WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Please Help!

Started by leza , May 30 2007 09:13 PM

This topic is locked

15 replies to this topic

#1 leza

New Member

New Member
8 posts

Posted 30 May 2007 - 09:13 PM

i think i have been hijacked ,i dont even use my ie and now all of a sudden ie is popping u p at random times and if im away for more than a few minutes when i come back i have 20 plus ie pages open, they are all open to something called hotsearch or google eg, ive ran spyware programs-adaware,spybot,antivirus. and nothing has changed, can anyone please help me find out whats going on and repair it.
thankyou

Logfile of HijackThis v1.99.1
Scan saved at 11:06:13 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {2724E072-19D0-486d-A819-9D914191AE92} - C:\WINDOWS\ietools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?80760321825d47b7bdfb12cc73bbec99
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?80760321825d47b7bdfb12cc73bbec99
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by140fd.bay14...es/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: mssms - {D0772766-82AF-400A-97F9-7F4F2DCA3ADF} - C:\WINDOWS\mssms.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Advertisements

Register to Remove

#2 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 31 May 2007 - 02:59 AM

Looking over your log, back ASAP

#3 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 31 May 2007 - 03:11 AM

Hi Leza,

I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:

Perform all actions in the order given.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Stick with it till you're given the all clear.
Remember, absence of symptoms does not mean the infection is all gone.

If you can do these things, everything should go smoothly.

Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Looks like you've got a couple of infections on your computer, I'm gonna need a little more information.

Please download SmitfraudFix (by S!Ri) and extract it to your Desktop.

Now run SmitfraudFix.

- Open the SmitfraudFix folder and double-click smitfraudfix.cmd
- Select option #1 - Search by typing 1 and press Enter (a text file will appear, which lists infected files if present).
- Please copy/paste the content of that report into your next reply. (DO NOT ATTEMPT TO FIX ANYTHING AT THIS TIME)
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Download FindAWF by noahdfear and save it to your Desktop.

Double click FindAWF.exe and follow the instructions.
When the tool has finished scanning, the results will be saved as awf.txt on your Desktop.
Copy and paste them into your next reply please, along with the Smitfraudfix log.

#4 leza

New Member

New Member
8 posts

Posted 31 May 2007 - 05:44 AM

gary, this is the first you asked me to send, i tried to send awf but when i run it it seems to freeze on finding duplicate files? i let it run for more than 30 minutes and when i came back it still said finding duplicate files... am i doing something wrong? and thankyou so much for helping me. SmitFraudFix v2.189 Scan done at 7:15:38.14, Thu 05/31/2007 Run from C:\Documents and Settings\HP_Administrator\Local Settings\Temp\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe c:\Program Files\Common Files\Symantec Shared\ccProxy.exe c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe c:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AIM6\aim6.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\InterMute\SpySubtract\SpySub.exe C:\WINDOWS\system32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Administrator »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Administrator\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HP_ADM~1\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"=" " »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32-xpdt »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport DNS Server Search Order: 192.168.254.254 HKLM\SYSTEM\CCS\Services\Tcpip\..\{803F7A0B-5193-421F-A7D1-5AA62671832D}: DhcpNameServer=192.168.254.254 HKLM\SYSTEM\CS1\Services\Tcpip\..\{803F7A0B-5193-421F-A7D1-5AA62671832D}: DhcpNameServer=192.168.254.254 HKLM\SYSTEM\CS3\Services\Tcpip\..\{803F7A0B-5193-421F-A7D1-5AA62671832D}: DhcpNameServer=192.168.254.254 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End

#5 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 31 May 2007 - 08:06 AM

AWF is an infection that removes exe files from your computer and replaces them with malicious duplicates, FindAWF finds which files have been duplicated. Please run it again and let it complete its scan. There are many exe files on your computer so the scan may take some time.

#6 leza

New Member

New Member
8 posts

Posted 31 May 2007 - 10:44 AM

Find AWF report by noahdfear ©2006 bak folders found ~~~~~~~~~~~ Directory of C:\PROGRA~1\AIM6\BAK 03/23/2007 05:18 PM 50,736 aim6.exe 1 File(s) 50,736 bytes Directory of C:\PROGRA~1\MESSEN~1\BAK 0 File(s) 0 bytes Directory of C:\PROGRA~1\MSNMES~1\BAK 0 File(s) 0 bytes Directory of C:\PROGRA~1\NORTON~1\BAK 08/17/2004 06:36 PM 132,248 cfgwiz.exe 08/30/2004 10:29 PM 33,936 UrlLstCk.exe 2 File(s) 166,184 bytes Directory of C:\PROGRA~1\QUICKT~1\BAK 02/16/2007 10:54 AM 282,624 qttask.exe 1 File(s) 282,624 bytes Directory of C:\WINDOWS\EHOME\BAK 08/10/2004 02:04 PM 59,392 ehtray.exe 1 File(s) 59,392 bytes Directory of C:\WINDOWS\SYSTEM32\BAK 08/10/2004 08:00 AM 15,360 ctfmon.exe 11/01/2004 05:22 PM 262,144 ElkCtrl.exe 12/01/2004 01:55 PM 126,976 hkcmd.exe 12/09/2005 03:32 PM 225,280 LVCOMSX.EXE 4 File(s) 629,760 bytes Directory of C:\HP\DRIVERS\HPLSBW~1\BAK 10/14/2004 04:54 PM 253,952 lsburnwatcher.exe 1 File(s) 253,952 bytes Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK 08/27/2004 07:22 PM 58,488 ccApp.exe 1 File(s) 58,488 bytes Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK 02/26/2005 01:34 AM 245,760 HPBootOp.exe 1 File(s) 245,760 bytes Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK 12/07/2005 10:26 AM 489,472 CameraAssistant.exe 12/07/2005 10:33 AM 73,728 InstallHelper.exe 2 File(s) 563,200 bytes Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK 04/28/2005 10:13 AM 180,269 realsched.exe 1 File(s) 180,269 bytes Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK 11/03/2004 02:59 AM 218,240 UsrPrmpt.exe 1 File(s) 218,240 bytes Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK 04/13/2007 03:46 PM 171,448 GoogleToolbarNotifier.exe 1 File(s) 171,448 bytes Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ 50736 Apr 27 2007 "C:\Program Files\AIM6\aim6.exe" 50736 Mar 23 2007 "C:\Program Files\AIM6\bak\aim6.exe" 37669 May 9 2007 "C:\Program Files\Norton Internet Security\cfgwiz.exe" 132248 Aug 17 2004 "C:\Program Files\Norton Internet Security\bak\cfgwiz.exe" 132248 Aug 17 2004 "C:\Program Files\Norton Internet Security\Norton AntiVirus\CfgWiz.exe" 37669 May 9 2007 "C:\Program Files\Norton Internet Security\UrlLstCk.exe" 33936 Aug 30 2004 "C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe" 37669 May 9 2007 "C:\Program Files\QuickTime\qttask.exe" 282624 Feb 16 2007 "C:\Program Files\QuickTime\bak\qttask.exe" 59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe" 59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe" 15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe" 15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe" 37669 May 9 2007 "C:\WINDOWS\system32\ElkCtrl.exe" 262144 Nov 1 2004 "C:\WINDOWS\system32\bak\ElkCtrl.exe" 37669 May 9 2007 "C:\WINDOWS\system32\hkcmd.exe" 126976 Dec 1 2004 "C:\hp\drivers\video_Intel\hkcmd.exe" 126976 Dec 1 2004 "C:\WINDOWS\system32\bak\hkcmd.exe" 126976 Dec 1 2004 "C:\WINDOWS\system32\ReinstallBackups01\DriverFiles\hkcmd.exe" 37669 May 9 2007 "C:\WINDOWS\system32\LVCOMSX.EXE" 225280 Dec 9 2005 "C:\WINDOWS\system32\bak\LVCOMSX.EXE" 37669 May 9 2007 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" 253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe" 37669 May 9 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" 58488 Aug 27 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" 37669 May 9 2007 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" 245760 Feb 26 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe" 37669 May 9 2007 "C:\Program Files\Logitech\Video\CameraAssistant.exe" 489472 Dec 7 2005 "C:\Program Files\Logitech\Video\bak\CameraAssistant.exe" 1204224 Jan 14 2005 "C:\WINDOWS\SMINST\INSTALL_APP.EXE" 18895728 Apr 13 2007 "C:\Documents and Settings\HP_Administrator\Desktop\Install_Messenger.exe" 37669 May 9 2007 "C:\Program Files\Logitech\Video\InstallHelper.exe" 36864 Apr 20 2004 "C:\Program Files\Online Services\EarthLink\InstallEarthLink.exe" 73728 Dec 7 2005 "C:\Program Files\Logitech\Video\bak\InstallHelper.exe" 180224 Mar 10 2005 "C:\Program Files\Online Services\US_InstallAOL\BB_BYOA\InstallAol.exe" 180224 Mar 10 2005 "C:\Program Files\Online Services\US_InstallAOL\Dial-up\InstallAol.exe" 180224 Mar 10 2005 "C:\Program Files\Online Services\US_InstallAOL\Latino\InstallAol.exe" 180224 Mar 10 2005 "C:\Program Files\Online Services\US_InstallAOL\SMB\InstallAol.exe" 24576 Jul 20 2004 "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\InstallUtil.exe" 15872 Feb 21 2003 "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe" 66670706 Aug 26 2005 "C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Directory 1 for ReasonDemo_304_pc.zip\Install Reason Demo.exe" 18895728 Apr 13 2007 "C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE59MFCXYZ\Install_Messenger[1].exe" 8192 Apr 24 2007 "C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\FOXDVSGG\installprivacyprotectorfree[1].exe" 37669 May 9 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" 180269 Apr 28 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" 37669 May 9 2007 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" 218240 Nov 3 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe" 52272 Apr 13 2007 "C:\Program Files\Google\googletoolbar2user.exe" 138168 Apr 13 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" 37669 May 9 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" 171448 Apr 13 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe" end of report

#7 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 31 May 2007 - 11:43 AM

Thanks Leza, Got to manually compose a fix for the AWF infection, so might be a few hours before I get back to you.

#8 leza

New Member

New Member
8 posts

Posted 31 May 2007 - 11:52 AM

thankyou so much gary, i will check back tonight when i get home from work. Leza

#9 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 31 May 2007 - 12:38 PM

Hi Leza,

Seems I was wrong about the Smitfraud.

OK, lets get started.

Run a scan with HJT, and when finished check the following entries (if found).

O2 - BHO: MSVPS System - {2724E072-19D0-486d-A819-9D914191AE92} - C:\WINDOWS\ietools.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe

O20 - AppInit_DLLs:

O21 - SSODL: mssms - {D0772766-82AF-400A-97F9-7F4F2DCA3ADF} - C:\WINDOWS\mssms.dll

Close all open windows and click Fix Checked to remove them.

Download Pocket Killbox and install it to your Desktop. Do not run it yet.

First copy the filepaths in the box below to your clipboard, by highlighting them and pressing Ctrl+C.

C:\WINDOWS\ietools.dll
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\mssms.dll

Open Killbox and check a mark in the "RadioBox" which says Delete On Reboot
Click File > Paste from Clipboard.
Click All Files button.
Click on the Red button with a Cross, and answer Yes when prompted to Backup and Delete the pasted files.
Answer Yes when prompted to Reboot now.

Click Start > Run type Notepad click OK.
This will open an empty Notepad file.
Copy/Paste the contents of the box below into Notepad.

@echo off

if exist  "C:\Program Files\AIM6\aim6.exe" del /q  "C:\Program Files\AIM6\aim6.exe"
copy /y  "C:\Program Files\AIM6\bak\aim6.exe" "C:\Program Files\AIM6\aim6.exe"

if exist "C:\Program Files\Norton Internet Security\cfgwiz.exe" del /q "C:\Program Files\Norton Internet Security\cfgwiz.exe"
copy /y "C:\Program Files\Norton Internet Security\bak\cfgwiz.exe" "C:\Program Files\Norton Internet Security\cfgwiz.exe"

if exist "C:\Program Files\Norton Internet Security\UrlLstCk.exe" del /q "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
copy /y "C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe" "C:\Program Files\Norton Internet Security\UrlLstCk.exe"

if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"

if exist "C:\WINDOWS\ehome\ehtray.exe" del /q "C:\WINDOWS\ehome\ehtray.exe" 
copy /y "C:\WINDOWS\ehome\bak\ehtray.exe" "C:\WINDOWS\ehome\ehtray.exe"

if exist "C:\WINDOWS\system32\ctfmon.exe" del /q "C:\WINDOWS\system32\ctfmon.exe" 
copy /y "C:\WINDOWS\system32\bak\ctfmon.exe" "C:\WINDOWS\system32\ctfmon.exe"

if exist "C:\WINDOWS\system32\ElkCtrl.exe" del /q "C:\WINDOWS\system32\ElkCtrl.exe" 
copy /y "C:\WINDOWS\system32\bak\ElkCtrl.exe" "C:\WINDOWS\system32\ElkCtrl.exe"

if exist "C:\WINDOWS\system32\hkcmd.exe" del /q "C:\WINDOWS\system32\hkcmd.exe" 
copy /y "C:\WINDOWS\system32\bak\hkcmd.exe" "C:\WINDOWS\system32\hkcmd.exe"

if exist "C:\WINDOWS\system32\LVCOMSX.EXE" del /q "C:\WINDOWS\system32\LVCOMSX.EXE" 
copy /y "C:\WINDOWS\system32\bak\LVCOMSX.EXE" "C:\WINDOWS\system32\LVCOMSX.EXE"

if exist "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" del /q "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
copy /y "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe" "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"

if exist "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" del /q "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"  
copy /y "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

if exist "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" del /q "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" 
copy /y "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe" "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"

if exist "C:\Program Files\Logitech\Video\CameraAssistant.exe" del /q "C:\Program Files\Logitech\Video\CameraAssistant.exe" 
copy /y "C:\Program Files\Logitech\Video\bak\CameraAssistant.exe" "C:\Program Files\Logitech\Video\CameraAssistant.exe"

if exist "C:\Program Files\Logitech\Video\InstallHelper.exe" del /q "C:\Program Files\Logitech\Video\InstallHelper.exe" 
copy /y "C:\Program Files\Logitech\Video\bak\InstallHelper.exe" "C:\Program Files\Logitech\Video\InstallHelper.exe"

if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" 
copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

if exist "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" del /q "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" 
copy /y "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe" "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"

if exist "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" del /q "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" 
copy /y "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe" "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"

Click Format and ensure Wordwrap is unchecked.
Save as FixAWF.bat to a place you can find it.
Save as file type All Files or it won't work.
Now double click on FixAWF.bat to run it.

Download AVG Anti-Spyware.

Install AVG Anti-Spyware.
Launch AVG by double-clicking on the icon.
The program will now open to the main screen.
You will need to update AVG to the latest definition files.
At the top of the main screen click Update.
Then in the Manual Update section, click on Start Update.

[*]The update will start and a progress bar will show the updates being installed.
[*]When updates are completed, close AVG.
[/list]If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates

Run a scan with AVG.

Click on Scanner
- Click on the Settings tab, and set the following settings.
  - How to act
  - Click on Recommended actions, and set to Quarantine.
- How to scan
  - Check all options.
- Possibly unwanted software.
  - Check all options.
- Reports
  - Check Automatically generate report after every scan.
  - Uncheck Only if threats were found.
- What to scan
  - Check Scan every file.
Click on the Scan tab.
- Click on Complete System Scan and the scan will begin.
- When the scan has finished
- Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
- At the bottom of the window click on the Apply all Actions button.

Note: Don't save the report before you hit the Apply action button.

Close AVG Anti-Spyware.

AVG will save a report in the following location C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports

Now send me the AVG report and a new HJT log please.

#10 leza

New Member

New Member
8 posts

Posted 01 June 2007 - 05:36 AM

VG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:31:54 AM 6/1/2007

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2724E072-19D0-486d-A819-9D914191AE92} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\VideoExtension -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2724E072-19D0-486d-A819-9D914191AE92} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-2676084004-2092122072-569425895-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2724E072-19D0-486D-A819-9D914191AE92} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\My Documents\My Music\_\.45 2006.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP34\A0002165.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Symantec Shared\ccApp.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\Logitech\Video\CameraAssistant.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\Logitech\Video\InstallHelper.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\Norton Internet Security\UrlLstCk.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\Norton Internet Security\cfgwiz.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\QuickTime\qttask.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP41\A0004352.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP43\A0006462.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP59\A0009163.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ElkCtrl.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\LVCOMSX.EXE -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hkcmd.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
:mozilla.155:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@3.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.146:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.147:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.148:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.149:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.150:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.151:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.31:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.32:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.33:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.34:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.35:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.61:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.185:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.186:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.187:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.188:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.189:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.50:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.51:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.52:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.53:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.54:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.55:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.56:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.57:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.58:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.59:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.60:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.194:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.62:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.81:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.82:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.84:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.85:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.86:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.87:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.71:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.72:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.73:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.74:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@search.live[2].txt -> TrackingCookie.Live : Cleaned.
:mozilla.93:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.209:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.95:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.96:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.97:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.98:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.99:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.158:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.159:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@guide.real[2].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@music.guide.real[2].txt -> TrackingCookie.Real : Cleaned.
:mozilla.79:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.80:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.191:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.192:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.193:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.195:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.179:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.180:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.181:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.182:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.183:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.184:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.124:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.125:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.126:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.127:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.128:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.18:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.19:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.20:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.21:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.25:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.26:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.27:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.28:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.29:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.94:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.22:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.23:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.24:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.205:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.206:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.207:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\kkqm6kds.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 7:35:35 AM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?80760321825d47b7bdfb12cc73bbec99
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?80760321825d47b7bdfb12cc73bbec99
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by140fd.bay14...es/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: mssms - {18A02EA6-3B2D-4D4E-AA03-8486F74E3308} - C:\WINDOWS\mssms.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Advertisements

Register to Remove

#11 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 01 June 2007 - 09:40 AM

Hi leza,

Looking better.

Looks like you missed one of the HJT entries.

Run a scan with HJT and when finished check the following entry.

O21 - SSODL: mssms - {18A02EA6-3B2D-4D4E-AA03-8486F74E3308} - C:\WINDOWS\mssms.dll (file missing)

Close all open windows and click Fix Checked to remove it.

NOW

Click Start > Run and type cleanmgr then click OK.
This will bring up the Disk Cleanup window.
Check the following entries.
- Temporary Internet Files.
- Recycle Bin.
- Temporary Files.
Click OK.
When a prompt pops up click Yes.

Because of the nature of the infection you had I'd like to do a final check.

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an Active X component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (If available otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK.
Now under select a target to scan select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post please, along with a new HJT log.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

#12 leza

New Member

New Member
8 posts

Posted 02 June 2007 - 05:14 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 02, 2007 7:11:34 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/06/2007
Kaspersky Anti-Virus database records: 336280
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 129430
Number of viruses found: 6
Number of infected objects: 21 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:40:46

Infected Object Name / Virus Name / Last Action
C:\!KillBox\lsasss.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\InterMute\SpySubtract\tmp\3 Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AOL OCP\AIM\Storage\data\phreakylezza\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\JET577C.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\1V2QIRM1\drf1178781096[1].htm Infected: Trojan-Downloader.Win32.Small.eex skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\L0000001.FCS Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP32\A0002111.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP32\A0002112.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009172.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009173.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009174.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009175.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009176.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009177.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009178.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009179.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009180.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009181.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009182.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009183.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009184.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\A0009185.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP60\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C572DF51-7421-4F72-9388-CE461EF16B96}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B34F2937-796F-4492-A5E8-494B0AFF12DA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 7:13:34 AM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?80760321825d47b7bdfb12cc73bbec99
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?80760321825d47b7bdfb12cc73bbec99
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by140fd.bay14...es/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#13 leza

New Member

New Member
8 posts

Posted 02 June 2007 - 05:14 AM

#14 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 02 June 2007 - 08:06 AM

Hi leza,

Lets use Killbox again to remove a couple of files.

First copy the filepaths in the box below to your clipboard, by highlighting them and pressing Ctrl+C.

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\1V2QIRM1\drf1178781096[1].htm
C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll

Open Killbox and check a mark in the "RadioBox" which says Delete On Reboot
Click File > Paste from Clipboard.
Click All Files button.
Click on the Red button with a Cross, and answer Yes when prompted to Backup and Delete the pasted files.
Answer Yes when prompted to Reboot now.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe. Then try Killbox again.

Any problems let me know.

Your System Restore Points are infected but provided you don't try to do a system restore you can't be re-infected by them, we'll clear them out in a minute.

NOW, provided you have no problems deleting the two files, it looks like your computer is clear of infection.

Are you still noticing any problems?. If not, it's time to secure your system to prevent against further intrusions.

THESE STEPS ARE VERY IMPORTANT

Update your Java.

Older versions have vulnerabilities that malware can and are using to infect systems.

Please follow these steps to remove older version Java components. (This is important as you can still be infected through an old Java install even if you're using the current version).

Close any programmes you may have running, ESPECIALLY your web browser
Click Start > Control Panel.
Click Add/Remove Programs.
Check any item with Java Runtime Environment (JRE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.

Download the latest version of Java Runtime Environment (JRE) 6u1, and install it to your computer.

Lets reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

Turn off System Restore.
- On the Desktop, right-click My Computer.
- Click Properties.
- Click the System Restore tab.
- Check Turn off System Restore.
- Click Apply, and then click OK.
Reboot.
Turn ON System Restore.
- On the Desktop, right-click My Computer.
- Click Properties.
- Click the System Restore tab.
- UN-Check *Turn off System Restore*.
- Click Apply, and then click OK.
NOTE: only do this ONCE, NOTon a regular basis

We need to re hide system files.

To do so, please follow the steps below:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Put a check by "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Do not show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

Updating Windows and Internet Explorer

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you're running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed. (Free at Microsoft Office Update).

Make your Internet Explorer more secure

From within Internet Explorer click on Tools > Options > Security > Internet > Custom Level.
Make sure these options are set as follows:
- Download signed ActiveX controls to Prompt
- Download unsigned ActiveX controls to Disable
- Initialize and script ActiveX controls not marked as safe to Disable
- Installation of desktop items to Prompt
- Launching programs and files in an IFRAME to Prompt
- Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Press the Apply button and then the OK to exit the Internet Properties page.

The following are free programs that are designed to keep your computer clean. A brief description is included with each item, click on name to go to download site.

Adaware SE Personal
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
Spybot S & D
Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventitive tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here
SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here
IE Spyad
It puts many bad webpages on your restricted zones LIST. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use javascripts and cookies). Use IE Spyad for single account computers, and IE Spyad 2 for multi account computers.
Hosts file:
- Every version of windows has a hosts file as part of them.
- In a very basic sense, they are used to locate webpages.
- We can customize a hosts file so that it blocks certain webpages.
- However, it can slow down certain computers.
- This is why using a hosts file is optional!!
- Make sure you read the instructions on how to install the hosts file, here.
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
- Click the start button (at the lower left hand corner of your screen)
- Click run
- In the dialog box, type services.msc
- hit enter, then locate dns client
- Highlight it, then double-click it.
- On the dropdown box, change the setting from automatic to manual.
- Click ok

Use an Anti Virus Software - It's very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a LISTing of some, on line & their stand-alone anti virus programs:
Computer Safety On line - LIST of free Anti virus programs
Use a Firewall - I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
See here to choose one.
Site Advisor This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site.

Just a final reminder for you.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Run Spybot and Adaware regularly. (Once a week minimum)
It is important that you visit http://www.windowsupdate.com regularly. This will ensure you always have the latest security updates installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Gary R

The above is a general post I give when someone's computer is clean. Obviously you have already taken care of some of the issues mentioned, but it is important that you read through them, and address any that you may have missed.

Keep secure.

Gary R

Finally, can you remove the follwing programmes from your computer. They are of no use for general Malware removal and may damage your computer if used inappropriately.

Killbox
SmitfraudFix
FindAWF
FixAWF.bat

Edited by Gary R, 02 June 2007 - 08:09 AM.

#15 leza

New Member

New Member
8 posts

Posted 02 June 2007 - 10:27 AM

things seem to be good so far, and thankyou for your help,it was greatly appreciated

Body Background

skin color theme