Logfile of HijackThis v1.99.1
Scan saved at 7:15:59 PM, on 8/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\NFTprog9\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://****.com/search
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {****} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Internet Explorer Hot Fix - {****} - C:\WINDOWS\System32\kidmk.dll
O2 - BHO: (no name) - {****} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {****} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {****} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {****} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {****} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {****} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {****} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
I did a lookup on 85.255.115.99 and it comes back to "Host Name........: 85.255.115.99-xbox.dedi.inhoster.com".
The toolbar "HPTOOLKT.DLL" and "NPDocBox.dll" look suspicious. One other unusual thing that happens is that when online,
if I open the "My Computer" icon and click "C:\", it will try to access an advertising company site, "crl.verisign.com". Even though
Control Panel and the Firefox browser are set to block all first-party and third-party cookies, I still get tracking cookies.
I searched to see what I could find on "Virus: TR/Pipas.A Type: Trojan" and believe it is associated with .spop.
It only said that the file signature has four digit random characters did not find. With a reg entry according to Spybot that does not exist
when I use regedit. Even in safe mode.