yet another spyware post
Brandon

08/07/04
I'm trying to help my brother clean up his computer. He has the following anti-spyware programs and we still can't clean this stuff up fully. In particular, we're still having problems with some object called BlazeFind that keeps spawning new registry keys every time I reboot. There must be some process I'm overlooking that keeps starting up. Also, he has this search tool right on the Windows taskbar that has a text box with the default box reading "Search Here". More importantly, I can't seem to get Norton Antivirus to run at startup. Something on his computer seems to be killing the process.

Webroot Spy Sweeper, Ad-aware 6.0, HijackThis, and CWShredder. Here are the log files generated from HJT and Ad-aware:

Logfile of HijackThis v1.97.7
Scan saved at 1:46:59 PM, on 8/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Documents and Settings\Patrick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A8C382F-E613-08B3-D352-62557BD12735} - C:\WINDOWS\System32\ozm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=49e422e7968751004a7c475f91f16bf5704ecd078aae7d3982a3508206fdc37f677f5429ee732a811e3c55f70527c293f863e8:8b5b4fff0cd3ceb2d022384e480b9c0d
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.9596643519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

And now the Ad-aware log (though I've previously deleted the registry keys already so I'll just paste the running processes):

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, August 07, 2004 1:52:57 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R336 06.08.2004
__

Ad-aware Settings
==
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry

8-7-2004 1:52:57 PM - Scan started. (Smart mode)

Listing running processes
¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 8-7-2004 6:41:39 PM
BasePriority : Normal

#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 8-7-2004 6:41:40 PM
BasePriority : High

#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 8-7-2004 6:41:40 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 8/7/2004 6:29:01 PM
Last modified : 8/23/2001 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 8-7-2004 6:41:40 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 8/7/2004 6:29:01 PM
Last modified : 8/29/2002 10:41:26 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 8-7-2004 6:41:41 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 8/7/2004 6:29:01 PM
Last modified : 8/23/2001 12:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 8-7-2004 6:41:41 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 8/7/2004 6:29:01 PM
Last modified : 8/23/2001 12:00:00 PM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 8-7-2004 6:41:42 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 8/7/2004 6:29:01 PM
Last modified : 8/23/2001 12:00:00 PM

#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 8-7-2004 6:41:46 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 9/10/2003 6:07:04 AM
Last accessed : 8/7/2004 6:46:31 PM
Last modified : 8/29/2002 10:41:24 AM

#:9 [soundman.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 8-7-2004 6:41:47 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 5.1.10
ProductVersion : 5.1.10
Copyright : Copyright (c) 2001-2003 Realtek Semiconductor Corp.
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
OriginalFilename : ALSMTray.exe
ProductName : Realtek Sound Manager
Created on : 9/10/2003 5:49:13 AM
Last accessed : 8/7/2004 6:41:39 PM
Last modified : 8/15/2003 8:34:50 PM

#:10 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ThreadCreationTime : 8-7-2004 6:41:47 PM
BasePriority : Normal
FileSize : 944 KB
FileVersion : 4, 0, 0, 29
ProductVersion : 4, 0, 0, 29
Copyright : Copyright (C) 2003 Ahead Software and its licensors
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
OriginalFilename : InCD.exe
ProductName : InCD
Created on : 2/7/2004 3:17:12 AM
Last accessed : 8/7/2004 6:41:39 PM
Last modified : 4/30/2003 7:36:56 PM

#:11 [sychost.exe]
FilePath : C:\WINDOWS\System32\helpefa\
ThreadCreationTime : 8-7-2004 6:41:47 PM
BasePriority : Normal
FileSize : 21 KB
Created on : 7/31/2004 6:42:08 AM
Last accessed : 8/7/2004 6:41:39 PM
Last modified : 8/2/2004 1:36:09 AM

#:12 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 8-7-2004 6:41:47 PM
BasePriority : Normal
FileSize : 31 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 8/7/2004 6:41:47 PM
Last modified : 8/23/2001 12:00:00 PM

#:13 [spysweeper.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ThreadCreationTime : 8-7-2004 6:41:47 PM
BasePriority : Normal
FileSize : 649 KB
FileVersion : 2.6.1.45
ProductVersion : 1.0.0.0
Copyright : Copyright (c) 2001-2003 Webroot Software, Inc.
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper
ProductName : Spy Sweeper
Created on : 8/5/2004 8:10:26 PM
Last accessed : 8/7/2004 6:41:39 PM
Last modified : 2/25/2004 4:48:26 PM

#:14 [incdsrv.exe]
FilePath : C:\Program Files\Ahead\InCD\
ThreadCreationTime : 8-7-2004 6:41:50 PM
BasePriority : Normal
FileSize : 656 KB
Created on : 2/7/2004 3:17:13 AM
Last accessed : 8/7/2004 6:29:01 PM
Last modified : 4/30/2003 7:36:32 PM

#:15 [navapsvc.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton AntiVirus\
ThreadCreationTime : 8-7-2004 6:41:50 PM
BasePriority : Normal
FileSize : 113 KB
FileVersion : 8.07.17
ProductVersion : 8.07.17
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 9/10/2003 2:40:51 PM
Last accessed : 8/7/2004 6:19:34 PM
Last modified : 2/27/2002 4:29:26 PM

#:16 [nopdb.exe]
FilePath : C:\PROGRA~1\NORTON~1\SPEEDD~1\
ThreadCreationTime : 8-7-2004 6:41:54 PM
BasePriority : Normal
FileSize : 168 KB
FileVersion : 6.03.0.36
ProductVersion : 6.03.0.36
Copyright : Copyright (C) 2002
CompanyName : Symantec Corporation
FileDescription : NOPDB
InternalName : NOPDB
OriginalFilename : NOPDB.dll
ProductName : Norton Speed Disk
Created on : 9/10/2003 2:41:05 PM
Last accessed : 8/7/2004 6:35:54 PM
Last modified : 1/30/2002 11:00:00 AM

#:17 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 8-7-2004 6:47:31 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 9/10/2003 6:07:19 AM
Last accessed : 8/7/2004 6:47:33 PM
Last modified : 8/29/2002 10:41:26 AM

#:18 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 8-7-2004 6:52:53 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 9/10/2003 3:16:58 PM
Last accessed : 8/7/2004 6:45:00 PM
Last modified : 7/13/2003 3:00:20 AM

Anti-SpyWare: AdAware 6, Spy Sweeper, HijackThis
Anti-Virus: Norton
Browser: IE 6.0
Firewall: Linksys router/WinXP firewall
OS: WinXP


© Copyright 1998-2004 Newbie dot Org -- All rights reserved --


