
Is there a way to disable IE from connecting?

So recently I've gotten infected with a virus or am having a really bad case of spyware. I've been using Mozilla for a year, but since it doesn't work for 100% of the applications I need it to (like my college grades!) I still need to rely on IE. But since I get so many pop-ups, I'm hoping I can just disable IE from connecting until I reprompt it to. Anyone know if this is possible and please explain how to do it. Spybot, Norton, AdAware, and HijackThis (if I could ever figure out how to use it) haven't really helped the problem. Thanks.
 
Can you tell more details about what Spybot, Ad-Aware, Norton and HJT find when they scan? Names of the stuff? Look in Norton > Reports > Quarantine and also Activity Logs (I think that's what it's called) and see what it's detecting, by name.
 
Here's my HijackThis log... which I am at a loss to figure out what is unnecessary and what is. Sorry it's so long.

Logfile of HijackThis v1.97.7
Scan saved at 1:32:05 AM, on 12/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\rqpgewn.exe
C:\WINDOWS\system32\gearsec.exe
C:\documents and settings\owner\local settings\temp\St.exe
C:\Program Files\ANTIVIRUS SPYWARE\Norton Antivirus\navapsvc.exe
C:\documents and settings\owner\local settings\temp\OznHfdC.exe
C:\WINDOWS\System32\ati3d2ag.exe
C:\Program Files\ANTIVIRUS SPYWARE\Norton Antivirus\AdvTools\NPROTECT.EXE
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AIM95\AIM9513036test\aim.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\??plorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\Program Files\USEFUL PROGRAMS\Ultra Mon\UltraMon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\OttnN3R.exe
C:\WINDOWS\System32\Dzg0p5.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\UTILITIES\TuneUp Utilities\Integrator.exe
C:\Program Files\UTILITIES\TuneUp Utilities\DiskCleaner.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://psdsei.t.rack.cc/sp.php (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://psdsei.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://psdsei.t.rack.cc/sp.php (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://psdsei.t.rack.cc/hp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://psdsei.t.rack.cc/sp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://psdsei.t.rack.cc/sp.php (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://psdsei.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://psdsei.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://psdsei.t.rack.cc/hp.php (obfuscated)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\ANTIVIRUS SPYWARE\Norton Antivirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\3VkGw1V2A.dll
O2 - BHO: (no name) - {EBC8FC76-609F-1916-E859-3B76676C56C2} - C:\WINDOWS\System32\ica.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\ANTIVIRUS SPYWARE\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTIVI~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [Zsc8Fh4Fe] C:\WINDOWS\rqpgewn.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [St] C:\documents and settings\owner\local settings\temp\St.exe
O4 - HKLM\..\Run: [¢?¸K0¨4W
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rqpgewn.exe
O4 - HKLM\..\Run: [OznHfdC] C:\documents and settings\owner\local settings\temp\OznHfdC.exe
O4 - HKLM\..\Run: [e4bcfefd6914] C:\WINDOWS\System32\ati3d2ag.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\UluCub.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [¢?¸K0¨4W
}ïÁzî?aaøC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rqpgewn.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\AIM9513036test\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Kynoot] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\MEDIA\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\USEFUL PROGRAMS\Ultra Mon\UltraMon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Run WinHTTrack (HKLM)
O9 - Extra 'Tools' menuitem: Launch WinHTTrack (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/...cAdv.cab?1091891984156
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/...901338C922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/15...QuickTimeInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.micros...l.CAB?37900.3281828704
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/downloa...suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com...cabs/flash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/...549BE2704/clearadj.cab
 
I see you are using an outdated version of HJT. Can you go ahead and grab the current version from here (a Zip file).

Edit: also, out of curiosity, what exact version of Norton Antivirus do you use?

If it were me, I'd nuke the Windows installation and start fresh. I made a page with suggestions for securing your new Windows installation. Look at the Ongoing prevention suggestions. Follow them all and you are going to make life very hard for spyware to install accidentally or behind your back. If you insist on installing what you call "Useful Programs" then you may still let the demons out of the box yourself, however.

It's not easy to persuade people to actually run a Limited account as their daily driver (oh dear, that wouldn't be convenient :roll: ), but I urge you to take that step and at least try it out. No, you won't be able to install stuff without right-clicking it and choosing Run As... and using an Admin-class account's credentials. But neither will a virus/malware/spyware that's hijacked your account. 🙂 ~ ah so, grasshoppah...
 
Originally posted by: mechBgon

It's not easy to persuade people to actually run a Limited account as their daily driver (oh dear, that wouldn't be convenient :roll: ), but I urge you to take that step and at least try it out. No, you won't be able to install stuff without right-clicking it and choosing Run As... and using an Admin-class account's credentials. But neither will a virus/malware/spyware that's hijacked your account. 🙂 ~ ah so, grasshoppah...

lol... sometimes you can't even do the run as.. just gotta switch user names... BUT IT DOES WORK!!!!!!

I cannot stress it any more than that... my friend was constantly getting a virus (even after I reformatted); she constantly got spyware and a whole rack of crap. Switched it over to a limited account and I haven't heard from her since.
 
Hello delussional77,

Before you do anything
1. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

Fix the following in HijackThis (kill the process in process viewer, if it's there):
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://psdsei.t.rack.cc/sp.php (obfuscated)
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://psdsei.t.rack.cc/hp.php (obfuscated)
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://psdsei.t.rack.cc/sp.php (obfuscated)
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://psdsei.t.rack.cc/hp.php (obfuscated)
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://psdsei.t.rack.cc/sp.php (obfuscated)
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://psdsei.t.rack.cc/sp.php (obfuscated)
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://psdsei.t.rack.cc/sp.php (obfuscated)
  • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://psdsei.t.rack.cc/hp.php (obfuscated)
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://psdsei.t.rack.cc/hp.php (obfuscated)
  • R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
  • R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
  • R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
  • F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
  • O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
  • O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - (no file)
  • O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
  • O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
  • O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\3VkGw1V2A.dll
  • O2 - BHO: (no name) - {EBC8FC76-609F-1916-E859-3B76676C56C2} - C:\WINDOWS\System32\ica.dll
  • O3 - Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
  • O4 - HKLM\..\Run: [sys] regedit -s sys.reg
  • O4 - HKLM\..\Run: [Zsc8Fh4Fe] C:\WINDOWS\rqpgewn.exe
  • O4 - HKLM\..\Run: [St] C:\documents and settings\owner\local settings\temp\St.exe
  • O4 - HKLM\..\Run: [¢?¸K0¨4W
    }ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rqpgewn.exe
  • O4 - HKLM\..\Run: [OznHfdC] C:\documents and settings\owner\local settings\temp\OznHfdC.exe
  • O4 - HKLM\..\Run: [e4bcfefd6914] C:\WINDOWS\System32\ati3d2ag.exe
  • O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\UluCub.exe
  • O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
  • O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
  • O4 - HKLM\..\Run: [¢?¸K0¨4W
    }ïÁzî?aaøC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rqpgewn.exe
  • O4 - HKCU\..\Run: [Kynoot] C:\WINDOWS\System32\??plorer.exe
  • O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
  • O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
  • O9 - Extra button: WeatherBug (HKCU)
  • O10 - Broken Internet access because of LSP provider 'lsp.dll' missing

Additional Steps

1. Clear your Temporary Files
2. Remove the following via the instructions provided:
  • TV Media
3. Restart into normal Windows

Notes

  • 1. Repost a new log using V1.98 of HJT
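
As an added example (not part of the original thread and not HijackThis's own logic), this Python script parses HijackThis-style lines and flags entries for manual review. The heuristics and the `USER_WRITABLE` list are assumptions chosen for illustration; the sample lines are a subset of the log posted above.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread (subset).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://psdsei.t.rack.cc/hp.php (obfuscated)
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\ANTIVIRUS SPYWARE\Norton Antivirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\3VkGw1V2A.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [St] C:\documents and settings\owner\local settings\temp\St.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
"""

# A log entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Captures anything that follows explorer.exe in the Shell= value.
SHELL_RE = re.compile(r"Shell=\s*explorer\.exe\s*(.*)$", re.IGNORECASE)
# Directories a non-admin user can write to (assumed list for this example).
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\")


def parse_entries(text):
    """Return (code, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def reasons_for(code, body):
    """Heuristic reasons an entry deserves manual review (not a malware verdict)."""
    low = body.lower()
    reasons = []
    if code in ("R0", "R1") and low.endswith("(obfuscated)"):
        reasons.append("IE start/search URL stored in obfuscated form")
    if code == "F2":
        m = SHELL_RE.search(body)
        if m and m.group(1).strip(" ,"):
            reasons.append("extra program appended to Shell=")
    if code in ("R3", "O2", "O3") and low.endswith("(no file)"):
        reasons.append("COM registration points at a missing file")
    if code in ("O2", "O3", "O4") and any(d in low for d in USER_WRITABLE):
        reasons.append("loads from a user-writable directory")
    if code == "O10":
        reasons.append("Winsock LSP chain is broken")
    return reasons


def triage(text):
    """Map each flagged entry to its list of review reasons."""
    flagged = {}
    for code, body in parse_entries(text):
        why = reasons_for(code, body)
        if why:
            flagged[f"{code} - {body}"] = why
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(f"[review] {entry}\n         -> {'; '.join(why)}")
```

Entries that match no rule (here the Norton BHO and `ccApp`) are simply not flagged; that is not a statement that they are clean.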
 
lol... sometimes you can't even do the run as.. just gotta switch user names... BUT IT DOES WORK!!!!!!
Incidentally, if Run As doesn't work using the GUI, then change the Start In path of the shortcut to a directory where the Limited account has access to, like C:\Documents and Settings\*username*\ .
 
Wow fellas, I just woke up so I haven't had any time to make the changes you stated. That limited account sounds like a great idea and I'm going to try that. I have posted the new HijackThis log from the newest version. I don't think there are any extra things in it though. Thanks so much, you guys are great.


Logfile of HijackThis v1.98.2
Scan saved at 10:19:59 AM, on 12/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\rqpgewn.exe
C:\WINDOWS\system32\gearsec.exe
C:\documents and settings\owner\local settings\temp\St.exe
C:\Program Files\ANTIVIRUS SPYWARE\Norton Antivirus\navapsvc.exe
C:\documents and settings\owner\local settings\temp\OznHfdC.exe
C:\WINDOWS\System32\ati3d2ag.exe
C:\Program Files\ANTIVIRUS SPYWARE\Norton Antivirus\AdvTools\NPROTECT.EXE
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AIM95\AIM9513036test\aim.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\??plorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\Program Files\USEFUL PROGRAMS\Ultra Mon\UltraMon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\OttnN3R.exe
C:\WINDOWS\System32\Dzg0p5.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\UTILITIES\TuneUp Utilities\Integrator.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://psdsei.t.rack.cc/sp.php (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://psdsei.t.rack.cc/hp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://psdsei.t.rack.cc/sp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://psdsei.t.rack.cc/sp.php (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://psdsei.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://psdsei.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://martfinder.com/dpindex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://psdsei.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://psdsei.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://psdsei.t.rack.cc/hp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://psdsei.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\ANTIVIRUS SPYWARE\Norton Antivirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\3VkGw1V2A.dll
O2 - BHO: (no name) - {EBC8FC76-609F-1916-E859-3B76676C56C2} - C:\WINDOWS\System32\ica.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\ANTIVIRUS SPYWARE\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTIVI~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [Zsc8Fh4Fe] C:\WINDOWS\rqpgewn.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [St] C:\documents and settings\owner\local settings\temp\St.exe
O4 - HKLM\..\Run: [¢?¸K0¨4W
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rqpgewn.exe
O4 - HKLM\..\Run: [OznHfdC] C:\documents and settings\owner\local settings\temp\OznHfdC.exe
O4 - HKLM\..\Run: [e4bcfefd6914] C:\WINDOWS\System32\ati3d2ag.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\UluCub.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [¢?¸K0¨4W
}ïÁzî?aaøC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\rqpgewn.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\AIM9513036test\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Kynoot] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\MEDIA\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\USEFUL PROGRAMS\Ultra Mon\UltraMon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\AIM9513036test\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/15...QuickTimeInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/downloa...suite/autocomplete.cab

 