Norton has discovered these files trying to access the internet using my ports. Each time, I have blocked its access.
Istsvc[1].exe
nail.exe
nail[1].exe
thnall1ac.exe
nwqjmlhkca.exe
nsa91f.dll
I have rebooted in the safe mode and used HIJACK THIS to delete these files. They keep returning. I have also tried Norton and Spyware Doctor to remove them. Nothing works.
Here is a copy of my latest file from HIJACK THIS:
Logfile of HijackThis v1.98.2
Scan saved at 8:08:26 PM, on 4/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\explorer.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\unzipped\framxpro\FreeRAM XP Pro 1.40.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\explorer.exe
c:\windows\system32\ajchqhd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\QConsole.exe
C:\Documents and Settings\Swaine\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Handy Password - {B2DE56E2-907A-4080-AE06-5C2A7BD4364E} - C:\Program Files\Handy Password\HandyPasswordToolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DOoHbrh6] C:\WINDOWS\isdtkns.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ftuhup] c:\windows\system32\ajchqhd.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [FreeRAM XP] "C:\unzipped\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Autologin - res://C:\Program Files\Handy Password\HandyPasswordToolbar.dll/menu_autologin.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Fill - res://C:\Program Files\Handy Password\HandyPasswordToolbar.dll/menu_fill.html
O8 - Extra context menu item: Fill with - res://C:\Program Files\Handy Password\HandyPasswordToolbar.dll/menu_fillwith.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Lock - res://C:\Program Files\Handy Password\HandyPasswordToolbar.dll/menu_lock.html
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Save - res://C:\Program Files\Handy Password\HandyPasswordToolbar.dll/menu_save.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Transaction Management - https://tmm8.care.usbank.com/Tmm/Tmm.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab