0

Iv'e just purchased Norton 2005, installed, updated, scanned, and cleaned........plus updated Spybot, AdAware, ran both and cleaned. I'm in good shape, except for 9 popups. They don't bombard me while I'm surfing, usually just when it sets idle for a few hours (I'm on cable). Popups include "Interclick.com / adopt.hbmediapro.com / partypoker.com / SearchInquire / ShopAtHome Select / adopt.hotbar.com / ad.yeildmanager.com" to name a few. I'm also using Firefox only. Popups appear in IE. Thanks in advance for any help.........
rjeffers

Logfile of HijackThis v1.99.1
Scan saved at 9:21:12 PM, on 7/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\authz859.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\basesrv2.exe
C:\WINDOWS\System32\ndupinwx.exe
C:\WINDOWS\System32\dkfqomrq.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\WINDOWS\System32\??chost.exe
C:\Program Files\apsi\wtta.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06CBB302-3027-2876-B64E-B7FB3EDC4AF2} - (no file)
O2 - BHO: (no name) - {098B2816-B4D3-3673-D079-F2C9806EDCDE} - (no file)
O2 - BHO: (no name) - {530B7D08-CAE3-EA46-E81F-C9EE8580BEBD} - (no file)
O2 - BHO: (no name) - {570B7D7C-CAE3-9147-E86D-BFEE8B80BECE} - (no file)
O2 - BHO: (no name) - {B333FFD7-73DB-5379-54CF-1EF25F8EC6AF} - C:\WINDOWS\System32\yzsrqvtv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BE709C45-AFC1-EC7A-3096-3BB6E6204E4F} - C:\WINDOWS\System32\atpcyyyk.dll
O2 - BHO: (no name) - {CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [2f28c8bed102] C:\WINDOWS\System32\authz859.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
O4 - HKLM\..\Run: [f405760d6a13] C:\WINDOWS\System32\basesrv2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ndupinwx] C:\WINDOWS\System32\ndupinwx.exe
O4 - HKLM\..\Run: [dkfqomrq] C:\WINDOWS\System32\dkfqomrq.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Sjjd] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted IP range: http://66.206.11.125
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

4
Contributors
9
Replies
10
Views
12 Years
Discussion Span
Last Post by crunchie
0

First, right-click on an empty area of your desktop and select New, Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.

Next, download, install, update, and run these utilities:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html
CCleaner –- http://www.filehippo.com/download/Qi6RR0U86febzhqUrQQIBQ2/download.html (don't run this one yet)

Then, scan with HJT and have it fix the following entries:

O2 - BHO: (no name) - {06CBB302-3027-2876-B64E-B7FB3EDC4AF2} - (no file)
O2 - BHO: (no name) - {098B2816-B4D3-3673-D079-F2C9806EDCDE} - (no file)
O2 - BHO: (no name) - {530B7D08-CAE3-EA46-E81F-C9EE8580BEBD} - (no file)
O2 - BHO: (no name) - {570B7D7C-CAE3-9147-E86D-BFEE8B80BECE} - (no file)
O2 - BHO: (no name) - {B333FFD7-73DB-5379-54CF-1EF25F8EC6AF} - C:\WINDOWS\System32\yzsrqvtv.dll
O2 - BHO: (no name) - {BE709C45-AFC1-EC7A-3096-3BB6E6204E4F} - C:\WINDOWS\System32\atpcyyyk.dll
O2 - BHO: (no name) - {CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A} - (no file)
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
O4 - HKLM\..\Run: [f405760d6a13] C:\WINDOWS\System32\basesrv2.exe
O4 - HKLM\..\Run: [ndupinwx] C:\WINDOWS\System32\ndupinwx.exe
O4 - HKLM\..\Run: [dkfqomrq] C:\WINDOWS\System32\dkfqomrq.exe
O4 - HKCU\..\Run: [Sjjd] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
If this IP address is not related to your ISP, have HJT fix this O15 entry as well --
O15 - Trusted IP range: http://
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Close any open windows, other then HijackThis, and hit Fix checked.

In order to view some of the files and folders here, you will need to set your system up accordingly. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Go to the following locations and delete the highlighted files:

C:\Win32\dll\Win32k.exe
C:\WINDOWS\System32\yzsrqvtv.dll
C:\WINDOWS\System32\atpcyyyk.dll
C:\WINDOWS\System32\basesrv2.exe
C:\WINDOWS\System32\ndupinwx.exe
C:\WINDOWS\System32\dkfqomrq.exe
C:\WINDOWS\System32\??chost.exe
C:\Program Files\apsi\wtta.exe

Do a search for these files and delete any instances found:

Dist006.exe
Setup1024.exe
Juocztuz.exe
Aclui874.exe
Basesrv2.exe
Regsync.exe
Installerv3.exe

If any of these files cannot be deleted, please reboot into Safe Mode and try again. Let us know which, if any, still could not be deleted.

Open Firefox and go to Tools, Options, and then click on Privacy (padlock icon on the left); click on the Clear All button.

Now run CCleaner.

Do you know what this file is? I suspect it's bad, but can't find any info on it. If you don't know what it is, please go to the file, right-click on it, select Properties, and give us whatever info you can on it (Company, version, etc.) --
C:\WINDOWS\System32\authz859.exe

Reboot, close any open browser windows, scan with HijackThis, and post a new log please.

0

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

2 problems there. Both have been updated a lot since and are now at SP2.

Then these.

C:\WINDOWS\System32\ndupinwx.exe
C:\WINDOWS\System32\dkfqomrq.exe
C:\WINDOWS\System32\??chost.exe
C:\Program Files\apsi\wtta.exe
O2 - BHO: (no name) - {06CBB302-3027-2876-B64E-B7FB3EDC4AF2} - (no file)
O2 - BHO: (no name) - {098B2816-B4D3-3673-D079-F2C9806EDCDE} - (no file)
O2 - BHO: (no name) - {530B7D08-CAE3-EA46-E81F-C9EE8580BEBD} - (no file)
O2 - BHO: (no name) - {570B7D7C-CAE3-9147-E86D-BFEE8B80BECE} - (no file)
O2 - BHO: (no name) - {B333FFD7-73DB-5379-54CF-1EF25F8EC6AF} - C:\WINDOWS\System32\yzsrqvtv.dll
O2 - BHO: (no name) - {BE709C45-AFC1-EC7A-3096-3BB6E6204E4F} - C:\WINDOWS\System32\atpcyyyk.dll
O2 - BHO: (no name) - {CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [2f28c8bed102] C:\WINDOWS\System32\authz859.exe
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
O4 - HKLM\..\Run: [f405760d6a13] C:\WINDOWS\System32\basesrv2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ndupinwx] C:\WINDOWS\System32\ndupinwx.exe
O4 - HKLM\..\Run: [dkfqomrq] C:\WINDOWS\System32\dkfqomrq.exe
O4 - HKCU\..\Run: [Sjjd] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
[/qoute]

some of the may be genuine but on my machine (which I know to be clean) none of them exist.

0

2 problems there. Both have been updated a lot since and are now at SP2.

Then these.

C:\WINDOWS\System32\ndupinwx.exe
C:\WINDOWS\System32\dkfqomrq.exe
C:\WINDOWS\System32\??chost.exe
C:\Program Files\apsi\wtta.exe
O2 - BHO: (no name) - {06CBB302-3027-2876-B64E-B7FB3EDC4AF2} - (no file)
O2 - BHO: (no name) - {098B2816-B4D3-3673-D079-F2C9806EDCDE} - (no file)
O2 - BHO: (no name) - {530B7D08-CAE3-EA46-E81F-C9EE8580BEBD} - (no file)
O2 - BHO: (no name) - {570B7D7C-CAE3-9147-E86D-BFEE8B80BECE} - (no file)
O2 - BHO: (no name) - {B333FFD7-73DB-5379-54CF-1EF25F8EC6AF} - C:\WINDOWS\System32\yzsrqvtv.dll
O2 - BHO: (no name) - {BE709C45-AFC1-EC7A-3096-3BB6E6204E4F} - C:\WINDOWS\System32\atpcyyyk.dll
O2 - BHO: (no name) - {CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [2f28c8bed102] C:\WINDOWS\System32\authz859.exe
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
O4 - HKLM\..\Run: [f405760d6a13] C:\WINDOWS\System32\basesrv2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ndupinwx] C:\WINDOWS\System32\ndupinwx.exe
O4 - HKLM\..\Run: [dkfqomrq] C:\WINDOWS\System32\dkfqomrq.exe
O4 - HKCU\..\Run: [Sjjd] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
[/qoute]

some of the may be genuine but on my machine (which I know to be clean) none of them exist.

It's not a good idea to get SP2 on an infected machine.

Some of those files are legit (video card, sound card, and HP's packet writing software).

0

Thanks Dlh..........done all, a few files were'nt found. As for the authz859.exe, there was no information in the properties. All I know is it was created 9/13/04. I tried to delete it, but access denied. So I deleted it in safe mode. Here's a new HJT.......thanks again

Logfile of HijackThis v1.99.1
Scan saved at 11:10:21 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Owner\Desktop\HIJackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06CBB302-3027-2876-B64E-B7FB3EDC4AF2} - (no file)
O2 - BHO: (no name) - {098B2816-B4D3-3673-D079-F2C9806EDCDE} - (no file)
O2 - BHO: (no name) - {B333FFD7-73DB-5379-54CF-1EF25F8EC6AF} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BE709C45-AFC1-EC7A-3096-3BB6E6204E4F} - (no file)
O2 - BHO: (no name) - {CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [2f28c8bed102] C:\WINDOWS\System32\authz859.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

0

Reboot into Safe Mode.

Scan with HJT and have it fix the following entries:

O2 - BHO: (no name) - {06CBB302-3027-2876-B64E-B7FB3EDC4AF2} - (no file)
O2 - BHO: (no name) - {098B2816-B4D3-3673-D079-F2C9806EDCDE} - (no file)
O2 - BHO: (no name) - {B333FFD7-73DB-5379-54CF-1EF25F8EC6AF} - (no file)
O2 - BHO: (no name) - {BE709C45-AFC1-EC7A-3096-3BB6E6204E4F} - (no file)
O2 - BHO: (no name) - {CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A} - (no file)
O4 - HKLM\..\Run: [2f28c8bed102] C:\WINDOWS\System32\authz859.exe

Remember to close any open windows before hitting Fix checked.

Do a search for authz859.exe and delete any instances found.

Empty your Recycle Bin and reboot.

Run CCleaner again.

Close any open browser windows, scan with HJT, and post a new log please.

0

Thanks Dlh........no authz859 was found after cleaning........those BHO no name's won't seem to go away though.........Here's new log

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HIJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06CBB302-3027-2876-B64E-B7FB3EDC4AF2} - (no file)
O2 - BHO: (no name) - {098B2816-B4D3-3673-D079-F2C9806EDCDE} - (no file)
O2 - BHO: (no name) - {B333FFD7-73DB-5379-54CF-1EF25F8EC6AF} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BE709C45-AFC1-EC7A-3096-3BB6E6204E4F} - (no file)
O2 - BHO: (no name) - {CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

0

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Then click on Edit, Find; in the box, paste 06CBB302-3027-2876-B64E-B7FB3EDC4AF2, and then click on Find Next

Right-click on any entries found and click Delete.

Continue using the Find Next option until you get the Finished searching through registry message.

Repeat the 'Find' instructions for each of the following:

098B2816-B4D3-3673-D079-F2C9806EDCDE
B333FFD7-73DB-5379-54CF-1EF25F8EC6AF
BE709C45-AFC1-EC7A-3096-3BB6E6204E4F
CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A

Close the Registry Editor.

Empty your Recycle Bin and reboot normally.

Close any open browser windows, scan with HijackThis, and post the new log please. Are you still having problems?

0

Thanks for all your help, Dlh.......actually I have not seen a popup since id did the first cleaning after posting a HJT log. All seems to be fine. I was wanting to get rid of the BHO No Name entries, just because they were there, and wouldn't go away. I searched for the first one in the registry, and it found it in the Internet Explorer folder, in a subfolder titled "Browser Helper Objects". It was there, along with the other files I hadn't searched for yet. I tried to delete, and I got "cannot delete 06CBB302-3027-2876-B64E-B7FB3EDC4AF2, error while deleting key". I'll try something else if you have a suggestion, but if you want me to move on since the original problem has seemed be solved, that's ok too. I appreciate your time so far.
rjeffers

0

Download the attached zip file and unzip fixme.reg. Close all browser windows. Double click to run it and when asked if you want to merge with your registry, answer yes.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.