7 replies to this topic

[GorillaBob]

Wife's computer has been HiJacked. Typing in a URL for www.nasa.gov brings up a strange search engine or a porn search engine. Scans with spy ware programs shows no inffections. Log file here:

Logfile of HijackThis v1.99.1
Scan saved at 8:23:34 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\DOCUME~1\Rob\LOCALS~1\trav_svc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\InterVideo\WinDVR3\SchSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\Rob\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [pipl_detect] C:\DOCUME~1\Rob\LOCALS~1\trav_svc.exe h:\JD Traveler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR3\SchSvr.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - http://www.solidwork...cfm?Release=rel
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-36.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144035856796
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds...ransferCtrl.cab
O16 - DPF: {9294206B-A9B2-4F73-938E-89F694F48101} - http://xlonhcld.xlon...4/ldsdlprod.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...4.10/ttinst.cab
O16 - DPF: {D09BB98E-E1BE-11D5-9F7A-0090F50400FE} (WebTrackInsNP.docWebTrackInsNP) - http://www.mediatech...bTrackInsNP.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09F5BD84-293F-461D-B07D-D30CB2FAAC14}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC5AC12-A7CF-4DA1-A25D-A82FE727C724}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F84F042-2E27-42C4-974C-A01694FFAD20}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F79E204-C822-4FDB-98DA-2DBD8E19DEA8}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{6740499E-8D52-471C-89C9-911BD6FB13EF}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{B82648EA-6C65-49A8-86D8-86DFB115972A}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9966AF0-8DFA-468B-9E8A-A3738D53995C}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEA35489-350B-4DB0-AD9C-A7815300132C}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC57D8BB-AEFC-4C74-84B0-65BFA0516C1B}: NameServer = 85.255.114.102,85.255.112.83
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



[Thank You in advance for the assistance.

[IndiGenus]

Hi GorillaBob and welcome to the forums here at Tom Coyote.

First, you are running HijackThis from the desktop. I recommend that you move HJT to it's own permanent folder. I recommend that you move HJT to it's own permanent folder so any backups that HJT makes will not be accidently deleted.

Please do the following:Create a new permanent folder in a convenient location that you will remember. To do this: Open Windows Explorer.
Select the drive or folder that you would like to put HJT
From the menu select File > New > Folder
Rename the folder to something you will remember (ie HJT, HijackThis, ect...)
Now move HJT to the new folder that you created.
I recommend you print out these instructions for reference, since you will have to restart your computer during the fix.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O17 - HKLM\System\CCS\Services\Tcpip\..\{09F5BD84-293F-461D-B07D-D30CB2FAAC14}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC5AC12-A7CF-4DA1-A25D-A82FE727C724}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F84F042-2E27-42C4-974C-A01694FFAD20}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F79E204-C822-4FDB-98DA-2DBD8E19DEA8}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{6740499E-8D52-471C-89C9-911BD6FB13EF}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{B82648EA-6C65-49A8-86D8-86DFB115972A}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9966AF0-8DFA-468B-9E8A-A3738D53995C}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEA35489-350B-4DB0-AD9C-A7815300132C}: NameServer = 85.255.114.102,85.255.112.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC57D8BB-AEFC-4C74-84B0-65BFA0516C1B}: NameServer = 85.255.114.102,85.255.112.83
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)

Then close all windows except this one and press Fix checked.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

Regards,
Dave

[IndiGenus]

Are you still in need of help here? Please let me know. Thanks, Dave

[GorillaBob]

IndiGenus, Sorry for the delay in response. I was out of town due to the kids spring break and I am now back to work I will be unable to follow the instructions you have given for at least another 24 hours but I will be following them exactly. Thank you for the help and I will be getting back to you. Rob

[GorillaBob]

Dave,

Sorry for the lomg waite, here is the fix repoert:

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif" Deleted
....
»»»»» Misc files.
C:\Documents and Settings\All Users\Favorites\Download Free Spyware Remover.url Deleted
C:\Documents and Settings\All Users\Favorites\NEW VIAGRA at Half Price!.url Deleted
C:\Documents and Settings\All Users\Favorites\Online Chat With Nude Girls.url Deleted
C:\Documents and Settings\All Users\Favorites\Order CIALIS online without leaving home..url Deleted
C:\Documents and Settings\All Users\Favorites\PC protection in under 2 minutes!.url Deleted
C:\Documents and Settings\All Users\Favorites\SEX Dating - Real Girls For Real SEX.url Deleted
C:\Documents and Settings\All Users\Favorites\Stop PopUps On Your Computer.url Deleted
C:\Documents and Settings\All Users\Favorites\VIAGRA at incredible low price. Bonus Pills!.url Deleted
C:\Documents and Settings\All Users\Favorites\View ADULT photos of REAL GIRLS!.url Deleted
C:\Documents and Settings\All Users\Favorites\Online Pharmacy Deleted
C:\Documents and Settings\All Users\Favorites\Sex and Dating Deleted
C:\Documents and Settings\All Users\Favorites\Spyware Uninstall Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"CloneCDElbyCDFL"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"pipl_detect"="C:\\DOCUME~1\\Rob\\LOCALS~1\\trav_svc.exe h:\\JD Traveler"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
@=""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"Mobipocket Reader Notifications"="C:\\Program Files\\Mobipocket.com\\Mobipocket Reader\\readernotify.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»




And the HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 11:58:56 PM, on 4/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\DOCUME~1\Rob\LOCALS~1\trav_svc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\InterVideo\WinDVR3\SchSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rob\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [pipl_detect] C:\DOCUME~1\Rob\LOCALS~1\trav_svc.exe h:\JD Traveler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR3\SchSvr.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - http://www.solidwork...cfm?Release=rel
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-36.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144035856796
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds...ransferCtrl.cab
O16 - DPF: {9294206B-A9B2-4F73-938E-89F694F48101} - http://xlonhcld.xlon...4/ldsdlprod.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...4.10/ttinst.cab
O16 - DPF: {D09BB98E-E1BE-11D5-9F7A-0090F50400FE} (WebTrackInsNP.docWebTrackInsNP) - http://www.mediatech...bTrackInsNP.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Looks like just the one entry that is questionable.



Thanks For Your Assistance!

[IndiGenus]

Hi Bob, HJT log appears clean to me. What entry do you think is questionable? How are things running now? Dave

[GorillaBob]

Morning Dave,

Running much better now. Wife will be happy! Thanks again.

This is the part I was talking about but after rereading it, I realized I should have read it slower the first time!

"The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
"

[IndiGenus]

Oh no problem Bob. Ya, that's only if the Wareout tool finds any of those files obviously. Many times it doesn't.

I recommend the following to stay clean:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which may be infected anyway).

Click Start>Help and Support>Undo changes to your computer with System Restore
Select Create A Restore Point then click Next. Give it a name it and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

Use ATF Cleaner to remove temp files, cookies, cache, ect...

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main select the following:
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Spybot: Search And Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Install Ad-Aware - Ad-Aware SE You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install SpywareGuard - SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
A tutorial on installing & using this product can be found here:
Using SpywareGuard to protect your computer from Spyware and Malware

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Here is a great link to a post here on securing your PC after an attack.
http://forums.tomcoy...mp;#entry257163

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.