lostinflorida
asked on
Why does my PC attempt communication with ads.dns-lookup.com and ayb.netbios-wait.com?
On start-up and shortly thereafter, my PC attempts communication with ads.dns-lookup.com and/or ayb.netbios-wait.com. Spy Sweeper blocks this and alerts me but I'd like to know how to prevent the attempted communication in the first place since it slows down my system noticeably?
Deleted by modus_operandi, 125 points refunded. - 9/1/2007 6:46:22 PM
I agree ... also try downloading and running Vundo FIX. VERY reliable, VERY fast ... kills all persistent!
ASKER
Appreciate the help folks. Both Spybot and Windows Defender found some things but it didn't help with this particular problem. Vundo Fix found nothing at all. On startup Spy Sweeper still reports blocking one of these two internet communications. I just want to find out what's causing these attempted communications so I can kill it or delete it.
Same problem fixed here:
http://forums.techguy.org/windows-nt-2000-xp/600511-ayb-netbios-wait-com.html
Most likely infection:
Trojan.BHOPlugin - http://spywaredetector.net/spyware_encyclopedia/Trojan.BHOPlugin.htm
If you could post a HijackThis log we could tell you for sure and possibly tell you about other infections also.
ASKER
Here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:15:11, on 09.Aug.07
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\system32\brsvc01a.exe
C:\WINNT\system32\brss01a.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\CTSVCCDA.EXE
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINNT\System32\GEARSec.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\FSVD\FSVD.exe
C:\FSVD\FD.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Logitech\Music Anywhere\LMASysTray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\HiJack\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] "C:\WINNT\system32\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DPAgnt] "C:\Program Files\DigitalPersona\Bin\DPAgnt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!!FSVD] C:\FSVD\FSVD.exe
O4 - HKLM\..\Run: [!!FD] C:\FSVD\FD.exe
O4 - HKLM\..\Run: [RCAutoLiveUpdate] "C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe" -AUTO
O4 - HKLM\..\Run: [RCSystemTray] "C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ControlCenter2.0] "C:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Weather] "C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" 1
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Log Surf] "C:\DOCUME~1\GREG&V~1\APPLIC~1\AXISHE~1\itch 32.exe"
O4 - HKUS\S-1-5-19\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech Music Anywhere Settings.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .xfd: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O20 - Winlogon Notify: DPWLN - C:\WINNT\system32\DPWLEvHd.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINNT\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSVCCDA.EXE
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file
Unknown Processes (nasty unless you put them there):
C:\FSVD\FD.exe
C:\FSVD\FSVD.exe
R3 - URLSearchHook: (Morpheus Search Bar) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
Nasty - aka should be removed:
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
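The triage above is done by eye. As an added example (not code from this thread or any of its posters), the script below applies the same three rules to HijackThis-style lines: a Run entry whose executable lives outside the usual program directories, a Run entry with a drive-less path, and a hook whose CLSID has no backing file. The sample lines are constructed from the log in this thread; the trusted-directory list and the unwanted-name list are assumptions, not part of HijackThis.

```python
import re
from typing import List, Tuple

# Directories where installed software is expected to live on this XP machine.
# Assumption for the example; adjust to the box being examined.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\progra~1\\",
    "c:\\winnt\\",
    "c:\\windows\\",
)

# Components the thread itself names as unwanted (constructed list; extend as needed).
KNOWN_UNWANTED = ("backweb", "morpheus")

# O4 autostart line: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# R3/O2/O3 hook lines: "... - {CLSID} - <backing file or (no file)>"
HOOK_RE = re.compile(
    r"^(?P<kind>R3|O2|O3) - .*\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<target>.*)$"
)


def command_path(cmd: str) -> str:
    """Return the executable part of an O4 command line.

    A command in double quotes followed by arguments yields the quoted path;
    an unquoted command yields its first whitespace-delimited token, which for
    rundll32-style entries is just the host executable name.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def reasons_for(line: str) -> List[str]:
    """Apply the thread's triage rules to one log line and list what fires."""
    reasons = []
    lowered = line.lower()
    if any(tag in lowered for tag in KNOWN_UNWANTED):
        reasons.append("known unwanted component")

    m = O4_RE.match(line)
    if m:
        path = command_path(m.group("cmd")).lower()
        if path.startswith("\\"):
            # Drive-less path such as \Program\BackWeb-8876480.exe: resolved
            # against the current drive, a pattern legitimate installers avoid.
            reasons.append("drive-less path in Run entry")
        elif re.match(r"^[a-z]:\\", path) and not path.startswith(TRUSTED_ROOTS):
            # Full path, but not under any directory installed software uses.
            reasons.append("executable outside trusted directories")
        return reasons

    m = HOOK_RE.match(line)
    if m and m.group("target").strip().lower() == "(no file)":
        # A CLSID still registered as a hook with nothing behind it: either a
        # leftover of a removed toolbar or a component whose file is hidden.
        reasons.append("orphaned hook, CLSID with no backing file")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every line at least one rule fires on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = reasons_for(line)
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: a handful of entries taken from the log in this thread,
# with the extraction spacing removed. Not a complete HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!!FSVD] C:\FSVD\FSVD.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons))
        print("    " + line)
```

On the sample, the ccApp, nwiz and Google Toolbar lines pass and the FSVD, LDM and orphaned R3 entries are reported, which is the same set the reply above picked out by hand.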
ASKER
Thanks Justchat but that didn't work either. I put FSVD files there and they have been there for about eighteen months. They wouldn't account for this. I removed the Morpheus file (all of the Morpheus files) and the BackWeb file but when I reboot Spy Sweeper still reports the blocked communication. Guess I'll have to handpick through the registry when I get time. Thanks again.
When you reboot do any of the files reappear (either the same BackWeb file or one with new numbers)? And is the Morpheus toolbar gone? (a lot of times it will hide in the IE toolbars folder)
If you decide to try Spybot which is freeware, btw, also make sure to enable the spybot "Tea Timer" realtime protection that will block malware attempts to hijack your browser or make changes to your registry.
ASKER CERTIFIED SOLUTION
Most likely because IE7 was infected with spyware but instead of taking the time to remove it you just uninstalled IE
ASKER
Well, time's not something I have a whole lot of, especially after taking the time with Spybot, Windows Defender, Vundo and posting an HJT log. Now I can run my business instead of tweaking a tool to deal with an annoyance. Thanks again though for your time.
Also, remove anything published by yahoo or AOL.
Remove all screensavers that were downloaded and installed.
Remove all Internet Explorer Browser Bars. (Windows Defender should clean that up for ya)
Basically, you got spyware, malware, trojan, something that is loaded that shouldn't be and for some reason SpySweeper isn't removing it. It should tell you which file is trying to access the internet though. Try to determine that and repost it here.
Also, a Virus Check. If you don't have anti-virus software you can do a free check at
housecall.trendmicro.com
Spybot:
http://www.spybot.com/en/index.html
Windows Defender:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
- brugh