
Solved: A Nasty Attack

Discussion in 'Virus & Other Malware Removal' started by rstoddard, Aug 5, 2006.

  1. rstoddard

    rstoddard Thread Starter

    Joined:
    Mar 23, 2004
    Messages:
    198
    I've heard of these, but this is my first personal experience with one. Something has hijacked my e-mail and is trying to send those "phishing" messages. You know, the ones that say that the bank needs info to update your account or some dictator in Africa has died and needs a place for his money? Well, I don't use Outlook (I use an external mail service provided by my IP), so the mail is going nowhere. The problem is that my virus program tries to scan each and every piece of mail. Both Norton (which I uninstalled) and Panda (which I tried in order to solve this problem -- no luck) become confused. The result is that my system is slowed down and Panda indicates that protection is at a low level and I should re-boot. So, I do, and the same thing happens again. I've tried contacting Panda technical support on this, but my messages come back as undeliverable. So, here I am at good old reliable Tech Support Guy Forums. This might go beyond just Panda. Attached is a HijackThis log. Any suggestions, anyone? Thanks in advance for your help. ;)
     

    Attached Files:

  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

    At the end of the fix, you may need to restart your computer again.

    Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.
     
  3. rstoddard

    rstoddard Thread Starter

    Joined:
    Mar 23, 2004
    Messages:
    198
    O.K., here they are. I got a message from Panda while the fix was running. It may have blocked part of it.
     

    Attached Files:

  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    * Click here to download KillBox.

    Save it to your desktop.
    DO NOT run it yet.

    * Click here to download Webroot SpySweeper.

    (It's a 2 week trial.)

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.

    Also post (not attach) a new Hijack This log.
     
  5. rstoddard

    rstoddard Thread Starter

    Joined:
    Mar 23, 2004
    Messages:
    198
    Problem: When I click on the SpySweeper link, I get the message "document contains no data." I've also tried going directly to Webroot's website. I click on the free trial link there, and I get the same message. Also tried through Downloads.com and Google. Same message. Must be the same link. I have an old setup file for SpySweeper, but when I install it, it indicates that the time has expired and it won't work. So, I click on "buy now," and it says, "the document contains no data." Again, must be the same link. Maybe it's only temporary? Is there any other way to get this program? Thanks again for your efforts.
     
  6. rstoddard

    rstoddard Thread Starter

    Joined:
    Mar 23, 2004
    Messages:
    198
    O.K., update: I located an even older version (2005) of SpySweeper in my program set-up files. It installed fine, but I cannot update the definitions. It cannot connect to the server; obviously, there is something wrong at Webroot. I will try again later. Of course, I DO need to update the definitions, right?
     
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    If it needs to be run without the latest definitions, that's fine.
     
  8. rstoddard

    rstoddard Thread Starter

    Joined:
    Mar 23, 2004
    Messages:
    198
    O.K. I don't know what's with Webroot. Every page on their website "contains no data." I even tried calling them, and all I get is put on hold with some nice jazz music playing. I really would like to purchase Spysweeper, but I guess I'm out of luck. Anyway, I did a sweep with the old program, which did finally update the latest definitions (I think). However, it does not have some of the preferences that you asked to be checked. It does not have "sweep cookies," "enable direct disk sweeping," "sweep contents of compressed files," nor "sweep for rootkits."

    So, here is the session log:

    08:15 AM: |··· Start of Session, Sunday, August 06, 2006 ···|
    08:15 AM: Spy Sweeper 3.2.0 (Build 147) started
    08:16 AM: Updating spyware definitions
    08:16 AM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
    08:22 AM: Updating spyware definitions
    08:23 AM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
    08:27 AM: Processing Startup Alerts
    08:27 AM: 08:44 AM: |··· Start of Session, Sunday, August 06, 2006 ···|
    08:44 AM: Spy Sweeper 3.2.0 (Build 147) started
    09:15 AM: Your spyware definitions have been updated.
    02:35 PM: |··· End of Session, Sunday, August 06, 2006 ···|
    02:39 PM: |··· Start of Session, Sunday, August 06, 2006 ···|
    02:39 PM: Spy Sweeper 3.2.0 (Build 147) started
    12:01 AM: 12:03 AM: |··· Start of Session, Monday, August 07, 2006 ···|
    12:03 AM: Spy Sweeper 3.2.0 (Build 147) started
    12:06 AM: 12:08 AM: |··· Start of Session, Monday, August 07, 2006 ···|
    12:08 AM: Spy Sweeper 3.2.0 (Build 147) started
    12:14 AM: 10:00 AM: |··· Start of Session, Monday, August 07, 2006 ···|
    10:00 AM: Spy Sweeper 3.2.0 (Build 147) started
    10:24 AM: Sweep initiated using definitions version 734
    10:24 AM: Sweeping memory for active spyware.
    10:24 AM: Memory sweep has completed. Elapsed time 00:00:08
    10:24 AM: Registry sweep initiated.
    10:24 AM: Found: 1 Trojan-Backdoor-Adagoe registry traces.
    10:25 AM: Found: 12 Trojan-Downloader-Zlob registry traces.
    10:25 AM: Registry sweep completed. Elapsed time 00:01:12
    10:25 AM: Full sweep on all local drives initiated.
    10:25 AM: Now sweeping drive C:
    10:26 AM: Found Cookie: 123count Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: WebSponsors Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: About Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: AdProfile Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: Tacoda Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: Ask Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: Atlas DMT Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: Commerce Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: CoolSavings Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: Customer Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: Overture Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: 2o7.net Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: go2net.com Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: About Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: HomeStore Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: hypertracker.com Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: InfoSpace Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: 2o7.net Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: 2o7.net Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: MyGeek Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: Nextag Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: Pricegrabber Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: Reunion Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: CoolSavings Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: 2o7.net Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: TvGuide Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: Tacoda Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: Trb.com Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: TvGuide Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: Web-Stat Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: BurstNet Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: Redzip Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: RxGenericDrugs Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:26 AM: Found Cookie: UpSpiral Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:26 AM: Found Cookie: TenDollars Cookie, version 1, c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:37 AM: Found Adware: Kill & Clean Scanner and Monitor, version 1, c:\windows\system32\{b3656ef8-dc8d-421c-a158-ed56298d82a4}.exe
    10:37 AM: Found: 36 file traces.
    10:37 AM: Full Sweep has completed. Elapsed time 00:14:15
    59,379 files swept
    49 spyware traces located
    10:45 AM: Removal process initiated
    10:45 AM: Quarantining: 123count Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: About Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: AdProfile Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: Ask Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: BurstNet Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: Commerce Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: Customer Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: go2net.com Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: HomeStore Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: InfoSpace Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: MyGeek Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: Pricegrabber Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: Redzip Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: Reunion Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: RxGenericDrugs Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: Trb.com Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: TvGuide Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: UpSpiral Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected]al[1].txt
    10:45 AM: Quarantining: Web-Stat Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: WebSponsors Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: Nextag Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: hypertracker.com Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: TenDollars Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: Tacoda Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][2].txt
    10:45 AM: Quarantining: Overture Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: CoolSavings Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: Trojan-Backdoor-Adagoe
    10:45 AM: Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run||winmedia
    10:45 AM: Quarantining: Atlas DMT Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: 2o7.net Cookie
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Cookie: c:\documents and settings\hp_administrator\cookies\[email protected][1].txt
    10:45 AM: Quarantining: Kill & Clean Scanner and Monitor
    10:45 AM: File: c:\windows\system32\{b3656ef8-dc8d-421c-a158-ed56298d82a4}.exe
    10:45 AM: Quarantining: Trojan-Downloader-Zlob
    10:45 AM: Registry: HKEY_CLASSES_ROOT\media-codec.chl
    10:45 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\media-codec.chl
    10:45 AM: Registry: HKEY_CLASSES_ROOT\vsenchancer.chl
    10:45 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\vsenchancer.chl
    10:45 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\vsenchancer.chl\clsid
    10:45 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\vsenchancer.chl\clsid||(-default-)
    10:45 AM: Registry: HKEY_CLASSES_ROOT\vsenchancer.chl\clsid
    10:45 AM: Registry: HKEY_CLASSES_ROOT\vsenchancer.chl\clsid||(-default-)
    10:45 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\media-codec.chl\clsid
    10:45 AM: Registry: HKEY_LOCAL_MACHINE\software\classes\media-codec.chl\clsid||(-default-)
    10:45 AM: Registry: HKEY_CLASSES_ROOT\media-codec.chl\clsid
    10:45 AM: Registry: HKEY_CLASSES_ROOT\media-codec.chl\clsid||(-default-)
    10:45 AM: Cleaning Traces
    10:45 AM: Removing registry: HKEY_CLASSES_ROOT\vsenchancer.chl\clsid
    10:45 AM: Removing registry: HKEY_CLASSES_ROOT\vsenchancer.chl
    10:45 AM: Removing registry: HKEY_CLASSES_ROOT\media-codec.chl\clsid
    10:45 AM: Removing registry: HKEY_CLASSES_ROOT\media-codec.chl
    10:45 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\vsenchancer.chl\clsid
    10:45 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\vsenchancer.chl
    10:45 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\media-codec.chl\clsid
    10:45 AM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\media-codec.chl
    10:45 AM: Removing registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run|| (winmedia)
    10:45 AM: Removing file: c:\windows\system32\{b3656ef8-dc8d-421c-a158-ed56298d82a4}.exe
    10:45 AM: Removal process completed. Elapsed time 00:00:01
    31 items (49 traces) quarantined.


    And, here is the latest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:47:43 AM, on 8/7/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\ALCWZRD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Documents and Settings\HP_Administrator\Desktop\Security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masslive.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masslive.com
    R3 - Default URLSearchHook is missing
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {AD34AA71-F36B-6160-7CE6-4BD40C5CB10D} - C:\WINDOWS\wqjte1.dll (file missing)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Winsvr] C:\WINDOWS\f41.exe5120.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: Memorex Autorun.lnk = F:\autorun.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://www.comcastsupport.com/sdccommon/download/ssrc.cab
    O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://www.comcastsupport.com/sdccommon/download/sprtctlln.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1452/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AB6E7B0-FD5A-49EE-8289-4767CDF7D530}: NameServer = 85.255.115.28,85.255.112.196
    O17 - HKLM\System\CCS\Services\Tcpip\..\{24C35E9D-43DE-47B3-8C8D-C6AC403DF807}: NameServer = 85.255.115.28,85.255.112.196
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F29BC04F-FAAD-46E9-BC39-5B3AB5B565D8}: NameServer = 85.255.115.28,85.255.112.196
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.28 85.255.112.196
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AB6E7B0-FD5A-49EE-8289-4767CDF7D530}: NameServer = 85.255.115.28,85.255.112.196
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.28 85.255.112.196
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
    O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
    O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
    O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
    O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    I hope this suffices. I don't know why I can't get through to Webroot. I'll keep trying. Thanks for your help!
     
  9. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {AD34AA71-F36B-6160-7CE6-4BD40C5CB10D} - C:\WINDOWS\wqjte1.dll (file missing)

    O4 - HKCU\..\Run: [Winsvr] C:\WINDOWS\f41.exe5120.exe

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab

    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AB6E7B0-FD5A-49EE-8289-4767CDF7D530}: NameServer = 85.255.115.28,85.255.112.196

    O17 - HKLM\System\CCS\Services\Tcpip\..\{24C35E9D-43DE-47B3-8C8D-C6AC403DF807}: NameServer = 85.255.115.28,85.255.112.196

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F29BC04F-FAAD-46E9-BC39-5B3AB5B565D8}: NameServer = 85.255.115.28,85.255.112.196

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.28 85.255.112.196

    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AB6E7B0-FD5A-49EE-8289-4767CDF7D530}: NameServer = 85.255.115.28,85.255.112.196


    Close Hijack This.

    * Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

    Double-click the Network Connections icon
    Right-click the Local Area Connection icon and select Properties.
    Highlight Internet Protocol (TCP/IP) and click the Properties button.
    Be sure Obtain DNS server address automatically is selected.
    OK your way out.

    * Go to Start > Run and type in cmd
    Click OK.
    This will open a command prompt.
    Type or copy and paste the following line in the command window:

    ipconfig /flushdns

    Hit Enter.
    Exit the command window.

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


      C:\WINDOWS\f41.exe5120.exe

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Post a new Hijack This log.
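    Added example, not from the thread or from HijackThis: a small Python check that applies the two tests Cheeseball81 made by eye above to sample log lines taken from this thread. It flags O17 static NameServer entries that are not in a trusted resolver set (accepting both the comma-separated and the space-separated lists that appear in the log) and O4 Run entries whose file name embeds a second ".exe", like the Winsvr entry. The 192.168.1.1 resolver and the all-zero interface GUID are constructed placeholders.

```python
"""Audit HijackThis-style log lines for hijacked DNS settings and odd Run entries."""
import re
from dataclasses import dataclass

# Entry shapes as HijackThis 1.99.1 prints them:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4,5.6.7.8
#   O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /switch
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# An unquoted image path runs up to the first ".exe" that is followed by whitespace or the end
# of the line, so "f41.exe5120.exe" stays whole instead of being cut at the inner ".exe".
EXE_RE = re.compile(r"^(.+?\.exe)(?=\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section that produced the finding: "O17" or "O4"
    line: str      # the log line that triggered it
    reason: str


def parse_nameservers(value):
    """Split a NameServer value on commas and/or whitespace; the log shows both separators."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if IPV4_RE.match(tok)]


def extract_image_path(cmd):
    """Return the executable path from a Run value, handling quoted paths and trailing switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def audit_hjt_log(text, trusted_dns):
    """Flag static NameServer entries outside trusted_dns and Run entries with a doubled .exe."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O17_RE.match(line):
            for ip in parse_nameservers(m.group("servers")):
                if ip not in trusted_dns:
                    findings.append(Finding("O17", line, f"static NameServer {ip} is not a trusted resolver"))
        elif m := O4_RE.match(line):
            file_name = extract_image_path(m.group("cmd")).rsplit("\\", 1)[-1]
            if file_name.lower().count(".exe") > 1:
                findings.append(Finding("O4", line, f"'{file_name}' embeds .exe inside the file name"))
    return findings


# Constructed sample: the O17 and O4 lines flagged in this thread, two benign Run entries from
# the same log, and one interface pointing at a trusted resolver (192.168.1.1 and the all-zero
# GUID are made-up placeholders, not values from the thread).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Winsvr] C:\WINDOWS\f41.exe5120.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AB6E7B0-FD5A-49EE-8289-4767CDF7D530}: NameServer = 85.255.115.28,85.255.112.196
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.28 85.255.112.196
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""
TRUSTED_DNS = frozenset({"192.168.1.1"})


def demo():
    """Run the audit over the sample and print each finding with the line that caused it."""
    findings = audit_hjt_log(SAMPLE_LOG, TRUSTED_DNS)
    for f in findings:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    return findings


if __name__ == "__main__":
    demo()
```

    A machine whose adapter is set to obtain DNS automatically should produce no O17 lines at all, so any static NameServer that survives the fix above is worth a second look.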
     
  10. rstoddard

    rstoddard Thread Starter

    Joined:
    Mar 23, 2004
    Messages:
    198
    O.K., here's the latest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:36:00 PM, on 8/7/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\ALCWZRD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Documents and Settings\HP_Administrator\Desktop\Security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masslive.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masslive.com
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: Memorex Autorun.lnk = F:\autorun.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://www.comcastsupport.com/sdccommon/download/ssrc.cab
    O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://www.comcastsupport.com/sdccommon/download/sprtctlln.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154979291375
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: avldr - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    (You'll notice that I nixed Panda and reinstalled my old programs: AVG and Zone Alarm. It was blocking too many of my applications.)

    How's it look now? (The system seems to be running much quicker now.:) )
     
  11. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Looks good (y)

    Now turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer.

    Turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    You can mark your thread "Solved" from the Thread Tools drop down menu.
     
  12. rstoddard

    rstoddard Thread Starter

    Joined:
    Mar 23, 2004
    Messages:
    198
    All would be well, BUT...AVG indicates these two nasties still present:

    C:\WINDOWS\f41.exe3072.exe
    and
    C:\WINDOWS\hp3.exe3072.exe

    Both identified as Trojan horse Downloader.Generic2.FAG

    Furthermore, AVG seems only to be able to identify them, not remove or heal them. I know that sometimes these things are embedded and you need to go in and delete them manually, but I can't even find them on my computer. Here's another HijackThis scan to be sure:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:36:28 PM, on 8/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\ALCWZRD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\HP_Administrator\Desktop\Security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masslive.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masslive.com
    R3 - Default URLSearchHook is missing
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {AD34AA71-F36B-6160-7CE6-4BD40C5CB10D} - C:\WINDOWS\wqjte1.dll (file missing)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: Memorex Autorun.lnk = F:\autorun.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://www.comcastsupport.com/sdccommon/download/ssrc.cab
    O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://www.comcastsupport.com/sdccommon/download/sprtctlln.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154979291375
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: avldr - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    What do you think? Is AVG hallucinating?
     
  13. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    * Go here and do the BitDefender online virus scan.
    • Click "I Agree" to agree to the EULA.
    • Allow the ActiveX control to install when prompted.
    • Click "Click here to scan" to begin the scan.
    • Please refrain from using the computer until the scan is finished.
    • When the scan is finished, click on "Click here to export the scan results"
    • Save the report to your desktop then come back here and attach it to your next reply along with a new Hijack This log.
     
  14. rstoddard

    rstoddard Thread Starter

    Joined:
    Mar 23, 2004
    Messages:
    198
    O.K., attached is the BitDefender file. As you can see, there is still an infection. Below is the latest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:32:52 PM, on 8/9/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\ALCWZRD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Documents and Settings\HP_Administrator\Desktop\Security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masslive.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.masslive.com
    R3 - Default URLSearchHook is missing
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {AD34AA71-F36B-6160-7CE6-4BD40C5CB10D} - C:\WINDOWS\wqjte1.dll (file missing)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: Memorex Autorun.lnk = F:\autorun.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
    O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://www.comcastsupport.com/sdccommon/download/ssrc.cab
    O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://www.comcastsupport.com/sdccommon/download/sprtctlln.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154979291375
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: avldr - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    I had to save the BitDefender report as a text file to attach it. The website wouldn't allow the HTML it was originally saved as. I hope that this is o.k.
     

    Attached Files:

  15. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    The Hijack This log is hard to read.
    Please rescan with Hijack This.
    When the log opens in Notepad, go to Format and select Wordwrap.
    Then copy and paste the log here.
     
Short URL to this thread: https://techguy.org/489592