0

Hi, my name is Jesus Ladd and I just read that all the HijackThis threads have to be posted on the security forum. Well, this is my HijackThis log. Can you please help me and tell me what files I need to check? Thank you.

Logfile of HijackThis v1.98.0
Scan saved at 1:11:34 AM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msCMTSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ipds.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\gljhvswy.exe
C:\WINDOWS\System32\wping.exe
C:\WINDOWS\System32\LzioMediaUpdater.exe
C:\WINDOWS\system32\ipgb.exe
C:\WINDOWS\System32\avimsnsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\Obpakh0.exe
C:\WINDOWS\System32\MuqbZ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\WINDOWS\System32\ir32_32.exe
C:\Documents and Settings\Jessy\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://rd.yn.cometsystems.com/r/cc3un/4.4.1;10746230990000000114000796875;1074623103000;1075164515000/http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {905429DE-19AE-14A9-E359-B2D986ECF629} - C:\WINDOWS\system32\ipgb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [qlvsfvlg] C:\WINDOWS\System32\gljhvswy.exe
O4 - HKLM\..\Run: [wping.exe] C:\WINDOWS\System32\wping.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\OhjPVfC1.exe
O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINDOWS\System32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [AutoLoader20sp1PIjZYPI] "C:\WINDOWS\System32\shefos.exe" /PC="AM.SKHN" /HideUninstall /HideDir
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINDOWS\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [273V35V] shefos.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ipgb.exe] C:\WINDOWS\system32\ipgb.exe
O4 - HKLM\..\RunOnce: [ipds.exe] C:\WINDOWS\ipds.exe
O4 - HKLM\..\RunOnce: [sysdw32.exe] C:\WINDOWS\system32\sysdw32.exe
O4 - HKLM\..\RunOnce: [msuu.exe] C:\WINDOWS\system32\msuu.exe
O4 - HKLM\..\RunOnce: [ipyj.exe] C:\WINDOWS\system32\ipyj.exe
O4 - HKLM\..\RunOnce: [appjb32.exe] C:\WINDOWS\appjb32.exe
O4 - HKLM\..\RunOnce: [mfcia32.exe] C:\WINDOWS\system32\mfcia32.exe
O4 - HKLM\..\RunOnce: [addbu32.exe] C:\WINDOWS\system32\addbu32.exe
O4 - HKLM\..\RunOnce: [appwx32.exe] C:\WINDOWS\appwx32.exe
O4 - HKLM\..\RunOnce: [nettz.exe] C:\WINDOWS\nettz.exe
O4 - HKLM\..\RunOnce: [apidg.exe] C:\WINDOWS\apidg.exe
O4 - HKLM\..\RunOnce: [apion.exe] C:\WINDOWS\system32\apion.exe
O4 - HKLM\..\RunOnce: [ntjy32.exe] C:\WINDOWS\ntjy32.exe
O4 - HKLM\..\RunOnce: [crme32.exe] C:\WINDOWS\system32\crme32.exe
O4 - HKLM\..\RunOnce: [atlyj.exe] C:\WINDOWS\system32\atlyj.exe
O4 - HKLM\..\RunOnce: [ieim32.exe] C:\WINDOWS\ieim32.exe
O4 - HKLM\..\RunOnce: [cryn.exe] C:\WINDOWS\system32\cryn.exe
O4 - HKLM\..\RunOnce: [crfs32.exe] C:\WINDOWS\system32\crfs32.exe
O4 - HKLM\..\RunOnce: [d3yo32.exe] C:\WINDOWS\system32\d3yo32.exe
O4 - HKLM\..\RunOnce: [javajl32.exe] C:\WINDOWS\system32\javajl32.exe
O4 - HKLM\..\RunOnce: [ipnr32.exe] C:\WINDOWS\ipnr32.exe
O4 - HKLM\..\RunOnce: [addba.exe] C:\WINDOWS\addba.exe
O4 - HKLM\..\RunOnce: [crif.exe] C:\WINDOWS\crif.exe
O4 - HKLM\..\RunOnce: [appod32.exe] C:\WINDOWS\system32\appod32.exe
O4 - HKLM\..\RunOnce: [ntov.exe] C:\WINDOWS\ntov.exe
O4 - HKLM\..\RunOnce: [sdkxo.exe] C:\WINDOWS\system32\sdkxo.exe
O4 - HKLM\..\RunOnce: [apihg32.exe] C:\WINDOWS\system32\apihg32.exe
O4 - HKLM\..\RunOnce: [d3wl.exe] C:\WINDOWS\system32\d3wl.exe
O4 - HKLM\..\RunOnce: [winxj.exe] C:\WINDOWS\winxj.exe
O4 - HKLM\..\RunOnce: [addew.exe] C:\WINDOWS\system32\addew.exe
O4 - HKLM\..\RunOnce: [atlpu.exe] C:\WINDOWS\atlpu.exe
O4 - HKLM\..\RunOnce: [ieqa32.exe] C:\WINDOWS\system32\ieqa32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ir32_32] C:\WINDOWS\System32\ir32_32.exe
O4 - HKCU\..\Run: [wping.exe] C:\WINDOWS\System32\wping.exe
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [Jws9RRZpe] avimsnsv.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/TrfV3nd02.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_stp.cab
O16 - DPF: {6EE39BFC-2FB6-4B69-9D05-CFC10E4F5B3E} (MavenBootInstallerAXControl Class) - http://client.maven.net/client/mavenBootInstaller.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gamedaily.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSECS.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} - http://ads.dealhelper.com/updates/DealHelperNew.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D0490B4-AABF-4554-BFA8-611D183BD737}: NameServer = 206.13.29.12 206.13.30.12
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

0

First try loading into safe mode: press F8 after the POST screen (power-on self test, it's the black screen when you first boot up with your system info on it) and then select safe mode from the advanced system options list. Then run your anti-spyware programs and antivirus programs. If you haven't already done this, then I would suggest:

Spybot S&D - http://www.safer-networking.org/en/mirrors/index.html
Ad-aware - http://www.download.com/Ad-aware/3000-8022-10214379.html?tag=lst-0-1

After you have done this, or if you have already done this, try deciphering some of the log yourself by using these links:

HijackThis tutorial - http://hjt.wizardsofwebsites.com/
Deciphering - http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html

After all of this, then try asking for some more help.

0

Download the PeperFix.exe tool from here:

http://downloads.subratam.org/PeperFix.exe

Click on the PeperFix.exe to launch it.

Click the Find and Fix button.

It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.
Ensure that you are online before starting the fix. Make sure to run the fix twice.

0

Hey, thanks for the help. I ran the program twice and then it says that no peper files were detected. I really appreciate your help. But I still get the popups when I start the computer that say that Windows\System32 could not be found. There's like ten popups that pop up. I was wondering, since you really helped me a lot by telling me what to do, I wanted to know if you knew how to fix that problem. C:\Windows\System32 could not be found. Thank you

0

Have you run the recommended (and free) "spyware" removal utilities described in this thread?

http://www.daniweb.com/techtalkforums/thread5690.html

If not, do so.

Before running the utilities, clear your Temporary Internet files (including "offline content"), delete your Cookies, and empty your Recycle Bin.
Let the utilities fix whatever they find and then post a new HJT log.

0

Hey, thanks for the help. I ran the program twice and then it says that no peper files were detected.

Were you online when you ran the fix? You have to be online. Peper is definitely showing in your log. Please do as DMR suggests, then reboot your system, then go here for an on-line scan & set it to autoclean for you.
Try this scan as well.

Post your log after doing that.

0

This is what it says when I turn on my computer

Error Loading C:\WINDOWS\System32\ielcaabe.dll
The specified module can not be found

Error Loading C:\WINDOWS\System32\wmcbaaca.dll
The specified module can not be found

Error Loading C:\WINDOWS\System32\he3bbcff.dll
The specified module can not be found

Error Loading C:\WINDOWS\System32\icddefff.dll
The specified module can not be found

That’s what it shows and some of them are repeated more than once.

Does anyone know how to fix that? If you do, please tell me.
Thanks for your help

P.S.: And about that peper files thing, I ran it again and I was online and it still told me the same thing. No peper files were found. The only time it found things was the first time I ran it. I fixed that already though. I guess I should've mentioned that. Sorry

0

This is my new HijackThis logfile. Are there still problems with it other than that Windows\System32 dll thing posted above? If so, what else should I do?

Logfile of HijackThis v1.98.0
Scan saved at 11:52:51 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msCMTSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ipds.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\wping.exe
C:\WINDOWS\System32\LzioMediaUpdater.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ipgb.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\avimsnsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE
C:\WINDOWS\System32\ir32_32.exe
C:\Documents and Settings\Jessy\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {905429DE-19AE-14A9-E359-B2D986ECF629} - C:\WINDOWS\system32\ipgb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [wping.exe] C:\WINDOWS\System32\wping.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINDOWS\System32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [AutoLoader20sp1PIjZYPI] "C:\WINDOWS\System32\shefos.exe" /PC="AM.SKHN" /HideUninstall /HideDir
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINDOWS\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [273V35V] shefos.exe
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ipgb.exe] C:\WINDOWS\system32\ipgb.exe
O4 - HKLM\..\RunOnce: [ipds.exe] C:\WINDOWS\ipds.exe
O4 - HKLM\..\RunOnce: [sysdw32.exe] C:\WINDOWS\system32\sysdw32.exe
O4 - HKLM\..\RunOnce: [msuu.exe] C:\WINDOWS\system32\msuu.exe
O4 - HKLM\..\RunOnce: [ipyj.exe] C:\WINDOWS\system32\ipyj.exe
O4 - HKLM\..\RunOnce: [appjb32.exe] C:\WINDOWS\appjb32.exe
O4 - HKLM\..\RunOnce: [mfcia32.exe] C:\WINDOWS\system32\mfcia32.exe
O4 - HKLM\..\RunOnce: [addbu32.exe] C:\WINDOWS\system32\addbu32.exe
O4 - HKLM\..\RunOnce: [appwx32.exe] C:\WINDOWS\appwx32.exe
O4 - HKLM\..\RunOnce: [nettz.exe] C:\WINDOWS\nettz.exe
O4 - HKLM\..\RunOnce: [apidg.exe] C:\WINDOWS\apidg.exe
O4 - HKLM\..\RunOnce: [apion.exe] C:\WINDOWS\system32\apion.exe
O4 - HKLM\..\RunOnce: [ntjy32.exe] C:\WINDOWS\ntjy32.exe
O4 - HKLM\..\RunOnce: [crme32.exe] C:\WINDOWS\system32\crme32.exe
O4 - HKLM\..\RunOnce: [atlyj.exe] C:\WINDOWS\system32\atlyj.exe
O4 - HKLM\..\RunOnce: [ieim32.exe] C:\WINDOWS\ieim32.exe
O4 - HKLM\..\RunOnce: [cryn.exe] C:\WINDOWS\system32\cryn.exe
O4 - HKLM\..\RunOnce: [crfs32.exe] C:\WINDOWS\system32\crfs32.exe
O4 - HKLM\..\RunOnce: [d3yo32.exe] C:\WINDOWS\system32\d3yo32.exe
O4 - HKLM\..\RunOnce: [javajl32.exe] C:\WINDOWS\system32\javajl32.exe
O4 - HKLM\..\RunOnce: [ipnr32.exe] C:\WINDOWS\ipnr32.exe
O4 - HKLM\..\RunOnce: [addba.exe] C:\WINDOWS\addba.exe
O4 - HKLM\..\RunOnce: [crif.exe] C:\WINDOWS\crif.exe
O4 - HKLM\..\RunOnce: [appod32.exe] C:\WINDOWS\system32\appod32.exe
O4 - HKLM\..\RunOnce: [ntov.exe] C:\WINDOWS\ntov.exe
O4 - HKLM\..\RunOnce: [sdkxo.exe] C:\WINDOWS\system32\sdkxo.exe
O4 - HKLM\..\RunOnce: [apihg32.exe] C:\WINDOWS\system32\apihg32.exe
O4 - HKLM\..\RunOnce: [d3wl.exe] C:\WINDOWS\system32\d3wl.exe
O4 - HKLM\..\RunOnce: [winxj.exe] C:\WINDOWS\winxj.exe
O4 - HKLM\..\RunOnce: [addew.exe] C:\WINDOWS\system32\addew.exe
O4 - HKLM\..\RunOnce: [atlpu.exe] C:\WINDOWS\atlpu.exe
O4 - HKLM\..\RunOnce: [ieqa32.exe] C:\WINDOWS\system32\ieqa32.exe
O4 - HKLM\..\RunOnce: [ieko.exe] C:\WINDOWS\system32\ieko.exe
O4 - HKLM\..\RunOnce: [atlcv32.exe] C:\WINDOWS\atlcv32.exe
O4 - HKLM\..\RunOnce: [javarq32.exe] C:\WINDOWS\javarq32.exe
O4 - HKLM\..\RunOnce: [apppj.exe] C:\WINDOWS\apppj.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ir32_32] C:\WINDOWS\System32\ir32_32.exe
O4 - HKCU\..\Run: [wping.exe] C:\WINDOWS\System32\wping.exe
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [Jws9RRZpe] avimsnsv.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/TrfV3nd02.cab
O16 - DPF: {6EE39BFC-2FB6-4B69-9D05-CFC10E4F5B3E} (MavenBootInstallerAXControl Class) - http://client.maven.net/client/mavenBootInstaller.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} - http://ads.dealhelper.com/updates/DealHelperNew.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D0490B4-AABF-4554-BFA8-611D183BD737}: NameServer = 206.13.29.12 206.13.30.12
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

0

Unzip HJT into its own permanent folder before doing anything, in order for it to create backups (not a temporary folder or directly on the desktop; in a folder on the desktop is fine, & not directly on your hard drive). Close all (browser) windows & rescan with HijackThis. When the scan is finished, place a check in the box to the left of the following entries & click 'Fix checked':

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {905429DE-19AE-14A9-E359-B2D986ECF629} - C:\WINDOWS\system32\ipgb.dll

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [AutoLoader20sp1PIjZYPI] "C:\WINDOWS\System32\shefos.exe" /PC="AM.SKHN" /HideUninstall /HideDir
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ipgb.exe] C:\WINDOWS\system32\ipgb.exe
O4 - HKLM\..\RunOnce: [ipds.exe] C:\WINDOWS\ipds.exe
O4 - HKLM\..\RunOnce: [sysdw32.exe] C:\WINDOWS\system32\sysdw32.exe
O4 - HKLM\..\RunOnce: [msuu.exe] C:\WINDOWS\system32\msuu.exe
O4 - HKLM\..\RunOnce: [ipyj.exe] C:\WINDOWS\system32\ipyj.exe
O4 - HKLM\..\RunOnce: [appjb32.exe] C:\WINDOWS\appjb32.exe
O4 - HKLM\..\RunOnce: [mfcia32.exe] C:\WINDOWS\system32\mfcia32.exe
O4 - HKLM\..\RunOnce: [addbu32.exe] C:\WINDOWS\system32\addbu32.exe
O4 - HKLM\..\RunOnce: [appwx32.exe] C:\WINDOWS\appwx32.exe
O4 - HKLM\..\RunOnce: [nettz.exe] C:\WINDOWS\nettz.exe
O4 - HKLM\..\RunOnce: [apidg.exe] C:\WINDOWS\apidg.exe
O4 - HKLM\..\RunOnce: [apion.exe] C:\WINDOWS\system32\apion.exe
O4 - HKLM\..\RunOnce: [ntjy32.exe] C:\WINDOWS\ntjy32.exe
O4 - HKLM\..\RunOnce: [crme32.exe] C:\WINDOWS\system32\crme32.exe
O4 - HKLM\..\RunOnce: [atlyj.exe] C:\WINDOWS\system32\atlyj.exe
O4 - HKLM\..\RunOnce: [ieim32.exe] C:\WINDOWS\ieim32.exe
O4 - HKLM\..\RunOnce: [cryn.exe] C:\WINDOWS\system32\cryn.exe
O4 - HKLM\..\RunOnce: [crfs32.exe] C:\WINDOWS\system32\crfs32.exe
O4 - HKLM\..\RunOnce: [d3yo32.exe] C:\WINDOWS\system32\d3yo32.exe
O4 - HKLM\..\RunOnce: [javajl32.exe] C:\WINDOWS\system32\javajl32.exe
O4 - HKLM\..\RunOnce: [ipnr32.exe] C:\WINDOWS\ipnr32.exe
O4 - HKLM\..\RunOnce: [addba.exe] C:\WINDOWS\addba.exe
O4 - HKLM\..\RunOnce: [crif.exe] C:\WINDOWS\crif.exe
O4 - HKLM\..\RunOnce: [appod32.exe] C:\WINDOWS\system32\appod32.exe
O4 - HKLM\..\RunOnce: [ntov.exe] C:\WINDOWS\ntov.exe
O4 - HKLM\..\RunOnce: [sdkxo.exe] C:\WINDOWS\system32\sdkxo.exe
O4 - HKLM\..\RunOnce: [apihg32.exe] C:\WINDOWS\system32\apihg32.exe
O4 - HKLM\..\RunOnce: [d3wl.exe] C:\WINDOWS\system32\d3wl.exe
O4 - HKLM\..\RunOnce: [winxj.exe] C:\WINDOWS\winxj.exe
O4 - HKLM\..\RunOnce: [addew.exe] C:\WINDOWS\system32\addew.exe
O4 - HKLM\..\RunOnce: [atlpu.exe] C:\WINDOWS\atlpu.exe
O4 - HKLM\..\RunOnce: [ieqa32.exe] C:\WINDOWS\system32\ieqa32.exe
O4 - HKLM\..\RunOnce: [ieko.exe] C:\WINDOWS\system32\ieko.exe
O4 - HKLM\..\RunOnce: [atlcv32.exe] C:\WINDOWS\atlcv32.exe
O4 - HKLM\..\RunOnce: [javarq32.exe] C:\WINDOWS\javarq32.exe
O4 - HKLM\..\RunOnce: [apppj.exe] C:\WINDOWS\apppj.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ir32_32] C:\WINDOWS\System32\ir32_32.exe
O4 - HKCU\..\Run: [Jws9RRZpe] avimsnsv.exe

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.ne...b/TrfV3nd02.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/5...03C00/setup.exe
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} - http://ads.dealhelper.com/updates/DealHelperNew.cab

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\automove.exe<<<<
C:\WINDOWS\System32\shefos.exe<<<<
C:\Program Files\AutoUpdate<<<<
C:\WINDOWS\system32\ipgb.exe<<<<
C:\WINDOWS\ipds.exe<<<<
C:\WINDOWS\system32\sysdw32.exe<<<<
C:\WINDOWS\system32\msuu.exe<<<<
C:\WINDOWS\system32\ipyj.exe<<<<
C:\WINDOWS\appjb32.exe<<<<
C:\WINDOWS\system32\mfcia32.exe<<<<
C:\WINDOWS\system32\addbu32.exe<<<<
C:\WINDOWS\appwx32.exe<<<<
C:\WINDOWS\nettz.exe<<<<
C:\WINDOWS\apidg.exe<<<<
C:\WINDOWS\system32\apion.exe<<<<
C:\WINDOWS\ntjy32.exe<<<<
C:\WINDOWS\system32\crme32.exe<<<<
C:\WINDOWS\system32\atlyj.exe<<<<
C:\WINDOWS\ieim32.exe<<<<
C:\WINDOWS\system32\cryn.exe<<<<
C:\WINDOWS\system32\crfs32.exe<<<<
C:\WINDOWS\system32\d3yo32.exe<<<<
C:\WINDOWS\system32\javajl32.exe<<<<
C:\WINDOWS\ipnr32.exe<<<<
C:\WINDOWS\addba.exe<<<<
C:\WINDOWS\crif.exe<<<<
C:\WINDOWS\system32\appod32.exe<<<<
C:\WINDOWS\ntov.exe<<<<
C:\WINDOWS\system32\sdkxo.exe<<<<
C:\WINDOWS\system32\apihg32.exe<<<<
C:\WINDOWS\system32\d3wl.exe<<<<
C:\WINDOWS\winxj.exe<<<<
C:\WINDOWS\system32\addew.exe<<<<
C:\WINDOWS\atlpu.exe<<<<
C:\WINDOWS\system32\ieqa32.exe<<<<
C:\WINDOWS\system32\ieko.exe<<<<
C:\WINDOWS\atlcv32.exe<<<<
C:\WINDOWS\javarq32.exe<<<<
C:\WINDOWS\apppj.exe<<<<
C:\Program Files\SpyKiller<<<<
C:\WINDOWS\System32\ir32_32.exe<<<<

Reboot normally after doing the above then post a fresh log please.
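The "Error Loading ... The specified module can not be found" popups quoted earlier match the four rundll32 O4 entries (he3bbcff.dll, wmcbaaca.dll, icddefff.dll, ielcaabe.dll) that are still listed in the second log: the Run values outlived the DLLs they load, so rundll32 complains at every logon. As an added example that is not HijackThis code nor part of any tool recommended in this thread, the Python below parses O4 lines in the log format shown above and flags that condition, plus two other signals visible in these logs: several Run values loading one DLL, and RunOnce entries that survive from one scan to the next (Windows deletes a RunOnce value after executing it). The sample lines are copied from the logs and popups posted in the thread.

```python
"""Added example for this thread (not HijackThis code): triage of O4 autostart
lines in the 'O4 - <hive>\\..\\<key>: [<name>] <command>' format shown above."""
import re
from dataclasses import dataclass

# One O4 registry autostart line, e.g.
# O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# 'rundll32.exe <dll>,<export>' command lines (case-insensitive, .exe optional)
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,]+),(?P<export>\S+)", re.IGNORECASE)
# The popup text rundll32 shows when the DLL named in a Run value no longer exists
ERR_RE = re.compile(r"^Error Loading (?P<path>.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class O4Entry:
    hive: str   # HKLM or HKCU
    key: str    # Run, RunOnce, ...
    name: str   # value name shown in brackets
    cmd: str    # command line

    def rundll32_dll(self):
        """Lower-cased DLL path if cmd is a rundll32 loader, else None."""
        m = RUNDLL_RE.match(self.cmd.strip())
        return m.group("dll").strip().lower() if m else None


def parse_o4(log_text):
    """Extract O4 registry entries from a HijackThis log; other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(O4Entry(**m.groupdict()))
    return entries


def orphaned_rundll32(entries, error_text):
    """Entries whose rundll32 DLL is named in an 'Error Loading <path>' popup:
    the registry value outlived the file it loads, which is what produces the popup."""
    missing = set()
    for line in error_text.splitlines():
        m = ERR_RE.match(line.strip())
        if m:
            missing.add(m.group("path").strip().lower())
    return [e for e in entries if e.rundll32_dll() in missing]


def duplicate_loaders(entries):
    """DLL path -> sorted value names, for DLLs loaded by more than one Run value
    (a second value keeps the DLL loading even if the first one is removed)."""
    by_dll = {}
    for e in entries:
        dll = e.rundll32_dll()
        if dll:
            by_dll.setdefault(dll, set()).add(e.name)
    return {dll: sorted(names) for dll, names in by_dll.items() if len(names) > 1}


def surviving_runonce(older, newer):
    """RunOnce commands present in two consecutive scans. Windows deletes a RunOnce
    value after executing it, so a survivor is being re-created between boots."""
    def cmds(entries):
        return {(e.hive, e.cmd.lower()) for e in entries if e.key == "RunOnce"}
    return sorted(cmd for _hive, cmd in cmds(older) & cmds(newer))


# Constructed sample: O4 lines copied from the 7/10 and 7/11 logs in this thread.
SCAN_1 = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\RunOnce: [ipds.exe] C:\WINDOWS\ipds.exe
O4 - HKLM\..\RunOnce: [sysdw32.exe] C:\WINDOWS\system32\sysdw32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""
SCAN_2 = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\RunOnce: [ipds.exe] C:\WINDOWS\ipds.exe
O4 - HKLM\..\RunOnce: [ieko.exe] C:\WINDOWS\system32\ieko.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""
# Constructed sample: the startup popups quoted by the original poster.
STARTUP_ERRORS = r"""
Error Loading C:\WINDOWS\System32\ielcaabe.dll
The specified module can not be found
Error Loading C:\WINDOWS\System32\he3bbcff.dll
The specified module can not be found
"""

if __name__ == "__main__":
    s1, s2 = parse_o4(SCAN_1), parse_o4(SCAN_2)
    for e in orphaned_rundll32(s1, STARTUP_ERRORS):
        print(f"orphaned loader : {e.hive}\\..\\{e.key} [{e.name}] -> {e.rundll32_dll()}")
    for dll, names in duplicate_loaders(s1).items():
        print(f"duplicate values: {names} all load {dll}")
    for cmd in surviving_runonce(s1, s2):
        print(f"RunOnce survivor: {cmd}")
```

Removing the orphaned Run values (or the whole O4 line in HijackThis) is what stops the popups; the surviving RunOnce list is the set of files to look for in safe mode.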

0

I did what you told me to and this is the log I got. The only thing I couldn't do, after I started the computer in Safe mode and ran HijackThis, was delete the second set of files (the bold ones). It didn't find them.

Logfile of HijackThis v1.98.0
Scan saved at 6:22:50 PM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msCMTSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\crqb.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\LzioMediaUpdater.exe
C:\WINDOWS\system32\ipgb.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\wping.exe
C:\WINDOWS\System32\ir32_32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\Program Files\Microsoft Works\MSWorks.exe
c:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE
C:\Documents and Settings\Jessy\Desktop\hthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [wping.exe] C:\WINDOWS\System32\wping.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINDOWS\System32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINDOWS\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [273V35V] shefos.exe
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ipgb.exe] C:\WINDOWS\system32\ipgb.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [systk.exe] C:\WINDOWS\systk.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [wping.exe] C:\WINDOWS\System32\wping.exe
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [ir32_32] C:\WINDOWS\System32\ir32_32.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6EE39BFC-2FB6-4B69-9D05-CFC10E4F5B3E} (MavenBootInstallerAXControl Class) - http://client.maven.net/client/mavenBootInstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D0490B4-AABF-4554-BFA8-611D183BD737}: NameServer = 206.13.29.12 206.13.30.12
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.
Reboot.

Reboot into safe mode following the instructions here & navigate to & delete the following:

C:\Program Files\AutoUpdate< folder
C:\WINDOWS\System32\he3bbcff.dll< file
C:\WINDOWS\System32\wmcbaaca.dll< file
C:\WINDOWS\System32\icddefff.dll< file
C:\WINDOWS\System32\ielcaabe.dll< file
O4 - HKLM\..\Run: [273V35V] shefos.exe< file
C:\WINDOWS\System32\icddefff.dll< file
C:\WINDOWS\System32\he3bbcff.dll< file
C:\WINDOWS\System32\ielcaabe.dll< file
C:\WINDOWS\System32\wmcbaaca.dll< file
C:\WINDOWS\system32\ipgb.exe< file
C:\WINDOWS\systk.exe< file
C:\WINDOWS\crqb.exe< file
C:\WINDOWS\System32\ir32_32.exe< file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to do so are here.

Still in safe mode, close all (browser) windows & rescan with HijackThis. When the scan is finished, place a check in the box to the left of the following entries & click 'fix checked':

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINDOWS\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [273V35V] shefos.exe
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ipgb.exe] C:\WINDOWS\system32\ipgb.exe
O4 - HKLM\..\RunOnce: [systk.exe] C:\WINDOWS\systk.exe
O4 - HKCU\..\Run: [wping.exe] C:\WINDOWS\System32\wping.exe
O4 - HKCU\..\Run: [ir32_32] C:\WINDOWS\System32\ir32_32.exe

Reboot normally after doing the above, then post a fresh log please.
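The helper's "fix checked" list above is built by reading the O4 (Run/RunOnce) lines of the log by hand. As an added example that is not part of this thread, here is a small Python triage script that parses a handful of O4 lines copied from the log above and flags the patterns the helper acted on: a DLL given persistence through rundll32, several Run values pointing at one payload, a bare file name with no path, and a RunOnce entry. The flags are triage hints for a human reviewer, not verdicts, and the field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of O4 lines copied from the HijackThis log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [273V35V] shefos.exe
O4 - HKLM\..\Run: [ipgb.exe] C:\WINDOWS\system32\ipgb.exe
O4 - HKLM\..\RunOnce: [systk.exe] C:\WINDOWS\systk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ir32_32] C:\WINDOWS\System32\ir32_32.exe
"""

# Shape of a HijackThis O4 line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$')

def target_of(cmd):
    """Return (loader, target_path, export) for the command part of an O4 line."""
    parts = cmd.split(None, 1)
    if parts[0].lower() in ('rundll32.exe', 'rundll32') and len(parts) == 2:
        dll, _, export = parts[1].partition(',')       # rundll32 <dll>,<export> [args]
        return 'rundll32', dll.strip(), export.split()[0] if export.strip() else ''
    if cmd.startswith('"'):                            # quoted path, arguments follow
        return 'direct', cmd[1:cmd.index('"', 1)], ''
    return 'direct', parts[0], ''

def triage(log_text):
    """Parse O4 lines and attach review flags to each autostart entry."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        loader, target, export = target_of(m['cmd'])
        entries.append({'hive': m['hive'], 'key': m['key'], 'value': m['value'],
                        'loader': loader, 'target': target, 'export': export, 'flags': set()})
    by_target = defaultdict(list)
    for e in entries:
        by_target[e['target'].lower()].append(e)
    for e in entries:
        if '\\' not in e['target']:
            e['flags'].add('bare_name')        # located via PATH search; real file location unknown
        if e['loader'] == 'rundll32':
            e['flags'].add('rundll32_dll')     # persistence for a DLL, not an executable
        if len(by_target[e['target'].lower()]) > 1:
            e['flags'].add('duplicate_target') # several Run values, one payload (see he3bbcff.dll)
        if e['key'].lower() == 'runonce':
            e['flags'].add('runonce')          # one-shot entry, often a dropper's cleanup stage
    return entries

if __name__ == '__main__':
    for e in triage(SAMPLE_O4_LINES):
        print(f"{e['hive']}\\{e['key']} [{e['value']}] -> {e['target']} {sorted(e['flags'])}")
```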
