#1 - 05-18-2006, 10:37 AM
Registered User | Join Date: Oct 2004 | Posts: 203 | OS: Win XP

Trojan.Win32.StartPage.io

Logfile of HijackThis v1.99.1
Scan saved at 9:30:58 AM, on 5/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\jawa32.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...6.1&bm=ho_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highstream.net/members/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost;<local>
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\system32\cdsm32.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [me69N] C:\WINDOWS\Bbabc835.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [pmr] C:\Program Files\Common Files\Presentia\pmr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136832176562
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Winkpk - Unknown owner - C:\WINDOWS\System32\Winkpk.exe (file missing)
-- lindseyschlabac

#2 - 05-18-2006, 01:33 PM
Registered User | Join Date: Jan 2006 | Location: Canada | Posts: 250 | OS: Windows 98SE/XP Home, Mac OS X


Hi and welcome to TSF!

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.
-- AbstractEpiphany
#3 - 05-19-2006, 04:20 PM
Registered User | Join Date: Jan 2006 | Location: Canada | Posts: 250 | OS: Windows 98SE/XP Home, Mac OS X


Hello again lindseyschlabac, and thank you for your patience.

Before You Begin...
Please print out this page or copy it to Notepad to help you carry out the following instructions. Make sure to work through the fixes in the exact order they are mentioned below, and if there's anything that you don't understand, please ask any questions you may have before proceeding with the fix. You should not have any browsers or windows open, other than the programs mentioned in the fix, when you are following the procedures below.

View Hidden and System Files
Open My Computer. Select the View menu and click Folder Options. Select the View Tab then select Show hidden files and folders. Uncheck Hide protected operating system files (recommended), and make sure to uncheck Hide file extensions for known file types. Click OK.

Download Tools
Please download Cleanup! or use this alternate link if the main link does not work and install it. You will use this later.
NOTE: Do not run this program if you have XP Professional 64 bit edition. If you are unsure as to whether or not you have a 64 bit version of XP, please download and run this tool: http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

Download Ewido Security Suite.
  • Install Ewido Security Suite
  • When installing, under Additional Options uncheck:
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on desktop to launch Ewido
  • On the left hand side of the main screen, click Update
  • Then click on the Start Update button. The update will start and a progress bar will show the updates being installed.
  • After it has finished, close Ewido, we will use it later.
If you have problems with the updater, you can use the Ewido manual updater instead of the automatic updater.

Restart to Safe Mode
Restart your computer, and repeatedly tap the F8 key (or the appropriate key for your system) until the menu appears. Select Safe Mode from that menu.

Disable Services
  1. Go to Start -> Run. Type in services.msc and click OK
  2. Locate the Winkpk service. Double-click on it to open the properties dialogue.
  3. On the General tab:
    • Click the Stop button.
    • In the Startup Type dropdown, select Disabled
    • Write down the service name that appears next to the Service Name heading
  4. Hit Apply, and then OK.
  5. Open Hijackthis and click on Config, then go to the Misc Tools
  6. Select Delete an NT Service...
  7. In the popup box that appears, type in the service name that you wrote down earlier and click the OK button.

Uninstall Programs
Click Start -> Control Panel -> Add/Remove Programs and uninstall the following programs (if they exist):

Presentia

WildTangent - an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. Being installed without you asking for it isn't good at all. They collect information about you and your usage. We recommend uninstalling it.

Market Browser - whose End User Agreement states: “We may use third party network advertisers such as DoubleClick to deliver ads to you on our behalf. We may also use third-party service providers to contact you on our behalf, or facilitate some aspects of our Web site services or fulfill your purchase requests. These network advertisers and service providers may be supplied with or have access to your personally identifiable information solely for the purpose of providing these services to us or on our behalf. Except as specifically set forth in this Privacy Policy, we will not share your personally identifiable information outside of LMT or MarketBrowser sponsors, unless you opt in to having your personally identifiable information shared with a company that is not affiliated with us.”

Do not reboot if prompted by the uninstallers.

Fix HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\system32\cdsm32.dll
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [me69N] C:\WINDOWS\Bbabc835.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [pmr] C:\Program Files\Common Files\Presentia\pmr.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O20 - AppInit_DLLs:
O23 - Service: Winkpk - Unknown owner - C:\WINDOWS\System32\Winkpk.exe (file missing)


Please remember to close all other windows (including browsers) then click Fix checked.

Delete Files
Delete the following files and folders if they still exist.

Files:
C:\WINDOWS\system32\cdsm32.dll
C:\WINDOWS\Bbabc835.exe
C:\WINDOWS\fash.exe
C:\WINDOWS\aqadcup.exe
C:\WINDOWS\jawa32.exe

Folders:
C:\Program Files\WildTangent\
C:\Program Files\Common Files\Presentia\
C:\Program Files\MarketBrowser\


Let me know if you can't find or delete them.

CleanUp!
NOTE: Cleanup deletes EVERYTHING out of temporary folders and does not make backups. If you have any files in your temporary folders you want to keep, move them now!

Open Cleanup! by double-clicking the icon on your desktop (or from Start -> All Programs). Set the program up as follows:
  • Click Options
  • Move the slider button down to Custom CleanUp!
  • Check the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • Cleanup! All Users
  • Click on Temporary Files and make sure the following is unchecked:
    • Scan drives for file matching
Click OK, then press the CleanUp! button to start the program. Do not reboot when prompted.

Ewido
Close all open windows and please do not open any new windows during the course of this scan. Open Ewido.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans, Ewido is finding cases of false positives. You will need to step through the process of cleaning files one-by-one.
    • If Ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
  • Close Ewido
NOTE: The Ewido scan will require at least an hour to run.

Restart to Normal Mode
Restart your system normally.

Scan with Panda ActiveScan
Perform an online scan with Internet Explorer with Panda ActiveScan (click on the Free To Use ActiveScan located on the top right hand corner).
  1. Click Check Now and a "pop up" window will appear. Please ensure that your pop up blocker doesn't block it!
  2. Enter your e-mail address, country, and state & click Scan Now. The download of Panda's 8 MB ActiveX control will now take place.
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report

NOTE: You don't need to remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Please turn off the real time scanners of any antivirus programs on your system while performing the online scan.

Logfiles Required
The Ewido logfile
The Panda ActiveScan report
A new HiJackThis log

And please advise as to how your system is running.
-- AbstractEpiphany
#4 - 05-20-2006, 09:38 AM
Registered User | Join Date: Oct 2004 | Posts: 203 | OS: Win XP

I was able to uninstall the web tangent games, but there is another one called web tangent web driver that gave me an error message that I cannot uninstall it.
-- lindseyschlabac
#5 - 05-20-2006, 10:32 AM
Registered User | Join Date: Oct 2004 | Posts: 203 | OS: Win XP

I took a screen shot of the error. I was wondering if I should go on with the list that you gave me, or do you have some other suggestion as to how I could uninstall the web tangent driver.

I am already logged in as the administrator so I don't understand why I am getting the below error message.
-- lindseyschlabac
#6 - 05-20-2006, 02:17 PM
Registered User | Join Date: Oct 2004 | Posts: 203 | OS: Win XP

I downloaded and ran a wild Tangent Driver Removal tool from here

http://www.pchell.com/downloads/WTRemover.exe and it said everything was removed, but I still had the Wild Tangent Web Driver show up in Add and Remove Programs, so I still don't know what to do to get rid of it. Any ideas? I will keep trying. Thanks
-- lindseyschlabac
#7 - 05-22-2006, 12:14 AM
Registered User | Join Date: Jan 2006 | Location: Canada | Posts: 250 | OS: Windows 98SE/XP Home, Mac OS X


Please proceed with the remainder of my instructions for now concerning the other malware on your system, and we'll take care of the WildTangent Web Driver uninstall entry in the next steps.
-- AbstractEpiphany
#8 - 05-22-2006, 06:40 AM
Registered User | Join Date: Oct 2004 | Posts: 203 | OS: Win XP

Logs posted

Alright, the first post is a picture of an error message I received when running HijackThis. I think it couldn't remove something.


Below are the Ewido, Panda and New HJT Logs, thanks


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:04:15 AM, 5/22/2006
+ Report-Checksum: 1BD6F1E7

+ Scan result:

HKLM\SOFTWARE\Classes\DefaultSearch.SeekSeek -> Adware.SeekSeek : Cleaned without backup
HKLM\SOFTWARE\Classes\DefaultSearch.SeekSeek\CLSID -> Adware.SeekSeek : Cleaned without backup
HKLM\SOFTWARE\Classes\DefaultSearch.SeekSeek\CurVer -> Adware.SeekSeek : Cleaned without backup
HKLM\SOFTWARE\Classes\DefaultSearch.SeekSeek.1 -> Adware.SeekSeek : Cleaned without backup
HKLM\SOFTWARE\Classes\LinkMaker.LinkMakerFilter -> Adware.LinkMaker : Cleaned without backup
HKLM\SOFTWARE\Classes\LinkMaker.LinkMakerFilter\CLSID -> Adware.LinkMaker : Cleaned without backup
HKLM\SOFTWARE\Classes\LinkMaker.LinkMakerFilter.1 -> Adware.LinkMaker : Cleaned without backup
HKLM\SOFTWARE\Classes\LinkMaker.LinkTracker -> Adware.LinkMaker : Cleaned without backup
HKLM\SOFTWARE\Classes\LinkMaker.LinkTracker\CLSID -> Adware.LinkMaker : Cleaned without backup
HKLM\SOFTWARE\Classes\LinkMaker.LinkTracker.1 -> Adware.LinkMaker : Cleaned without backup
HKLM\SOFTWARE\Classes\URLLauncher.URLLauncherControl -> Adware.SeekSeek : Cleaned without backup
HKLM\SOFTWARE\Classes\URLLauncher.URLLauncherControl\CLSID -> Adware.SeekSeek : Cleaned without backup
HKLM\SOFTWARE\Classes\URLLauncher.URLLauncherControl\CurVer -> Adware.SeekSeek : Cleaned without backup
HKLM\SOFTWARE\Classes\URLLauncher.URLLauncherControl.1 -> Adware.SeekSeek : Cleaned with backup
HKLM\SOFTWARE\Classes\URLSearch.URLSearch -> Adware.SeekSeek : Cleaned with backup
HKLM\SOFTWARE\Classes\URLSearch.URLSearch\CLSID -> Adware.SeekSeek : Cleaned with backup
HKLM\SOFTWARE\Classes\URLSearch.URLSearch\CurVer -> Adware.SeekSeek : Cleaned with backup
HKLM\SOFTWARE\Classes\URLSearch.URLSearch.1 -> Adware.SeekSeek : Cleaned with backup
HKLM\SOFTWARE\slmss -> Adware.SecondThought : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1422\A0541975.dll -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542061.exe -> Downloader.Minstaller : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542062.dll -> Adware.PowerStrip : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542063.exe -> Adware.PowerStrip : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542064.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542065.ocx -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542068.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542427.exe -> Backdoor.Agent.dg : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542428.exe -> Backdoor.Agent.co : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542429.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542435.dll -> Hijacker.StartPage.io : Cleaned with backup
C:\WINDOWS\hyxx8407.dll -> Hijacker.Agent.i : Cleaned with backup
C:\WINDOWS\iesearch.dll -> Hijacker.StartPage.io : Cleaned with backup
C:\WINDOWS\jawa32.ocx -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\omdsn.dll_ -> Hijacker.StartPage.io : Cleaned with backup
C:\WINDOWS\SYSTEM32\brix6ie.ocx -> Adware.Coupons : Cleaned with backup


::Report End



_______________________________________________________________


Panda ActiveScan:

Incident | Status | Location

Adware:adware/powerstrip | Not disinfected | c:\windows\system32\lmd.bin
Adware:adware/portalscan | Not disinfected | c:\windows\jawa32e.bin
Spyware:spyware/linkreplacer | Not disinfected | Windows Registry
Adware:adware/coupons | Not disinfected | Windows Registry
Adware:adware/virtualbouncer | Not disinfected | Windows Registry
Adware:adware/seekseek | Not disinfected | Windows Registry
Adware:adware/ncase | Not disinfected | Windows Registry
Potentially unwanted tool:Application/HideWindow.A | Not disinfected | C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B | Not disinfected | C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A | Not disinfected | C:\hp\bin\Terminator.exe





Logfile of HijackThis v1.99.1
Scan saved at 5:01:46 AM, on 5/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...6.1&bm=ho_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highstream.net/members/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost;<local>
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136832176562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-- lindseyschlabac
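As an added example (not code from this thread, from HijackThis or from either poster), the Python helper below parses HijackThis v1.99 entry lines like those in posts #1 and #8, flags the kinds of entries the fix in post #3 singled out (autoruns launched straight from the Windows root, services whose binary is missing, a URLSearchHook, an IE search setting pointing off-Microsoft, an AppInit_DLLs value) and diffs two logs to list what the fix removed. The embedded logs are short constructed excerpts of the logs posted above; the heuristics are mine, not HijackThis's.

```python
"""Triage helper for HijackThis v1.99 logs.

Added example, not a tool from this thread or from HijackThis itself:
parses entry lines (R0-R3, Onn), applies a few defender-side heuristics
for the entry types discussed in the thread, and diffs two logs so the
entries a fix removed can be listed.  The embedded logs are constructed
excerpts of the logs posted in the thread.
"""
import re
from urllib.parse import urlparse

# Every HJT finding line starts with a section code such as "R0" or "O23".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def parse_entries(log_text):
    """Return (section, body) tuples for each entry line, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _run_target(body):
    """Path launched by an O4 Run entry: '[name] "C:\\dir\\x.exe" args'."""
    m = re.search(r'\]\s*"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))', body, re.I)
    return m.group(1) if m else None


def triage(log_text):
    """Return (reason, entry) pairs that deserve a second look."""
    findings = []
    for section, body in parse_entries(log_text):
        entry = f"{section} - {body}"
        if section == "O4":
            path = _run_target(body)
            # Vendor autoruns live under System32, Program Files or a vendor
            # folder; a binary sitting directly in C:\WINDOWS\ is unusual.
            if path and re.match(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", path, re.I):
                findings.append(("autorun launched from Windows root", entry))
        elif section == "O23" and "(file missing)" in body:
            # Either an uninstall remnant or a component a cleaner removed;
            # the dangling service registration should be retired either way.
            findings.append(("service registered but binary missing", entry))
        elif section == "R3":
            findings.append(("URLSearchHook registered", entry))
        elif section == "R0" and "Search," in body:
            url = body.split("=", 1)[1].strip()
            host = urlparse(url).hostname if url else None
            if host and not host.endswith("microsoft.com"):
                findings.append(("IE search setting points off-Microsoft", entry))
        elif section == "O20":
            findings.append(("AppInit_DLLs value present", entry))
    return findings


def removed_entries(before, after):
    """Entries present in the first log but absent from the second."""
    after_set = set(parse_entries(after))
    return [f"{s} - {b}" for s, b in parse_entries(before) if (s, b) not in after_set]


# Constructed excerpt of the first log in this thread (post #1).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\system32\cdsm32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [me69N] C:\WINDOWS\Bbabc835.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O20 - AppInit_DLLs:
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Winkpk - Unknown owner - C:\WINDOWS\System32\Winkpk.exe (file missing)
"""

# Constructed excerpt of the log posted after the fix (post #8).
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
"""

if __name__ == "__main__":
    for reason, entry in triage(BEFORE_LOG):
        print(f"[{reason}] {entry}")
    print("Removed by the fix:")
    for entry in removed_entries(BEFORE_LOG, AFTER_LOG):
        print("  " + entry)
```

The McAfee MCVSRte line is still flagged in the after-log because its binary is missing in both logs; that is a leftover uninstall registration, not something the fix targeted.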
#9 - 05-23-2006, 12:59 PM
Registered User | Join Date: Jan 2006 | Location: Canada | Posts: 250 | OS: Windows 98SE/XP Home, Mac OS X


Hello again lindseyschlabac!

Quote:
Alright the first post is a picture of an error message I received when running Hijack this. I think it couldn't remove something.
The error appears to report that it removed the entry properly, but couldn't make a backup of it due to incorrect parameters. Your latest HJT log confirms that the entry was successfully removed. The error is nothing to worry about, as that entry will not need to be restored.

Just a few more things to finish up.

Remove WildTangent's Uninstall Entry
  • Open Hijackthis, and click on Config
  • Click on Misc Tools
  • Go to Uninstall Manager
  • Scroll down and click once on the WildTangent Web Driver entry to highlight it, and then hit the Delete this entry button
  • Close Hijackthis

Delete Files
Delete the following files if they still exist.

Files:
c:\windows\system32\lmd.bin
c:\windows\jawa32e.bin


Let me know if you can't find or delete them.

If the files will not delete properly in normal mode, boot to safe mode and delete them from there, and then boot back to normal mode and proceed with the remainder of the fix.

Scan with Kaspersky
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Answer Yes when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button and configure to:
    • Scan using the following Anti-Virus Database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Logfiles Required
The Kaspersky log
A fresh HijackThis log

And please let me know how your computer is functioning.
-- AbstractEpiphany
#10 - 05-24-2006, 05:50 AM
Registered User | Join Date: Oct 2004 | Posts: 203 | OS: Win XP

Thanks for the response,

You asked how the computer is running. It seems a bit snappier than it was before we started. It is still a bit sluggish compared to my other computer, like when clicking on the Start menu or starting up Windows Explorer. Also, I get this error message box with nothing in it whenever I reboot. I don't know if it means anything to you or not.



Below are the logs

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, May 24, 2006 4:30:33 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 24/05/2006
Kaspersky Anti-Virus database records: 195970
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 48993
Number of viruses found: 4
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:07:56

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542643.dll Infected: Trojan-Clicker.Win32.Agent.i skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542644.dll Infected: Trojan.Win32.StartPage.io skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542645.ocx Infected: not-a-virus:AdWare.Win32.Suggestor.a skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542646.ocx Infected: not-a-virus:AdWare.Win32.Coupons.d skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 4:33:53 AM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...6.1&bm=ho_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highstream.net/members/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost;<local>
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136832176562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks again,
lindseyschlabac is offline  
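The Kaspersky report above lists every hit under C:\System Volume Information\_restore{...}\RPnnnn\, which are System Restore's own copies of files that were already removed rather than anything still active; that is the reason a helper later asks for System Restore to be flushed once the machine is stable. The following script is an added example for this thread, not code from Kaspersky or the forum: it parses a report of this shape, separates restore-point copies from live files, and separates "not-a-virus:" adware verdicts from malware verdicts. The regexes assume exactly the line shapes visible in the pasted report, and SAMPLE is a copy of its statistics and detection lines.

```python
"""Classify the detections in a Kaspersky On-line Scanner report by where they sit.

Added example for this thread, not code from Kaspersky or the forum. The regexes
assume the line shapes of the report pasted above; SAMPLE copies its key lines.
"""
import re
from dataclasses import dataclass

# Restore-point copies live under \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)
# "<path> Infected: <name> <last action>" (the on-line scanner only reports, so 'skipped')
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$")
# "Number of infected objects: 4" and the other integer statistics
STAT_RE = re.compile(r"^(?P<key>[^:]+): (?P<value>\d+)$")


@dataclass
class Detection:
    path: str
    verdict: str
    name: str
    action: str

    @property
    def in_restore_point(self) -> bool:
        return bool(RESTORE_POINT_RE.search(self.path))

    @property
    def is_pua(self) -> bool:
        # Kaspersky prefixes adware/riskware with "not-a-virus:" to separate it from malware
        return self.name.lower().startswith("not-a-virus:")


def parse_report(text):
    """Return (statistics dict, list of Detection) for one report."""
    stats, detections = {}, []
    for line in (l.strip() for l in text.splitlines()):
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(**m.groupdict()))
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("value"))
    return stats, detections


def summarize(stats, detections):
    """The counts a helper checks before deciding on the next step."""
    return {
        "reported": stats.get("Number of infected objects", 0),
        "parsed": len(detections),
        "consistent": stats.get("Number of infected objects") == len(detections),
        "in_restore_points": sum(d.in_restore_point for d in detections),
        "live": sum(not d.in_restore_point for d in detections),
        "pua": sum(d.is_pua for d in detections),
        "malware_names": sorted({d.name for d in detections if not d.is_pua}),
    }


# Copied from the report in this post (statistics and detection lines only).
SAMPLE = r"""
Scan Statistics:
Total number of scanned objects: 48993
Number of viruses found: 4
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:07:56

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542643.dll Infected: Trojan-Clicker.Win32.Agent.i skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542644.dll Infected: Trojan.Win32.StartPage.io skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542645.ocx Infected: not-a-virus:AdWare.Win32.Suggestor.a skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1423\A0542646.ocx Infected: not-a-virus:AdWare.Win32.Coupons.d skipped

Scan process completed.
"""

if __name__ == "__main__":
    stats, found = parse_report(SAMPLE)
    for key, value in summarize(stats, found).items():
        print(f"{key}: {value}")
```

For this report the summary shows four detections, all four inside restore points and none live, two of them adware ("not-a-virus:") and two malware names; "consistent" confirms the parsed count matches the report's own "Number of infected objects" line, which is a cheap check that no detection line was lost when the log was pasted.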
05-26-2006, 04:03 AM   #11
Registered User
 
Join Date: Oct 2004
Posts: 203
OS: Win XP


Bump!
lindseyschlabac is offline  
05-27-2006, 06:10 PM   #12
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Hello,

AbstractEpiphany is away from the computer for a while. Let's continue.

Did this error box begin popping up after you used that tool to uninstall WildTangent?

Open HijackThis
* Click on the "Configure" button on the bottom right
* Click on the tab "Misc Tools"
* Click on the box that says "Open Uninstall Manager"
* Click on the button "Save list"
Please copy and paste the list from the notebook here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
05-27-2006, 07:02 PM   #13
Registered User
 
Join Date: Oct 2004
Posts: 203
OS: Win XP


No, this error box was showing up before WildTangent.


Ad-aware 6 Personal
Adobe Download Manager 2.0 (Remove Only)
Advanced Drawing
AOL Connectivity Services
Atomic Pop
Blasterball Wild
ClamWin Free Antivirus 0.88.2.3
CleanUp!
ClickArt 250,000 Premier Image Pack
ClickArt® Gallery
Dark Orbit
Detto IntelliMover
Easy Internet Sign-up
ewido anti-malware
GemMaster 2
HijackThis 1.99.1
hp center
hp deskjet 845c series (Remove only)
HP Instant Support
HP Learning Adventure
Inactive HP Printer Drivers (Remove only)
Kaspersky On-line Scanner
KazooStudio
KBD
KODAK Picture CD
Lernout & Hauspie TruVoice American English TTS Engine
MathPlayer
McAfee.com Agent
McAfee.com VirusScan Online
Microsoft Data Access Components KB870669
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Picture It! Express 7.0
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
MSN
MSN Connection Center
MSN Encarta Plus Support Files
MSN Messenger 7.0
MUSICMATCH Jukebox
My Photo Center
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
PC-Doctor for Windows
PigPen
Pradis 5.0
PrintMaster Express
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
Quicken Financial Center
RealPlayer Basic
RingMaster from Hewlett-Packard Desktops (remove only)
S3 Gamma
S3 Savage4 Family Display Switch2 Utility
SabreWing 2
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Shockwave
Sonic Foundry Super Duper Music Looper XPress
Space Rocks
Speedway
Spybot - Search & Destroy 1.2
Tcl 8.0.5 for Windows
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Viewpoint Media Player (Remove Only)
War Games Virtual Warfare Demo
WeatherBug
Windows Blaster Worm Removal Tool (KB833330)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WordPerfect Office 2002 Try Before You Buy
WordPerfect Office 2002 Try Before You Buy
lindseyschlabac is offline  
05-27-2006, 07:47 PM   #14
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Let's have a look at Windows Event Viewer. It might give us a clue as to what is causing these issues.

Go to Start > Run - type in eventvwr <Press Enter>




This is a picture of what the event viewer looks like.
You will see Application, Security & System listed in the left pane.
  1. In the left pane click on Application.
  2. Click the gray title “Type” at the top of the source name column in the right pane to sort by type name.
    Look for “Error” & double-click on the most recent 5, and evaluate the event description for any indication of the cause of the problem.
  3. Make note of the Description, EventID and Source of these Event Properties.
  4. From the right pane, double-click on the line where it says error & you should get a window like the example below.



  5. In the upper right corner of this picture, you should see 2 arrows. One is pointing up & the other, pointing down.
    There is another button below the 2 arrows. Click once on it. (This will copy some information to the clipboard.)
  6. Open Notepad & paste the info in there. This will copy the event information to the clipboard. Paste the information for each event here.

Repeat steps 1-6 for System.
Ried is offline  
05-29-2006, 06:13 PM   #15
Registered User
 
Join Date: Oct 2004
Posts: 203
OS: Win XP


Here are the error messages.



Here are the application events:


Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 5/29/2006
Time: 4:56:51 PM
User: N/A
Computer: PIZZA
Description:
Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0028: 20 69 6e 20 75 6e 6b 6e in unkn
0030: 6f 77 6e 20 30 2e 30 2e own 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 5/24/2006
Time: 2:57:51 AM
User: N/A
Computer: PIZZA
Description:
Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0028: 20 69 6e 20 75 6e 6b 6e in unkn
0030: 6f 77 6e 20 30 2e 30 2e own 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000


Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 5/22/2006
Time: 3:31:42 AM
User: N/A
Computer: PIZZA
Description:
Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0028: 20 69 6e 20 75 6e 6b 6e in unkn
0030: 6f 77 6e 20 30 2e 30 2e own 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000


Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 5/22/2006
Time: 2:59:13 AM
User: N/A
Computer: PIZZA
Description:
Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0028: 20 69 6e 20 75 6e 6b 6e in unkn
0030: 6f 77 6e 20 30 2e 30 2e own 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 5/20/2006
Time: 10:09:50 AM
User: N/A
Computer: PIZZA
Description:
Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0028: 20 69 6e 20 75 6e 6b 6e in unkn
0030: 6f 77 6e 20 30 2e 30 2e own 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000


Below are the error files for the system:


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 5/29/2006
Time: 5:02:57 PM
User: N/A
Computer: PIZZA
Description:
The McAfee.com VirusScan Online Realtime Engine service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10000
Date: 5/29/2006
Time: 5:02:21 PM
User: PIZZA\Owner
Computer: PIZZA
Description:
Unable to start a DCOM Server: {EFFA8CA5-3839-11D5-A9DB-0010B5439657}. The error:
"The system cannot find the file specified. "
Happened while starting this command:
C:\PROGRA~1\HPCENT~1\137903\Program\BACKWE~1.EXE -Embedding

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10000
Date: 5/29/2006
Time: 5:02:21 PM
User: PIZZA\Owner
Computer: PIZZA
Description:
Unable to start a DCOM Server: {EFFA8CA5-3839-11D5-A9DB-0010B5439657}. The error:
"The system cannot find the file specified. "
Happened while starting this command:
C:\PROGRA~1\HPCENT~1\137903\Program\BACKWE~1.EXE -Embedding

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 5/29/2006
Time: 4:57:54 PM
User: N/A
Computer: PIZZA
Description:
Error code 10000050, parameter1 c8c40000, parameter2 00000000, parameter3 80599d52, parameter4 00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 35 1000005
0020: 30 20 20 50 61 72 61 6d 0 Param
0028: 65 74 65 72 73 20 63 38 eters c8
0030: 63 34 30 30 30 30 2c 20 c40000,
0038: 30 30 30 30 30 30 30 30 00000000
0040: 2c 20 38 30 35 39 39 64 , 80599d
0048: 35 32 2c 20 30 30 30 30 52, 0000
0050: 30 30 30 30 0000



Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 5/29/2006
Time: 4:57:42 PM
User: N/A
Computer: PIZZA
Description:
The McAfee.com VirusScan Online Realtime Engine service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
lindseyschlabac is offline  
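Reading the pasted records by hand, the five Application errors are all the same pair (source "Application Error", ID 1004, svchost.exe crashing in an unknown module), and the System log's 7000 error names the McAfee service whose image the HijackThis log already flagged with "(file missing)". The script below is an added example for this thread, not an Event Viewer feature or any tool's code: it parses the clipboard text that Event Viewer produces in the steps above into records, counts them per (source, ID), decodes the hex Data block back to text, and pulls the crashing image and module out of a 1004 description. It assumes the exact "Key: value" layout seen in the post; SAMPLE is a copy of two of the records above, trimmed to those two.

```python
"""Turn Event Viewer's clipboard text (the blocks pasted above) into records.

Added example for this thread, not an Event Viewer feature or any tool's code.
It assumes the "Key: value" layout seen in the post; SAMPLE copies two records
from it (one Application Error 1004 with its Data block, one SCM 7000).
"""
import re
from collections import Counter

HEADER_KEYS = ("Event Type", "Event Source", "Event Category", "Event ID",
               "Date", "Time", "User", "Computer")
# One Data row: 4-digit offset, up to 8 hex bytes, then an ASCII column we ignore.
# (Only the final row can be short, so reading at most 8 pairs keeps the ASCII out.)
DATA_ROW_RE = re.compile(r"^[0-9A-Fa-f]{4}:\s+((?:[0-9A-Fa-f]{2}\s){1,8})")
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+?), .*faulting module (?P<module>\S+?), ")


def parse_events(text):
    """Split a clipboard dump into dicts: the header keys plus 'Description' and 'Data'."""
    events, cur, section = [], None, None
    for line in (l.rstrip() for l in text.splitlines()):
        if line.startswith("Event Type:"):          # every record starts with this line
            cur = {"Description": "", "Data": b""}
            events.append(cur)
            section = "header"
        if cur is None:
            continue
        if line in ("Description:", "Data:"):
            section = line[:-1]
            continue
        if section == "header":
            key, _, value = line.partition(":")
            if key in HEADER_KEYS:
                cur[key] = value.strip()
        elif section == "Description" and not line.startswith("For more information"):
            cur["Description"] = (cur["Description"] + " " + line).strip()
        elif section == "Data":
            m = DATA_ROW_RE.match(line)
            if m:
                cur["Data"] += bytes.fromhex("".join(m.group(1).split()))
    return events


def summarize(events):
    """Count records per (source, id); one pair repeating usually means one cause."""
    return Counter((e["Event Source"], int(e["Event ID"])) for e in events)


def decoded_data(event):
    """The Data block of 1004/1003 records is ASCII text that mirrors the description."""
    return event["Data"].decode("ascii", errors="replace")


def faulting_app(event):
    """Image and module named by an Application Error 1004 description, else None."""
    m = FAULT_RE.search(event["Description"])
    return m.groupdict() if m else None


SAMPLE = """\
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 5/29/2006
Time: 4:56:51 PM
User: N/A
Computer: PIZZA
Description:
Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure  svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 30 2e 30 2e 30 2e 30  0.0.0.0
0028: 20 69 6e 20 75 6e 6b 6e  in unkn
0030: 6f 77 6e 20 30 2e 30 2e own 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 5/29/2006
Time: 5:02:57 PM
User: N/A
Computer: PIZZA
Description:
The McAfee.com VirusScan Online Realtime Engine service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""

if __name__ == "__main__":
    events = parse_events(SAMPLE)
    for (source, event_id), n in summarize(events).items():
        print(f"{n} x {source} {event_id}")
    print(faulting_app(events[0]), "|", decoded_data(events[0]))
```

Decoding the Data block is mostly a sanity check: for these 1004 records it spells out "Application Failure  svchost.exe 0.0.0.0 in unknown 0.0.0.0 at offset 00000000", the same facts as the description, so nothing extra is hidden there. The per-(source, ID) count is what you would paste into a Windows XP help request, since it shows at a glance that one crash signature repeats rather than many different ones.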
05-30-2006, 07:00 AM   #16
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


These errors are not malware related. My suggestion is to post in the Windows XP section. Explain the error to them giving as much detail as possible, along with providing these Event Viewer logs. Also let them know you've been cleared in the HijackThis forum.

The Spybot program installed on this system is terribly outdated.

Download Spybot Search & Destroy 1.4 Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button on top to Immunize your computer - you should do this each time there is an update. Click 'Check for Problems' and fix all the entries, which are indicated in RED.

I am hesitant to flush your System Restore until your issue is resolved in Windows XP. Once that error is resolved, you'll want to clear your System Restore and set a new Restore point.

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

-------------------------------------------------

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links.


Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.
More information and free downloads are available at the following links:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file; save it to your desktop. Once downloaded, double-click on it to extract the files inside (the default directory is C:\IE-SPYAD).
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4


Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Ried is offline  
05-31-2006, 11:36 AM   #17
Registered User
 
Join Date: Oct 2004
Posts: 203
OS: Win XP


Ried, I got the blank error message taken care of. Also thanks for telling me that my Spybot was out of date. I kept running the check for updates on the internet and thought it was no longer being updated, but here I wasn't on the latest version. I ran the new version 1.4 with all the updates and it took a bunch of junk out. It is now running faster than ever. I decided to post a new HJT log to see if maybe all the junk is out before doing the steps in the above post.

Here it is.

Logfile of HijackThis v1.99.1
Scan saved at 10:30:34 AM, on 5/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...6.1&bm=ho_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highstream.net/members/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136832176562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
lindseyschlabac is offline  
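Comparing this log with the one in post #10 by eye is how the helper decides "everything looks good": the McAfee services (one already marked "(file missing)"), the Money and HP autostarts and the hp center startup items are gone, and the only new entry is Spybot's SDHelper BHO. The script below is an added example for this thread, not part of HijackThis or anything the forum ships: it parses the "Oxx - ..." entry lines of a v1.99.1 log, diffs two scans of the same machine, and lists the entries a reviewer looks at first (services whose image is missing and BHOs with no product name, both harmless here). The entry regex is an assumption about that line shape, and OLD_LOG / NEW_LOG are excerpts of the post #10 and post #17 logs above.

```python
"""Parse HijackThis log entries, diff two scans, and list the review points.

Added example for this thread, not part of HijackThis. ENTRY_RE assumes the
"Oxx - ..." line shape of v1.99.1 logs; OLD_LOG and NEW_LOG are excerpts of
the two logs posted in this thread.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str   # R0, R1, O2, O4, O23, ...
    body: str

    @property
    def file_missing(self) -> bool:
        # HijackThis appends this when a registered service/autostart image is gone
        return "(file missing)" in self.body

    @property
    def unnamed_bho(self) -> bool:
        return self.section == "O2" and "(no name)" in self.body


def parse_hjt(text):
    """Keep only the entry lines; the process list and header are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def diff_logs(old, new):
    """(removed, added): entries that vanished or appeared between two scans."""
    old_set, new_set = set(old), set(new)
    return [e for e in old if e not in new_set], [e for e in new if e not in old_set]


def review_points(entries):
    """Entries a helper reads first: services with a missing image and BHOs
    without a product name. Both are benign in this thread, but always checked."""
    return [e for e in entries if e.file_missing or e.unnamed_bho]


# Excerpt of the post #10 log (before Spybot 1.4 ran).
OLD_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Excerpt of the post #17 log (after Spybot 1.4 ran).
NEW_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(parse_hjt(OLD_LOG), parse_hjt(NEW_LOG))
    print("removed:", *[e.body for e in removed], sep="\n  ")
    print("added:", *[e.body for e in added], sep="\n  ")
    print("review:", *[f"{e.section} {e.body}" for e in review_points(parse_hjt(NEW_LOG))], sep="\n  ")
```

Diffing against the previous log is more reliable than re-reading the whole thing, because an entry that silently returns after a cleanup (a Run key or service re-created on reboot) is exactly the case a full read tends to miss; here the diff shows five entries removed and only SDHelper added, which is what "your logs are clean" rests on.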
05-31-2006, 11:54 AM   #18
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Hi lindsey,

Good, I'm glad you've gotten that issue resolved.

Everything looks real good. You can proceed with those final instructions now, including the reset of System Restore.
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum