asd.cpy.cll keeps coming back!!!

I know I've got some sort of spyware/hijack going on...

the file c:\windows\syste32\asd.cpy.dll keeps on coming back, no matter what I do. I ran startuplist.exe and got the following:


StartupList report, 4/29/2004, 3:10:48 AM
StartupList version: 1.52
Started from : C:\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using verbose mode
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\StartupList.exe

This lists all processes running in memory, which are all active
programs and some non-exe system components.

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

These are Windows NT/2000/XP specific startup locations. They
execute when the user logs on to his workstation.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

This Registry value determines how Windows runs files (in this case
.SCR files). If this file is executable, it should read "%1" %*.
("%1" /S for screensavers, .SCR files.) If it needs to be opened
with some other program, it should read program.exe "%1" %*.
File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR.
File types that are not executable are types like .DOC, .LNK, .BMP,
.JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

Programs listed here are components of the Windows Setup that were
only ran when Windows started for the first time. To prevent them
from running multiple times, Windows checks for a key with the same
name at the HKCU root. If it's not found, the component at the HKLM
root is ran, and a matching key is created at the HKCU root so the
component is not ran again next time. Most entries involve either
RUNDLL.EXE or RUNDLL32.EXE, so a suspicious key is not hard to find.

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=hplun.dll

These two entries in WIN.INI are leftover from Windows 3.x, which
used them as values denoting programs that should be started up
with Windows. Since Windows 95 and higher uses the Registry to
store locations of autostart folders, these two entries in WIN.INI
are redundant, and are rarely used.

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\SHARKV~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

The Shell key from SYSTEM.INI tells Windows what file handles
the Windows shell, i.e. creates the taskbar, desktop icons etc. If
programs are added to this line, they are all ran at startup.
The SCRNSAVE.EXE line tells Windows what is the default screensaver
file. This is also a leftover from Windows 3.x and should not be used.
(Since Windows 95 and higher stores this setting in the Registry.)
The 'drivers' line loads non-standard DLLs or programs.

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

Due to a bug in Windows 9x, it mistakenly uses C:\Explorer.exe and
other instances (if present) when searching for Explorer.exe.
Explorer.exe should only exists in the Windows folder.
Windows NT is vulnerable to this as well, but only if the
'Shell' Registry value from the previous section
is just 'Explorer.exe' instead of the full path.
Additionally, presence of \WINDOWS\Explorer\Explorer.exe indicates
infection with the W32@Trojan.Dlder virus.

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: *Registry value not found*
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

Some file extensions are always hidden, like .lnk (shortcut) and
.pif (shortcut to MS-DOS program). The Life_Stages virus was a .shs
(Shell Scrap) file that had the extension hidden by default. This can
be a security risk when a virus with a double-extension filename is
on the loose, since the extension can be hidden even when 'Don't show
extensions for known filetypes' is turned off.
The shortcut overlay acts as a reminder that the file is just a shortcut.
If the shortcut overlay is removed, the difference between a file and
a shortcut is invisible.

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec Drmc.job
Symantec NetDetect.job

The Windows Task Scheduler can run programs at a certain time,
automatically. Though very unlikely, this can be exploited by
making a job that runs a virus or trojan.

--------------------------------------------------

Enumerating Download Program Files:

[ICSScannerLight Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ICSScannerLight.dll
CODEBASE = http://download.zonelabs.com/bin/free/cm/ICSCM.cab

The items in Download Program Files are programs you downloaded and
automatically installed themselves in MSIE. Most of these are Java
classes Media Player codecs and the likes. Some items are only
visible from the Registry and may not show up in the folder.

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
InteractiveLogon: C:\WINDOWS\System32\Fast.exe -service (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LicCtrl Service: C:\WINDOWS\runservice.exe (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Message Queuing: C:\WINDOWS\System32\mqsvc.exe (autostart)
Message Queuing Triggers: C:\WINDOWS\System32\mqtgsvc.exe (autostart)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe" (autostart)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Password: %SystemRoot%\System32\PwdServ.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVScan: C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Speed Disk service: C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)
SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (autostart)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)


Windows NT4/2000/XP launches several dozen of 'services' when
your system starts that range in importance from system-
critical (like RPCSS) to redundant (Remote Registry Editor),
or even dangerous (Universal Plug & Play). Though very little
malicious programs use this type of startup, it is included here
for completeness.
Windows 9x/ME launches system-critical files in a similar way
at system startup, but unlike Windows NT services, the Windows 9x
VxD services are all important, and much less in number. Practically
the only non-Microsoft programs starting from here are software firewalls.

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
CDBurn: *Registry key not found*

This Registry key lists several system components are loaded at
system startup. Not much is known about this key since it is
virtually undocumented and only used by programs like the Volume
Control, IE Webcheck and Power Management icons. However, a
virus/trojan in the form of a DLL can also load from this key.
The Hitcap trojan is an example of this.

--------------------------------------------------
End of report, 16,558 bytes
Report generated in 0.172 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


any help with this would be greatly appreciated

 

Hi adamsapl,

Download, unzip and run Kill2Me http://www.spywareinfoforum.com/~merijn/files/kill2me.zip
form http://www.spywareinfoforum.com/~merijn/downloads.html

Then reboot and post your HijackThis log as described here:
https://www.wilderssecurity.com/showthread.php?t=15913

Regards,

Pieter

 

Hijack this log

Thanks for the help, logging into my local account is fast like it used to be, and no more asd.cpy.dll error anymore.

I downloaded and ran the kill2me program, it successfully removed what it set out to.

I then ran pest patrol, and it showed a few cookies, nothing serious.

Followed by running Ad-Aware and it showed clean system.

The following is my Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 1:07:38 PM, on 4/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\hij\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = nov
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-40971 (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-205 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-40970 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-40971 (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-205 (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-40970 (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

 

Re: Hijack this log

Hi adamsapl,

Good job.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 ieautosearch

And read https://www.wilderssecurity.com/showthread.php?t=27971 for some tips to stay out of trouble.

Regards,

Pieter