Hey Really the only thing i can see is: C:\Program Files\Symantec AntiVirus CE 9.0.1\VPC32.EXE Tick that and remove. Apart from that, looks pretty good. CJC
cjc, even though it says C:\Program Files\Symantec AntiVirus CE 9.0.1\VPC32.EXE on my log, i can't seem to find it to tick off on the actual program. do you know why this is or what i can do?
Hey You dont need to go into the Program to take the 'Tick' out or put the tick in. Open up HiJackThis and in the list, put a tick in the box at the beginning of the name then click on Fixed Selected. CJC
Having a quick look, here is what looks like the problem. When i first opened this thread, i got a notification about the HTML containing BloodHound and when i went to reply, the same thing. Have you ran Adaware, Spybot and Housecall yet ? C:\WINDOWS\iau.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\iau.exe O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\iau.exe O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.189.120/winsearchie32.chm::/winse archie32.exe CJC
Hi CJC. thanks for the quick response. Yes, I have run ad-aware and spybot several times. spybot keep finding DSO exploits so I ran it a few times until I learned that they are false positives. I ran housecall once and it found and removed two trojans.
Hi CJC I fixed the 6 files you suggested plus the two ROs listed and ran both ad-aware and spybot again. I am not sure what to do with the C:\WINDOWS\iau.exe
Just found this page when I did a search on that file http://securityresponse.symantec.com/avcenter/venc/data/adware.easysearch.html
First run HJT and remove the iau.exe then fix selected, now If u do what that page says, you should get rid of that, restart your computer and run HJT again and see if its still there, if not, you are pretty clean by the looks of it. If you are unsure, re-post a clean log after you have done all this. CJC
Thanks CJC pointing out that iau.exe file really did the trick. I followed the directions in that norton fix and that did the trick. scanned norton in safe mode and it found the bloodhound. Only had to edit the last file in the registry because of the fixes I made after the HJT scan I think and I'm good now. WOOO HOOO!!! thanks so much for the help I know where to come now if I run in to any more problems. Have a nice holiday CJC!!!!!!!! Peace, Doc
HELP!!!!!!!!!!! Calling CJC what the heck happened? I came back to thank you and the norton alert came back on again for the bloodhound and I got the same problem all over again. I edited out my log and that stopped the message from coming back up. I repeated the steps that I thought fixed the problem and this time norton didnt find anything. how bizarre. I am going to run HJT again and fix the ones you suggested. any idea what happened?
Here is my newest scan Logfile of HijackThis v1.98.2 Scan saved at 9:22:25 PM, on 12/11/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe c:\Program Files\Norton AntiVirus\navapsvc.exe c:\Program Files\Norton Personal Firewall\NISUM.EXE C:\Program Files\Softex\OmniPass\Omniserv.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\Program Files\Softex\OmniPass\OPXPApp.exe c:\Program Files\Norton Personal Firewall\ccPxySvc.exe C:\WINDOWS\Explorer.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe C:\Program Files\HP\HP Software Update\HPWuSchd.exe C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\AOL\ACS\AOLDial.exe C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe C:\WINDOWS\system32\igfxtray.exe C:\Program Files\The Cleaner\tca.exe C:\Program Files\The Cleaner\tcm.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spyware Doctor\swdoctor.exe C:\PROGRA~1\AIM\aim.exe C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE C:\Program Files\America Online 9.0\aoltray.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe C:\WINDOWS\FSScrCtl.exe C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\Program Files\America Online 9.0\waol.exe C:\Program Files\America Online 9.0\shellmon.exe C:\Program Files\Common Files\Aol\aoltpspd.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.othersearch.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.othersearch.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Search toolbar - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1 O4 - Startup: HP Organize.lnk = ? O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Event Reminder.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Norton Personal Firewall.lnk = C:\Program Files\Norton Personal Firewall\nisfirst.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Corel Network monitor worker - {E1D10B6C-B7F4-4B78-A950-919579A94B99} - (no file) O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {E1D10B6C-B7F4-4B78-A950-919579A94B99} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) O9 - Extra button: Corel Network monitor worker - {E1D10B6C-B7F4-4B78-A950-919579A94B99} - (no file) (HKCU) O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {E1D10B6C-B7F4-4B78-A950-919579A94B99} - (no file) (HKCU) O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{E53F52B0-0BFB-48D6-AC43-26728D791808}: NameServer = 205.188.146.146
Hey Glad you got it sorted the first time. I get the same message i have got the Bloodhound Exploit when i open this thread, so obviously its attached to this thread, ill get somebody to check that out. But basically its nothing to worry about, i have checked my system over and it looks ok, so it should be ok. As for the log, it looks pretty clean from what i can see. Have a nice holiday CJC
Yeah, I went back and edited out my first log. That seemed to stop the message for some reason (is that possible?)but I started having the same problem after that. I ran norton again in safe mode and checked the registry and didnt see anything. still getting the same problem. you see in the log the othersearch.com page? that is the page that keeps hi-jacking my IE homepage. I ran norton in safe mode a second time and it found a bloodhound. checked the registry like they recommended and again found nothing. please check one more scan and let me know what you think I need to do. I was able to delete the iau.exe file though.
Logfile of HijackThis v1.98.2 Scan saved at 7:54:37 AM, on 12/12/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe c:\Program Files\Norton AntiVirus\navapsvc.exe c:\Program Files\Norton Personal Firewall\NISUM.EXE C:\Program Files\Softex\OmniPass\Omniserv.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe c:\Program Files\Norton Personal Firewall\ccPxySvc.exe C:\Program Files\Softex\OmniPass\OPXPApp.exe C:\WINDOWS\Explorer.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe C:\Program Files\HP\HP Software Update\HPWuSchd.exe C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\AOL\ACS\AOLDial.exe C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe C:\WINDOWS\system32\igfxtray.exe C:\Program Files\The Cleaner\tca.exe C:\Program Files\The Cleaner\tcm.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spyware Doctor\swdoctor.exe C:\PROGRA~1\AIM\aim.exe C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE C:\Program Files\America Online 9.0\aoltray.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\WINDOWS\FSScrCtl.exe C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe C:\Program Files\America Online 9.0\waol.exe C:\Program Files\America Online 9.0\shellmon.exe C:\Program Files\Common Files\Aol\aoltpspd.exe C:\WINDOWS\notepad.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.othersearch.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.othersearch.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Search toolbar - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1 O4 - Startup: HP Organize.lnk = ? O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Event Reminder.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Corel Network monitor worker - {E1D10B6C-B7F4-4B78-A950-919579A94B99} - (no file) O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {E1D10B6C-B7F4-4B78-A950-919579A94B99} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) O9 - Extra button: Corel Network monitor worker - {E1D10B6C-B7F4-4B78-A950-919579A94B99} - (no file) (HKCU) O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {E1D10B6C-B7F4-4B78-A950-919579A94B99} - (no file) (HKCU) O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{E53F52B0-0BFB-48D6-AC43-26728D791808}: NameServer = 205.188.146.146
now I am getting that bloodhound alert message since posting the new log...weird. I am thinking that I got rid of the bloodhound. I stillhave the homepage hijacking problem but I am not getting flooded with adware now like before. I found this page http://research.pestpatrol.com/HowTo/How_To_Clear_a_Hijack.asp maybe that is my problem now. oh my. what a crazy few days.
well..that didnt work. I edited the registry and it came right back going to try this next http://www.cexx.org/hphijack.htm at least the bloodhound problem is gone.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.othersearch.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.othersearch.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll O3 - Toolbar: Search toolbar - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe Ok remove those. Once thats done, go into Internet Explorer then set your homepage. Restart your computer and see if your homepage is still there. CJC
YAAAY!!!!! That worked. I logged off and on about 10 times and the homepage stayed. Before it got hijacked after 3 or 4 times. Is this nightmare really over? I sure hope. here is another HJT log...clean? I got a few things starting at startup like a weather bug and the HP info center and the AIM I would like to stop. just edit those out too? I also got a error coming up on start up, something about a module missing for wild tangent not sure what that is. hahaha aint computers crazy?
