Screensaver Doesn't Work

[ZLRAC]

Help... not sure how it happened, but if I pick a screensaver, the next time I turn my computer on, it defaults back to (none.) How do I get it to stop doing this? I think a screensaver management type program may have caused this at some point but I'm not sure which one. I run XP... I've got Ad-Aware, Spybot, Process Guard, Winpatrol, Spycatcher, and Spyware Blaster... So I'm pretty well protected and scans aren't showing anything... Please see the attached hijackthis file if that helps. Let me know if anything else looks suspicious or would improve my system.

Logfile of HijackThis v1.99.1
Scan saved at 9:57:49 PM, on 7/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\BlueMouse\PERFECT SERIES\MULTI-DIRECTION OPTICAL MOUSE\1.4\MOUSE32A.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\Program Files\ONSPEED\onspeedcore.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mightyfax\MFNTCTL.EXE
C:\Program Files\ONSPEED\onspeedgui.exe
C:\Program Files\SpyCatcher 2006\Protector.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\ZipGenius 6\zipgenius.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ZGTemp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itsyourturn.com/iyt.dll?status??
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Carl's Web Connection
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5405
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ONSPEED\PBHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\ONSPEED\components\NOWImaging.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ONSPEED - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ONSPEED\TOOLBAND.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\BlueMouse\PERFECT SERIES\MULTI-DIRECTION OPTICAL MOUSE\1.4\MOUSE32A.EXE
O4 - HKLM\..\Run: [keepitup] C:\Program Files\KEEPITUP!\keepitup.exe
O4 - HKLM\..\Run: [CleanDisk] C:\Yenicag\CleanDisk\clean.bat
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraConverter.exe -t
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: TempCleaner.lnk = C:\Program Files\TempCleaner\TempCleaner.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\Mightyfax\MFNTCTL.EXE
O4 - Global Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ONSPEED\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ONSPEED\gui_resource.dll/328
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{30967180-DD4B-4F87-B792-BD709427AEEC}: NameServer = 64.136.173.8 64.136.164.66
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\iycvid.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Please copy all logs into your replies it makes it easier on the analysts. Thanks!

[ZLRAC]

Thanks. I'm new to this site and wasn't aware that hijackthis log files should just be pasted.

[Ried]

Hello ZLRAC and welcome to TSF,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

**********************************************************

Before we begin, please move HiJackThis to it's own folder, like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

**********************************************************

First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need run ewido and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
   • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
   • Select "Automatically generate report after every scan"
   • Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.



Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).


Please download Look2Me-Destroyer.exe to your desktop.

• Close all windows before continuing.
• Double-click to run it.
• Put a check next to Run this program as a task.
• You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
• When it re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
• Once it's done scanning, click the Remove L2M button.
• You will receive a Done Scanning message, click OK.
• When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
• Your computer will then shutdown.
• Turn your computer back on.
• Please post the contents of C:\Look2Me-Destroyer.txt along with any other reports requested.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX and place it in your C:\Windows\System32 Directory.

------------------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist:

R3 - URLSearchHook: (no name) - <default> - (no file)
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\iycvid.dll (file missing)
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)


Click 'Fix Checked' and close HijackThis.

-----------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users
• Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.

Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

------------------------------------------------

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:

• Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• ewido will now begin the scanning process, be patient this may take a little time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
• Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
• Click on see report. Then click Save report

Please include the following in your next reply:

Look2Me-Destroyer.txt
Ewido results
Panda results
New HijackThis log

[ZLRAC]

Whew! Ried that is a lot of stuff, but I'll give it a shot. Thanks!

[Ried]

Trust me, all those steps will be well worth your trouble.

[ZLRAC]

Wow! I'm amazed. I thought my system was really well protected and fully optimized, (did this after applying every applicable hack and tweak from a book on XP hacks and tweaks) however the programs you had me run found and fixed a lot of stuff that my usual defenses hadn't caught. Also, it's probably too early to tell and it could be my imagination; but my pages in Firefox seem to be loading a lot faster.

Anyway, here are the results you asked me to post...
Look2Me-Destroyer.txt
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 7/13/2006 1:16:04 AM
Attempting to delete infected files...
Making registry repairs.
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded

Ewido results
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 1:58:25 AM 7/13/2006
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB00429.XBTB00429Toolbar -> Adware.CramToolbar : Cleaned with backup (quarantined).
C:\Program Files\Warez P2P Client\apwrz.exe -> Adware.Lop : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\My Documents\My Downloads\CWS.exe/VVSNInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\My Documents\My Downloads\emgk172c.exe/run.exe -> Downloader.IstBar.is : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\Desktop\WarezP2P_CWS.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Downloads\WarezP2P.exe -> Downloader.Small : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.175:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.176:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.177:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.269:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.270:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.254:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.189:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.190:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.197:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.198:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.158:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.159:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.138:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.139:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.140:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.141:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.263:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.121:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.122:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.123:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
::Report end

Panda results
Incident Status Location
Adware:adware/dollarrevenue Not disinfected c:\windows\winsysupd71.dat
Adware:adware/oemji Not disinfected Windows Registry
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt[.target.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt[.apmebf.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt[.realmedia.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\0c6dymjx.Carl Z\cookies.txt[.belnk.com/]
Adware:Adware/CramToolbar Not disinfected C:\Documents and Settings\HP_Owner\My Documents\My Downloads\activate_crack.exe[untitled1.dll]
Virus:Trj/Zorro.A Disinfected C:\Downloads\CrucialScan.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\StripSaver2\Windows.dll
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\StripSaver2\WindowsEx.dll

New HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 9:11:05 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\BlueMouse\PERFECT SERIES\MULTI-DIRECTION OPTICAL MOUSE\1.4\MOUSE32A.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\Program Files\ONSPEED\onspeedcore.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mightyfax\MFNTCTL.EXE
C:\Program Files\ONSPEED\onspeedgui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ZipGenius 6\zipgenius.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ZGTemp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itsyourturn.com/iyt.dll?status??
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Carl's Web Connection
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5405
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ONSPEED\PBHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\ONSPEED\components\NOWImaging.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ONSPEED - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ONSPEED\TOOLBAND.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\BlueMouse\PERFECT SERIES\MULTI-DIRECTION OPTICAL MOUSE\1.4\MOUSE32A.EXE
O4 - HKLM\..\Run: [keepitup] C:\Program Files\KEEPITUP!\keepitup.exe
O4 - HKLM\..\Run: [CleanDisk] C:\Yenicag\CleanDisk\clean.bat
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraConverter.exe -t
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: TempCleaner.lnk = C:\Program Files\TempCleaner\TempCleaner.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\Mightyfax\MFNTCTL.EXE
O4 - Global Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ONSPEED\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ONSPEED\gui_resource.dll/328
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30967180-DD4B-4F87-B792-BD709427AEEC}: NameServer = 64.136.173.8 64.136.164.66
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Now what?

[Ried]

Hello ZLRAC,

Quote:

it could be my imagination; but my pages in Firefox seem to be loading a lot faster.

It's not your imagination.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

*********************************************************

Please download Brute Force Uninstaller to your desktop.

• Right click the BFU folder on your desktop, and choose Extract All
• Click "Next"
• In the box to choose where to extract the files to,
• Click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk (C:) or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:BFU).

Please download the ISTBar removal tool from Symantec into it's own folder. Do not run it yet.

Download fl.zip

Do not do anything with these yet!

---------------------------------------------------------------------

Please disable the following program(s) as they may interfere with the fixes below. You may re-enable them when we are through:

TeaTimer

• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose "Yes" at the Warning prompt.
• Expand the "Tools" menu.
• Click "Resident".
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• In the File menu click "Exit" to exit Spybot Search & Destroy.
• See this link for a tutorial

WinPatrol:

• Right-click the running icon of Winpatrol in the system tray and choose exit. It will automatically restart at next boot.

Ewido Guard:

• Open Ewido by double-clicking the orange icon in the system tray.
• In the 'Your Computer's Securitysection, toggle the Ewido Guard Resident Shield 'off' by clicking Change state which will then change the protection status to 'inactive'.
• When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to ''inactive'' for the duration of your cleanup.

---------------------------------------------------------------------

Reboot into Safe Mode.

---------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

StripSaver2

---------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries:

O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\

Click 'Fix Checked' and close HijackThis.

-----------------------------------

Delete the following file and folder:

C:\Documents and Settings\HP_Owner\My Documents\My Downloads\ activate_crack.exe
C:\Program Files\ StripSaver2

---------------------------------------------------------------------

Run the ISTBar removal tool.

---------------------------------------------------------------------

Now, please go to Start > My Computer and navigate to the C:BFU folder.

• Start the Brute Force Uninstaller by doubleclicking BFU.exe
• Beside the scriptline to execute field click the folder icon and select alcanshorty.bfu by double clicking on it.
• Press Execute and let it do it’s job. (You ought to see a blue progress bar if you did this correctly.)
• Wait for the complete script execution box to pop up and press OK.
• Press exit to terminate the BFU program.

---------------------------------------------------------------------

Reboot into Normal Mode.

---------------------------------------------------------------------

Run another online scan at Panda and save the results.

---------------------------------------------------------------------

Extract the contents of the fl.zip you downloaded earlier to your desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

Please include the following in your next reply:

Panda results
find lop.txt
New HijackThis log

[ZLRAC]

Okay, here goes...

Panda results
Incident Status Location

Adware:adware/oemji Not disinfected Windows Registry
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/CramToolbar Not disinfected C:\RECYCLER\S-1-5-21-3929139207-2745007921-385688630-1009\Dc16.exe[untitled1.dll]

find lop.txt
Volume in drive C is HP_PAVILION
Volume Serial Number is 1CC6-0643

Directory of C:\Documents and Settings\All Users\Application Data

05/04/2006 07:54 PM <DIR> Adobe
12/28/2005 12:52 AM <DIR> Apple Computer
07/13/2006 08:00 AM <DIR> avg7
11/08/2005 01:29 AM <DIR> Grisoft
06/13/2005 08:06 PM <DIR> Hewlett-Packard
06/13/2005 07:18 PM 1,886 hpzinstall.log
06/13/2005 07:22 PM <DIR> InstallShield
11/07/2005 10:44 AM <DIR> QuickTime
06/13/2005 06:54 PM <DIR> SBSI
07/14/2006 09:29 PM <DIR> Spybot - Search & Destroy
08/20/2005 01:16 PM <DIR> Symantec
04/23/2006 11:02 PM <DIR> Tenebril
10/09/2005 04:55 PM <DIR> Trymedia
11/22/2005 09:17 PM <DIR> Viewpoint
08/18/2005 01:03 AM <DIR> Windows Genuine Advantage
1 File(s) 1,886 bytes
14 Dir(s) 68,552,278,016 bytes free
Volume in drive C is HP_PAVILION
Volume Serial Number is 1CC6-0643

Directory of C:\Documents and Settings\HP_Owner\Application Data

05/03/2006 11:59 PM <DIR> Adobe
05/04/2006 07:57 PM <DIR> AdobeUM
08/30/2005 12:13 AM <DIR> Aim
03/08/2006 01:07 AM <DIR> Apple Computer
11/08/2005 01:29 AM <DIR> AVG7
04/10/2006 12:03 AM <DIR> Desktop Sidebar
06/21/2006 09:00 PM <DIR> FrostWire
04/28/2006 10:23 PM <DIR> Google
09/08/2005 12:34 AM <DIR> Help
01/27/2005 07:53 PM <DIR> Identities
06/13/2005 07:54 PM <DIR> InterMute
08/14/2005 10:35 PM <DIR> InterVideo
08/23/2005 11:54 PM <DIR> Lavasoft
09/12/2005 08:24 PM <DIR> Leadertech
08/18/2005 12:09 AM <DIR> Macromedia
09/22/2005 02:20 AM <DIR> Morpheus
08/18/2005 11:13 PM <DIR> Mozilla
08/18/2005 03:18 AM <DIR> Real
06/13/2005 07:48 PM <DIR> SampleView
07/14/2006 10:35 PM <DIR> SlipStream
09/12/2005 08:25 PM <DIR> Sonic
09/06/2005 09:57 PM <DIR> Sun
06/13/2005 07:57 PM <DIR> Symantec
09/28/2005 11:34 PM <DIR> Talkback
09/06/2005 06:11 AM <DIR> Template
04/23/2006 11:13 PM <DIR> Tenebril
06/21/2006 07:23 PM <DIR> Thunderbird
03/07/2006 01:33 AM <DIR> WinPatrol
09/06/2005 06:11 AM 0 wklnhst.dat
03/28/2006 04:41 PM <DIR> wsInspector
04/29/2006 01:01 AM <DIR> ZipGenius
1 File(s) 0 bytes
30 Dir(s) 68,552,278,016 bytes free
Volume in drive C is HP_PAVILION
Volume Serial Number is 1CC6-0643

Directory of C:\Documents and Settings\Default User\Application Data

06/13/2005 01:47 PM <DIR> .
06/13/2005 01:47 PM <DIR> ..
01/26/2005 04:46 PM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 68,552,278,016 bytes free
Volume in drive C is HP_PAVILION
Volume Serial Number is 1CC6-0643

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C is HP_PAVILION
Volume Serial Number is 1CC6-0643

Directory of C:\Documents and Settings\NetworkService\Application Data

New HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 10:51:17 PM, on 7/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\BlueMouse\PERFECT SERIES\MULTI-DIRECTION OPTICAL MOUSE\1.4\MOUSE32A.EXE
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe
C:\Program Files\ONSPEED\onspeedcore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mightyfax\MFNTCTL.EXE
C:\Program Files\ONSPEED\onspeedgui.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ZipGenius 6\zipgenius.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ZGTemp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itsyourturn.com/iyt.dll?status??
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Carl's Web Connection
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5405
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ONSPEED\PBHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\ONSPEED\components\NOWImaging.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ONSPEED - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\ONSPEED\TOOLBAND.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\BlueMouse\PERFECT SERIES\MULTI-DIRECTION OPTICAL MOUSE\1.4\MOUSE32A.EXE
O4 - HKLM\..\Run: [keepitup] C:\Program Files\KEEPITUP!\keepitup.exe
O4 - HKLM\..\Run: [CleanDisk] C:\Yenicag\CleanDisk\clean.bat
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: TempCleaner.lnk = C:\Program Files\TempCleaner\TempCleaner.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\Mightyfax\MFNTCTL.EXE
O4 - Global Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ONSPEED\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ONSPEED\gui_resource.dll/328
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30967180-DD4B-4F87-B792-BD709427AEEC}: NameServer = 64.136.173.8 64.136.164.66
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Let me also say that I was unable to delete stripsaver2 through 'delete programs' since it wasn't listed. I did however delete all instances of it from my computer.

Where to from here?

[Ried]

Hi,

We're just about through here, but I'd like to double check something with you if I may. Did you unzip and extract the contents of the fl.zip to your desktop before running it?

[ZLRAC]

No. It's in C:\DOWNLOADS

[Ried]

I thought perhaps that may be what happened as the log didn't look complete.

Double click in the fl.zip to open it. In the panel on your left, click on 'Extract all contents', and extract it to your desktop. Now within that folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

[ZLRAC]

Okay, I did that, here it is...

Volume in drive C is HP_PAVILION
Volume Serial Number is 1CC6-0643

Directory of C:\Documents and Settings\All Users\Application Data

05/04/2006 07:54 PM <DIR> Adobe
12/28/2005 12:52 AM <DIR> Apple Computer
07/15/2006 08:00 AM <DIR> avg7
11/08/2005 01:29 AM <DIR> Grisoft
06/13/2005 08:06 PM <DIR> Hewlett-Packard
06/13/2005 07:18 PM 1,886 hpzinstall.log
06/13/2005 07:22 PM <DIR> InstallShield
11/07/2005 10:44 AM <DIR> QuickTime
06/13/2005 06:54 PM <DIR> SBSI
07/15/2006 06:41 AM <DIR> Spybot - Search & Destroy
08/20/2005 01:16 PM <DIR> Symantec
04/23/2006 11:02 PM <DIR> Tenebril
10/09/2005 04:55 PM <DIR> Trymedia
11/22/2005 09:17 PM <DIR> Viewpoint
08/18/2005 01:03 AM <DIR> Windows Genuine Advantage
1 File(s) 1,886 bytes
14 Dir(s) 68,514,758,656 bytes free
Volume in drive C is HP_PAVILION
Volume Serial Number is 1CC6-0643

Directory of C:\Documents and Settings\HP_Owner\Application Data

05/03/2006 11:59 PM <DIR> Adobe
05/04/2006 07:57 PM <DIR> AdobeUM
08/30/2005 12:13 AM <DIR> Aim
03/08/2006 01:07 AM <DIR> Apple Computer
11/08/2005 01:29 AM <DIR> AVG7
04/10/2006 12:03 AM <DIR> Desktop Sidebar
06/21/2006 09:00 PM <DIR> FrostWire
04/28/2006 10:23 PM <DIR> Google
09/08/2005 12:34 AM <DIR> Help
01/27/2005 07:53 PM <DIR> Identities
06/13/2005 07:54 PM <DIR> InterMute
08/14/2005 10:35 PM <DIR> InterVideo
08/23/2005 11:54 PM <DIR> Lavasoft
09/12/2005 08:24 PM <DIR> Leadertech
08/18/2005 12:09 AM <DIR> Macromedia
09/22/2005 02:20 AM <DIR> Morpheus
08/18/2005 11:13 PM <DIR> Mozilla
08/18/2005 03:18 AM <DIR> Real
06/13/2005 07:48 PM <DIR> SampleView
07/15/2006 12:08 PM <DIR> SlipStream
09/12/2005 08:25 PM <DIR> Sonic
09/06/2005 09:57 PM <DIR> Sun
06/13/2005 07:57 PM <DIR> Symantec
09/28/2005 11:34 PM <DIR> Talkback
09/06/2005 06:11 AM <DIR> Template
04/23/2006 11:13 PM <DIR> Tenebril
06/21/2006 07:23 PM <DIR> Thunderbird
03/07/2006 01:33 AM <DIR> WinPatrol
09/06/2005 06:11 AM 0 wklnhst.dat
03/28/2006 04:41 PM <DIR> wsInspector
04/29/2006 01:01 AM <DIR> ZipGenius
1 File(s) 0 bytes
30 Dir(s) 68,514,758,656 bytes free
Volume in drive C is HP_PAVILION
Volume Serial Number is 1CC6-0643

Directory of C:\Documents and Settings\Default User\Application Data

06/13/2005 01:47 PM <DIR> .
06/13/2005 01:47 PM <DIR> ..
01/26/2005 04:46 PM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 68,514,758,656 bytes free
Volume in drive C is HP_PAVILION
Volume Serial Number is 1CC6-0643

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C is HP_PAVILION
Volume Serial Number is 1CC6-0643

Directory of C:\Documents and Settings\NetworkService\Application Data

[Ried]

Hi ZLRAC,

One last item.

Viewpoint/Viewpoint Manager Is an advertising program by Viewpoint. This process monitors your browsing habits and distributes the data back to the authors and we recommend removing it.

Uninstall anything Viewpoint via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist.

**If it resists uninstall, boot into Safe Mode to uninstall.

---------------------------------

Delete the folder:

C:\Program Files\Viewpoint


Is your screensaver working properly now?

[ZLRAC]

Found viewpoint in C:\Program Files\AIM\Sysfiles, so I'm deleting it from there too! I'll let you know about my screensaver once I reboot.

[ZLRAC]

Aaarrgh! The screensaver still isn't fixed. It changed back to 'none' again!

What now?

[Ried]

We'll do another check to make sure nothing is lurking.

1. Download combofix from one of these locations:
   • http://www.techsupportforum.com/sectools/combofix.exe
   • http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

[ZLRAC]

I did it twice cause I think the first time Spybot res. or Spycatcher stopped something. Here's the 1st and second logs...

Start Time= Sat 07/15/2006 18:15:24.93
Running from: C:\Downloads

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon\Settings
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbue32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-09 0232 ( .D... ) "C:\Program Files\CleanUp!"
2006-06-23 09:28:56 5512704 ( ..... ) "C:\WINDOWS\system32\ieframe.dll"
2006-06-23 09:28:56 454144 ( ..... ) "C:\WINDOWS\system32\msfeeds.dll"
2006-06-23 09:28:56 413696 ( A.... ) "C:\WINDOWS\system32\vbscript.dll"
2006-06-23 09:28:56 223744 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2006-06-23 09:28:56 179200 ( ..... ) "C:\WINDOWS\system32\ieui.dll"
2006-06-23 09:28:56 155648 ( A.... ) "C:\WINDOWS\system32\msls31.dll"
2006-06-23 05:40:44 78848 ( A.... ) "C:\WINDOWS\system32\ieencode.dll"
2006-06-23 05:40:04 40960 ( A.... ) "C:\WINDOWS\system32\url.dll"
2006-06-23 05:39:52 39424 ( A.... ) "C:\WINDOWS\system32\licmgr10.dll"
2006-06-23 05:39:08 99328 ( A.... ) "C:\WINDOWS\system32\occache.dll"
2006-06-23 05:37:18 14336 ( A.... ) "C:\WINDOWS\system32\corpol.dll"
2006-06-23 05:34:30 228864 ( A.... ) "C:\WINDOWS\system32\ieaksie.dll"
2006-06-23 05:34:16 167936 ( A.... ) "C:\WINDOWS\system32\ieakeng.dll"
2006-06-23 05:34:06 81920 ( A.... ) "C:\WINDOWS\system32\admparse.dll"
2006-06-23 05:34:06 50688 ( A.... ) "C:\WINDOWS\system32\ie4uinit.exe"
2006-06-23 05:34:02 372736 ( A.... ) "C:\WINDOWS\system32\iedkcs32.dll"
2006-06-23 05:33:42 54272 ( A.... ) "C:\WINDOWS\system32\iesetup.dll"
2006-06-23 05:33:22 41984 ( A.... ) "C:\WINDOWS\system32\iernonce.dll"
2006-06-23 05:33:00 121856 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2006-06-23 05:29:56 55296 ( ..... ) "C:\WINDOWS\system32\icardie.dll"
2006-06-23 05:29:22 35328 ( A.... ) "C:\WINDOWS\system32\imgutil.dll"
2006-06-23 05:27:56 251392 ( ..... ) "C:\WINDOWS\system32\iertutil.dll"
2006-06-23 05:26:52 45568 ( A.... ) "C:\WINDOWS\system32\mshta.exe"
2006-06-23 04:46:30 377856 ( ..... ) "C:\WINDOWS\system32\ieapfltr.dll"
2006-06-23 04:45:30 48640 ( A.... ) "C:\WINDOWS\system32\mshtmler.dll"
2006-06-23 04:41:42 172032 ( A.... ) "C:\WINDOWS\system32\ieakui.dll"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 15:18:34 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"
2006-06-19 15:18:16 23552 ( ..... ) "C:\WINDOWS\system32\idndl.dll"
2006-06-19 15:18:16 20480 ( ..... ) "C:\WINDOWS\system32\normaliz.dll"
2006-06-02 00:26:24 ( .D... ) "C:\Program Files\Blubster"
2006-05-20 15:15:48 ( .D... ) "C:\Program Files\eMule"
2006-05-19 08:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-01 22:27:16 15360 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-04-25 21:28:50 29184 ( A.... ) "C:\WINDOWS\system32\sstunst2.exe"
2006-04-25 21:28:46 225280 ( A.... ) "C:\WINDOWS\FSScrCtl.exe"
2006-04-25 21:28:46 25600 ( A.... ) "C:\WINDOWS\QStart.exe"

Rootkit driver pe386 is present. A rootkit scan is required

Rootkit driver msguard is present. A rootkit scan is required


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-15 16:16 400,512 C:\WINDOWS\scorpionking_ssaver_pc.scr
2006-07-15 16:16 40,960 C:\WINDOWS\scorpionking_ssaver_pc.dll
2006-07-15 16:16 1,104,649 C:\WINDOWS\scorpionking_ssaver_pc.exe
2006-07-14 21:49 1,601,753,088 C:\hiberfil.sys
2006-07-13 02:22 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-13 02:22 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-13 01:30 1,966,080,000 C:\pagefile.sys
2006-07-01 15:01 117,760 C:\WINDOWS\system32\xmllite.dll
2006-06-23 09:28 5,512,704 C:\WINDOWS\system32\ieframe.dll
2006-06-23 09:28 47,616 C:\WINDOWS\system32\msfeedsbs.dll
2006-06-23 09:28 454,144 C:\WINDOWS\system32\msfeeds.dll
2006-06-23 09:28 179,200 C:\WINDOWS\system32\ieui.dll
2006-06-23 05:41 172,544 C:\WINDOWS\system32\WinFXDocObj.exe
2006-06-23 05:30 11,776 C:\WINDOWS\system32\msfeedssync.exe
2006-06-23 05:29 55,296 C:\WINDOWS\system32\icardie.dll
2006-06-23 05:27 251,392 C:\WINDOWS\system32\iertutil.dll
2006-06-23 04:46 377,856 C:\WINDOWS\system32\ieapfltr.dll
2006-06-19 15:18 23,552 C:\WINDOWS\system32\idndl.dll
2006-06-19 15:18 20,480 C:\WINDOWS\system32\normaliz.dll
2006-06-15 17:04 49,250 C:\WINDOWS\system32\javaw.exe
2006-06-15 17:04 49,248 C:\WINDOWS\system32\java.exe
2006-06-15 17:04 127,078 C:\WINDOWS\system32\javaws.exe
2006-06-06 00:17 33,533 C:\WINDOWS\system32\CoreVorbis-uninstall.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"BootSkin Startup Jobs"="\"C:\\PROGRA~1\\Stardock\\WINCUS~1\\BootSkin\\BootSkin.exe\" /StartupJobs"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"LWBMOUSE"="C:\\Program Files\\BlueMouse\\PERFECT SERIES\\MULTI-DIRECTION OPTICAL MOUSE\\1.4\\MOUSE32A.EXE"
"keepitup"="C:\\Program Files\\KEEPITUP!\\keepitup.exe"
"CleanDisk"="C:\\Yenicag\\CleanDisk\\clean.bat"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG Free\\avgcc.exe /STARTUP"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SlipStream"="\"C:\\Program Files\\ONSPEED\\onspeedcore.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"WinPatrol"="C:\\Program Files\\WinPatrol\\winpatrol.exe"
"!1_pgaccount"="\"C:\\Program Files\\ProcessGuard\\pgaccount.exe\""
"SpyCatcher Reminder"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"PCPitstop Optimize Registration Reminder"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"VideoraiPodConverter"="C:\\Program Files\\VideoraiPodConverter\\VideoraConverter.exe -t"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"!1_ProcessGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize"
"FreeRAM XP"="\"C:\\Program Files\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=dword:00000001
"NoSharedDocuments"=dword:00000000
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG Free\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG Free\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Updates from HP.lnk"
"backup"="C:\\WINDOWS\\pss\\Updates from HP.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\UPDATE~1\\309731\\Program\\UPDATE~1.EXE -startup"
"item"="Updates from HP"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
"path"="C:\\Documents and Settings\\HP_Owner\\Start Menu\\Programs\\Startup\\HP Organize.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Organize.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\HPORGA~1\\bin\\DISPLA~1.EXE \"-application\" \"core.hp.main/application.xml\" \"-appname\" \"eLife\""
"item"="HP Organize"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"



Contents of the 'Scheduled Tasks' folder

Completion time: Sat 07/15/2006 18:20:17.43
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-15.181524.txt

and the second...

Start Time= Sat 07/15/2006 18:23:53.53
Running from: C:\Downloads

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-09 0232 ( .D... ) "C:\Program Files\CleanUp!"
2006-06-23 09:28:56 5512704 ( ..... ) "C:\WINDOWS\system32\ieframe.dll"
2006-06-23 09:28:56 454144 ( ..... ) "C:\WINDOWS\system32\msfeeds.dll"
2006-06-23 09:28:56 413696 ( A.... ) "C:\WINDOWS\system32\vbscript.dll"
2006-06-23 09:28:56 223744 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2006-06-23 09:28:56 179200 ( ..... ) "C:\WINDOWS\system32\ieui.dll"
2006-06-23 09:28:56 155648 ( A.... ) "C:\WINDOWS\system32\msls31.dll"
2006-06-23 05:40:44 78848 ( A.... ) "C:\WINDOWS\system32\ieencode.dll"
2006-06-23 05:40:04 40960 ( A.... ) "C:\WINDOWS\system32\url.dll"
2006-06-23 05:39:52 39424 ( A.... ) "C:\WINDOWS\system32\licmgr10.dll"
2006-06-23 05:39:08 99328 ( A.... ) "C:\WINDOWS\system32\occache.dll"
2006-06-23 05:37:18 14336 ( A.... ) "C:\WINDOWS\system32\corpol.dll"
2006-06-23 05:34:30 228864 ( A.... ) "C:\WINDOWS\system32\ieaksie.dll"
2006-06-23 05:34:16 167936 ( A.... ) "C:\WINDOWS\system32\ieakeng.dll"
2006-06-23 05:34:06 81920 ( A.... ) "C:\WINDOWS\system32\admparse.dll"
2006-06-23 05:34:06 50688 ( A.... ) "C:\WINDOWS\system32\ie4uinit.exe"
2006-06-23 05:34:02 372736 ( A.... ) "C:\WINDOWS\system32\iedkcs32.dll"
2006-06-23 05:33:42 54272 ( A.... ) "C:\WINDOWS\system32\iesetup.dll"
2006-06-23 05:33:22 41984 ( A.... ) "C:\WINDOWS\system32\iernonce.dll"
2006-06-23 05:33:00 121856 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2006-06-23 05:29:56 55296 ( ..... ) "C:\WINDOWS\system32\icardie.dll"
2006-06-23 05:29:22 35328 ( A.... ) "C:\WINDOWS\system32\imgutil.dll"
2006-06-23 05:27:56 251392 ( ..... ) "C:\WINDOWS\system32\iertutil.dll"
2006-06-23 05:26:52 45568 ( A.... ) "C:\WINDOWS\system32\mshta.exe"
2006-06-23 04:46:30 377856 ( ..... ) "C:\WINDOWS\system32\ieapfltr.dll"
2006-06-23 04:45:30 48640 ( A.... ) "C:\WINDOWS\system32\mshtmler.dll"
2006-06-23 04:41:42 172032 ( A.... ) "C:\WINDOWS\system32\ieakui.dll"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 15:18:34 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"
2006-06-19 15:18:16 23552 ( ..... ) "C:\WINDOWS\system32\idndl.dll"
2006-06-19 15:18:16 20480 ( ..... ) "C:\WINDOWS\system32\normaliz.dll"
2006-06-02 00:26:24 ( .D... ) "C:\Program Files\Blubster"
2006-05-20 15:15:48 ( .D... ) "C:\Program Files\eMule"
2006-05-19 08:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-01 22:27:16 15360 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-04-25 21:28:50 29184 ( A.... ) "C:\WINDOWS\system32\sstunst2.exe"
2006-04-25 21:28:46 225280 ( A.... ) "C:\WINDOWS\FSScrCtl.exe"
2006-04-25 21:28:46 25600 ( A.... ) "C:\WINDOWS\QStart.exe"

Rootkit driver pe386 is present. A rootkit scan is required

Rootkit driver msguard is present. A rootkit scan is required


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-15 16:16 400,512 C:\WINDOWS\scorpionking_ssaver_pc.scr
2006-07-15 16:16 40,960 C:\WINDOWS\scorpionking_ssaver_pc.dll
2006-07-15 16:16 1,104,649 C:\WINDOWS\scorpionking_ssaver_pc.exe
2006-07-14 21:49 1,601,753,088 C:\hiberfil.sys
2006-07-13 02:22 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-13 02:22 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-13 01:30 1,966,080,000 C:\pagefile.sys
2006-07-01 15:01 117,760 C:\WINDOWS\system32\xmllite.dll
2006-06-23 09:28 5,512,704 C:\WINDOWS\system32\ieframe.dll
2006-06-23 09:28 47,616 C:\WINDOWS\system32\msfeedsbs.dll
2006-06-23 09:28 454,144 C:\WINDOWS\system32\msfeeds.dll
2006-06-23 09:28 179,200 C:\WINDOWS\system32\ieui.dll
2006-06-23 05:41 172,544 C:\WINDOWS\system32\WinFXDocObj.exe
2006-06-23 05:30 11,776 C:\WINDOWS\system32\msfeedssync.exe
2006-06-23 05:29 55,296 C:\WINDOWS\system32\icardie.dll
2006-06-23 05:27 251,392 C:\WINDOWS\system32\iertutil.dll
2006-06-23 04:46 377,856 C:\WINDOWS\system32\ieapfltr.dll
2006-06-19 15:18 23,552 C:\WINDOWS\system32\idndl.dll
2006-06-19 15:18 20,480 C:\WINDOWS\system32\normaliz.dll
2006-06-15 17:04 49,250 C:\WINDOWS\system32\javaw.exe
2006-06-15 17:04 49,248 C:\WINDOWS\system32\java.exe
2006-06-15 17:04 127,078 C:\WINDOWS\system32\javaws.exe
2006-06-06 00:17 33,533 C:\WINDOWS\system32\CoreVorbis-uninstall.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"BootSkin Startup Jobs"="\"C:\\PROGRA~1\\Stardock\\WINCUS~1\\BootSkin\\BootSkin.exe\" /StartupJobs"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"LWBMOUSE"="C:\\Program Files\\BlueMouse\\PERFECT SERIES\\MULTI-DIRECTION OPTICAL MOUSE\\1.4\\MOUSE32A.EXE"
"keepitup"="C:\\Program Files\\KEEPITUP!\\keepitup.exe"
"CleanDisk"="C:\\Yenicag\\CleanDisk\\clean.bat"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG Free\\avgcc.exe /STARTUP"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SlipStream"="\"C:\\Program Files\\ONSPEED\\onspeedcore.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"!1_pgaccount"="\"C:\\Program Files\\ProcessGuard\\pgaccount.exe\""
"PCPitstop Optimize Registration Reminder"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"!1_ProcessGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize"
"FreeRAM XP"="\"C:\\Program Files\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=dword:00000001
"NoSharedDocuments"=dword:00000000
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG Free\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG Free\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Updates from HP.lnk"
"backup"="C:\\WINDOWS\\pss\\Updates from HP.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\UPDATE~1\\309731\\Program\\UPDATE~1.EXE -startup"
"item"="Updates from HP"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
"path"="C:\\Documents and Settings\\HP_Owner\\Start Menu\\Programs\\Startup\\HP Organize.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Organize.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\HPORGA~1\\bin\\DISPLA~1.EXE \"-application\" \"core.hp.main/application.xml\" \"-appname\" \"eLife\""
"item"="HP Organize"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"



Contents of the 'Scheduled Tasks' folder

Completion time: Sat 07/15/2006 18:24:59.15
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-15.181524.txt
ComboFix.2006-07-15.182353.txt

[Ried]

Hi,

I'm not seeing anything in that log.

Quote:

but if I pick a screensaver, the next time I turn my computer on, it defaults back to (none.) How do I get it to stop doing this? I think a screensaver management type program may have caused this at some point but I'm not sure which one.

Which programs do you have installed that would be involved in this?

[ZLRAC]

That's what I'd like to know! Maybe that's not it, maybe it something else. Some default setting in the registry maybe? Not really my area of expertise. My concern, other than it being a nuisance, is that if I leave my computer on for a while with out a screensaver and the monitor is on there is a chance of 'burn-in.' Besides, I want it to work properly.

[Ried]

Nor is it my area of expertise. My suggestion is for you to post this problem in the Windows XP section of this Forum and let the experts there help you out. Do let them know you've been cleared in the HijackThis forum.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links.


Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and free downloads are available at the following links:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.