did set this one to manual.

    Lack of resources really isn’t a problem for me. When I initially boot up my free RAM is at around 90%, so I’m not going to stop anything else.

    Thanks for your input. Hopefully either Lonny or noahdfear will respond to my last (long) post.
     
  18. 2004/06/30
    noahdfear

    Hi Eleanor316 :)

    It looks as though you have again unchecked the items in msconfig. Recheck them and reboot. Scan again with HJT and place a check next to the following entries. Close ALL other windows and click fix. I have compared the logs with items checked and unchecked and have included everything you unchecked to be fixed. They are but autorun entries anyway and the programs can be run manually. Should you decide to again autorun any of them, open HJT and click config, then backup and restore the entry you want.

    O3 - Toolbar: (no name) - {79FCC22A-DA76-44FF-A4C0-CE6AE72CF911} - (no file)
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [Si Meter] C:\PROGRA~1\SIMETE~1\SiMeter.exe
    O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [My Search Bar Eq] "C:\Program Files\MySearch\bar\s4bareq.exe" /r
    O4 - HKLM\..\Run: [msbb] C:\Program Files\n-CASE\msbb.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Inet Delivery] C:\Program Files\Inet Delivery\intdel_2.exe
    O4 - HKLM\..\Run: [IEDriver] C:\WINNT\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [FPZHU] C:\WINNT\FPZHU.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker "
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKCU\..\Run: [WeatherAloud] C:\Program Files\WeatherAloud\WeatherAloud.exe -auto
    O4 - HKCU\..\Run: [SurfSecret] C:\Program Files\SurfSecret\Privacy Protector\SS2-TRIAL.exe /min
    O4 - HKCU\..\Run: [Smileycons] C:\Program Files\Smileycons\smileycons.exe
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from= "HXIUL.EXE" -to= "HXIUL.EXE" -run
    O4 - HKCU\..\Run: [2Tray.exe] C:\PROGRA~1\IMAGEC~2\2tray.exe
    O4 - Startup: BlackICE Protection.lnk = C:\Program Files\Black Ice\blackice.exe
    O4 - Startup: c-program files-fastfolder-fastfolder by bb v323-fastfolder.LNK = ?
    O4 - Startup: c-program files-filemap-filemap by bb v301-bootalert.LNK = C:\Program Files\FileMap\FileMap By BB v301\Bootalert.exe
    O4 - Startup: Count Down Timer.lnk = C:\Program Files\Count2\PTCount2.exe
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Startup: SmartBoardXP.lnk = C:\Program Files\Power Toys\SmartBoard XP\SmartBoardXP\Smtbrd32.exe
    O4 - Startup: Update PowerGED.lnk = C:\Program Files\GenNet\PowerGED\WiseUpdt.exe
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Black Ice\blackice.exe
    O4 - Global Startup: BlackICE Utility.lnk = ?
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE


    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode.

    Now in safe mode, you will need to show hidden files and folders.

    Open C:\Program Files and delete the folder Black Ice and any others related to the above entries that are present and that you do not want, such as:

    Save
    Media
    SiMeter???
    Not sure what this is.
    SuperBar
    Power Scan
    MyWebSearch
    n-CASE
    ISTsvc
    Inet Delivery
    EbatesMoeMoneyMaker
    ClearSearch
    AutoUpdater



    Open C:\WINNT and delete the files uptodate.exe and FPZHU.exe.

    Open C:\WINNT\system32 and delete the following files and folders if present.

    AgdW7N.exe
    AxsMO.exe
    BzfZe.exe
    Fbf0KHc.exe
    JceK6AX.exe
    LixY.exe
    LwcDN77j.exe
    MtzJ63G.exe
    WofF5.exe



    Suggest you also get rid of these files.

    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook backup.pst->Attachment.235: "message.scr " - Win32/Netsky.P@mm -> Infected
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook backup.pst->Attachment.324: "birth_doc.zip "->birth_doc.exe - Win32/Netsky.C.dam -> Infected

    It wouldn't hurt anything to go to C:\WINNT\Downloaded Program Files, select all and delete. They are all ActiveX controls placed there by various programs, that allow them to run/install/update, and will be reinstalled whenever needed. Many of them will never be used again anyway. (it will shorten your log too :rolleyes: )

    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, scan again with RAV.

    Then, download VX2Finder from this link:

    http://www.downloads.subratam.org/VX2Finder.exe


    Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

    Copy and paste the contents of the log into your next reply here, along with a new HijackThis log and RAV report.

    PS. The reason RAV may identify a virus when Norton doesn't is the same as Ad-aware finding things Spybot doesn't. They all have a different set of reference files. ;)
     
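    The triage noahdfear does by hand above (hosts overrides, orphaned toolbar CLSIDs, autoruns pointing at odd locations, ActiveX controls from unknown sites, unexpected DNS servers) can be scripted. The following is an added Python example, not code from this thread or from HijackThis; it parses the O1/O3/O4/O16/O17 line formats and reports a finding with a reason for each entry that fails a rule. The sample lines are copied from the logs posted in this thread; the trusted-directory list, the trusted ActiveX hosts and the expected DNS set are assumptions for the example and would be tuned per machine.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "section detail reason")

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-rooted path ending in a PE extension; stops at quotes and commas.
PATH_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.(?:exe|dll|sys|ocx))', re.I)

# Assumptions for this example: autorun locations accepted without review,
# and hosts accepted as sources of downloaded ActiveX controls (O16).
TRUSTED_DIRS = (
    r"c:\program files\common files\symantec shared",
    r"c:\program files\norton antivirus",
    r"c:\program files\zonealarm",
    r"c:\program files\roxio",
)
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com", "symantec.com")


def _under_trusted_dir(path):
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def _host_trusted(url):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):      # hcp://, file:// etc. get reviewed
        return False
    host = parts.hostname or ""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(log_text, expected_dns=frozenset()):
    """Return a list of Finding for HijackThis lines that fail a triage rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O1 - Hosts:"):
            findings.append(Finding("O1", line[len("O1 - Hosts:"):].strip(),
                                    "HOSTS override; names like 'ieautosearch' redirect IE searches"))
        elif line.startswith("O3 - Toolbar:"):
            if line.endswith("(no file)"):
                findings.append(Finding("O3", line, "toolbar CLSID registered but its file is gone (orphan)"))
        elif line.startswith("O4 - "):
            m = re.match(r"O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)", line)
            if not m:
                continue
            name, cmd = m.group("name") or "", m.group("cmd")
            reasons = []
            if GUID_RE.fullmatch(name):
                reasons.append("GUID-named Run value")
            if cmd.lower().startswith("rundll32"):
                reasons.append("rundll32 loading a DLL at logon")
            pm = PATH_RE.search(cmd)
            if pm is None:
                reasons.append("no resolvable executable path")
            elif not _under_trusted_dir(pm.group(1)):
                reasons.append("executable outside trusted directories: " + pm.group(1))
            if reasons:
                findings.append(Finding("O4", line, "; ".join(reasons)))
        elif line.startswith("O16 - DPF:"):
            url = line.rsplit(" - ", 1)[-1].strip()
            if not _host_trusted(url):
                findings.append(Finding("O16", url, "downloaded ActiveX control from an untrusted source"))
        elif line.startswith("O17 - "):
            ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", line.split("=", 1)[-1])
            unexpected = [ip for ip in ips if ip not in expected_dns]
            if unexpected:
                findings.append(Finding("O17", " ".join(unexpected),
                                        "DNS servers not in the expected set; confirm with the ISP"))
    return findings


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {79FCC22A-DA76-44FF-A4C0-CE6AE72CF911} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IEDriver] C:\WINNT\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [FPZHU] C:\WINNT\FPZHU.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
O4 - Startup: My DSL.lnk = ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66094A7E-ACEE-4F0C-9A6F-3FACA371C221}: NameServer = 206.13.28.12 206.13.29.12
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", f.reason, "|", f.detail)
```

    The rules are deliberately default-deny: an O4 entry is reported unless its executable lives under a directory you have vouched for, and an O16 control is reported unless its host is on the list. That is the same posture as the "anything you didn't specifically give the OK to install" advice earlier in the thread, and it is why a vendor's own updater shows up alongside the real junk; the point is that every line gets looked at once, not that every finding is malware.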
  19. 2004/07/01
    Eleanor316

    Hijacked browser 2

    Part 1 of 3
    Hi noahdfear:
    Just a few comments before I post the logs you requested.

    I have lost my Quick Launch bar. Checked it in Taskbar and Start Menu Properties, but when I attempt to launch it through Toolbars I get the message "Cannot create toolbar." How do I get it back?

    Read in the paper today about the MS flaw. Wondering why we had to find it out from "the federal government cyberdefense experts" (quote from NewsDay) and not directly from Microsoft. My Norton log shows I'm protected from the JS.Scob trojan, but wonder if this business with the hijacked browser could be related to the same MS flaw.

    Should I switch to Netscape or some other web browser?

    Now to my ‘assignment’

    I ran HJT and checked all the entries you recommended, and fixed them.

    I did all of the following:
    >Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.
    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode.
    Now in safe mode, you will need to show hidden files and folders.
    Open C:\Program Files and delete the folder Black Ice and any others related to the above entries, that you do not want, that are present, such as;<

    However, the following folders did not exist in C:\Program files even though it was set
    to show hidden files and folders
    >Save
    Media
    SiMeter??? Not sure what this is.
    SuperBar
    Power Scan
    MyWebSearch
    n-CASE
    ISTsvc
    Inet Delivery
    EbatesMoeMoneyMaker
    ClearSearch
    AutoUpdater<

    I could not find:
    >Open C:\WINNT and delete the files uptodate.exe and FPZHU.exe.
    Open C:\WINNT\system32 and delete the following files and folders if present.
    AgdW7N.exe
    AxsMO.exe
    BzfZe.exe
    Fbf0KHc.exe
    JceK6AX.exe
    LixY.exe
    LwcDN77j.exe
    MtzJ63G.exe
    WofF5.exe<

    I could not delete the following files as I could not separate them from the outlook backup.pst file without deleting all my personal file folders.
    >C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook backup.pst->Attachment.235: "message.scr" - Win32/Netsky.P@mm -> Infected
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook backup.pst->Attachment.324: "birth_doc.zip "->birth_doc.exe - Win32/Netsky.C.dam -> Infected<

    I followed the rest of your suggestions.
    Following is the Rav file:
    Scan started at 6/30/2004 10:13:28 PM
    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook backup.pst->Attachment.511: "message.scr" - Win32/Netsky.P@mm -> Infected
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook backup.pst->Attachment.600: "birth_doc.zip "->birth_doc.exe - Win32/Netsky.C.dam -> Infected
    C:\WINNT\system32\AgdW7N.exe - Backdoor:Win32/VB.QQ -> Infected
    C:\WINNT\system32\AxsMO.exe - Backdoor:Win32/VB.QQ -> Infected
    C:\WINNT\system32\BzfZe.exe - Backdoor:Win32/VB.NB -> Infected
    C:\WINNT\system32\Fbf0KHc.exe - Backdoor:Win32/VB.QQ -> Infected
    C:\WINNT\system32\JceK6AX.exe - Backdoor:Win32/VB.NB -> Infected
    C:\WINNT\system32\LixY.exe - Backdoor:Win32/VB.QQ -> Infected
    C:\WINNT\system32\LwcDN77j.exe - Backdoor:Win32/VB.QQ -> Infected
    C:\WINNT\system32\MtzJ63G.exe - Backdoor:Win32/VB.NB -> Infected
    C:\WINNT\system32\WofF5.exe - Backdoor:Win32/VB.QQ -> Infected
    Scanned
    Objects: 81786
    Directories: 8728
    Archives: 11333
    Size(Kb): -1616228
    Infected files: 11
    Found
    Viruses found: 4
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 1694

    Log for VX2.BetterInternet File Finder
    Files Found---
    C:\WINNT\System32\6ao4svc.dll
    C:\WINNT\System32\6bo4svc.dll
    C:\WINNT\System32\6co4svc.dll
    C:\WINNT\System32\6eo4svc.dll
    C:\WINNT\System32\6fo4svc.dll
    C:\WINNT\System32\6go4svc.dll
    C:\WINNT\System32\6io4svc.dll
    C:\WINNT\System32\6jo4svc.dll
    C:\WINNT\System32\6lo4svc.dll
    C:\WINNT\System32\6mo4svc.dll
    C:\WINNT\System32\6no4svc.dll
    C:\WINNT\System32\6oo4svc.dll
    C:\WINNT\System32\6po4svc.dll
    C:\WINNT\System32\6qo4svc.dll
    C:\WINNT\System32\6ro4svc.dll
    C:\WINNT\System32\6so4svc.dll
    C:\WINNT\System32\6vo4svc.dll
    C:\WINNT\System32\6wo4svc.dll
    C:\WINNT\System32\6yo4svc.dll
    C:\WINNT\System32\6zo4svc.dll
    C:\WINNT\System32\afsnt.dll
    C:\WINNT\System32\ajmparse.dll
    Guardian Key--- is called:
    User Agent String---
    {9EF75919-C517-4FAF-9E57-0866ABC92917}

    End of Part 1 of 3
     
  20. 2004/07/01
    Eleanor316

    Hijacked browser 2

    Part 2 of 3

    Logfile of HijackThis v1.98.0
    Scan saved at 11:51:40 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.contracostatimes.com/mld/cctimes
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bayarea.com/mld/cctimes/
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Weather] C:\Program Files\WeatherBug\Weather.exe 1
    O4 - Startup: Directcd.lnk = C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
    O4 - Startup: My DSL.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

    End of Part 2 of 3
     
  21. 2004/07/01
    Eleanor316

    Hijacked browser 2

    Part 3 of 3

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66094A7E-ACEE-4F0C-9A6F-3FACA371C221}: NameServer = 206.13.28.12 206.13.29.12

    End of Part 3 of 3

    In the meantime, my browser is still hijacked and I am very frustrated.
     