zetamainhosting, taking over my computer

lisa0477 · 09-04-2006, 12:51 PM

Quick review of what I have done.

Open internet explorer and ztamainhosting is on my home page, cannot change this. Has porn pictures on it.

I ran Panda it found nothing.

I ran etrust pest control, it found dlsearchbar I believe it was called, I deleted it. I tried to find it manually but could not, it was in the Hkey files and I am not sure where those are I have seen them and of course can't remember.

I ran housecall and it found a ton of things, it deleted them then told me to reboot and I did and it said it got rid of the rest, however I am still having the same problem.

I went through all the steps before posting this and I thought I did it all right, but obviously I didn't. Any help would be appreciated.

I do not know if this is important or not but I was looking on my desktop and saw this Registrar registry manager and it has all those H-key things on it. It says it is the Lite/Trial edition. Not sure what this is but it has those same green cube blocks just like the viruses found on the house call scan.

Okay here is my highjack scan

Logfile of HijackThis v1.99.1
Scan saved at 1:30:12 PM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestdailystuff.info/?Enter=We...%20www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {59B2AEF9-416F-6EA9-4DFC-3ADD559F552F} - C:\WINDOWS\nzfgduio.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5316EA3C-BE2F-23CB-1240-149E4DD88F79} - C:\WINDOWS\nzfgduio.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {97C80DFE-7747-8D58-9D68-000C9815E6B2} - C:\WINDOWS\nzfgduio.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.af.mil
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.shizmoo.com/activex/web665.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.249.81.101/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv2.view22.com/view22/app/view22rte.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/z...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

lisa0477 · 09-05-2006, 01:21 PM

"bump"

**Deckard** · 09-06-2006, 11:59 PM

Hello and welcome to TSF!

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

**Deckard** · 09-07-2006, 08:58 AM

Hello lisa0477,

We should be able to get you cleaned up. Did Panda produce a log at all, or did it find absolutely nothing? What about Ewido? If you ran a previous scan with Ewido, please include that log with your next post. Previous logs should be in

C:\Program Files\ewido anti-spyware 4.0\Reports

Also include any logs from the other scanners you ran. They'll help give me insight into what your computer had (or still has).

These two lines may be keeping you from changing your home page:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

SpyBot Search & Destroy may have set these restrictions for you. Do you remember if you had SpyBot lock IE from making certain changes? If you can't remember, we'll fix them after your next reply.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.

Antivirus Required
I notice that you do not appear to have an active antivirus program. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer. Here are two very good free antivirus products which are available:

Avast!
AVG

Please install one of these now. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestdailystuff.info/?Enter=Website%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {59B2AEF9-416F-6EA9-4DFC-3ADD559F552F} - C:\WINDOWS\nzfgduio.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {5316EA3C-BE2F-23CB-1240-149E4DD88F79} - C:\WINDOWS\nzfgduio.dll (file missing)
O3 - Toolbar: Search - {97C80DFE-7747-8D58-9D68-000C9815E6B2} - C:\WINDOWS\nzfgduio.dll (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O18 - Filter: text/html - (no CLSID) - (no file)

Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis.

Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database: extended
- Scan Options: Scan Archives and Scan Mail Bases
Click OK
Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
Now under select a target to scan, select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run all the way.
Once the scan is complete it will display if your system has been infected.
Click on the Save as Text button and save the file to your desktop.
Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

Generate An Uninstall List

Open HijackThis.
Click on the "Configure" button on the bottom right.
Click on the tab "Misc Tools".
Click on the Box that says "Open Uninstall Manager".
Click on the button "Save list"

Please save a copy and paste the contents with your next reply.

With Your Next Post...
Please paste the following with your next reply (in this order please):

Any logfiles (eTrust, Housecall, Ewido, etc.) from the scans you've already taken,
Kaspersky Scan report,
your uninstall list,
a new HiJackThis log taken after Kaspersky finishes.

lisa0477 · 09-07-2006, 02:31 PM

Ewido

C:\Documents and Settings\Jeff\Cookies\jeff@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@ads.addynamix[1].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.

Kaspersky

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 60808
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:37:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Jeff\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jeff\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1A1A8B93-C87C-4C86-A5BB-CAFC1F1B8159}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd1917.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Highjackthis

ABBYY FineReader 5.0 Sprint
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.8
Adobe Stock Photos 1.0
AVG Free Edition
CA eTrust PestPatrol
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab Decrypter 2.9.7.9
ewido anti-spyware 4.0
EZ-DUB
EZ-DUB Finder
FaxTools
GdiplusUpgrade
Google Toolbar for Internet Explorer
Hello (remove only)
HijackThis 1.99.1
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
ICS Viewer 6.0
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Kaspersky Online Scanner
K-Lite Codec Pack 2.41 Full
Lexmark X1100 Series
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft ActiveX Control Pad
Microsoft Money 2005
Microsoft Office Professional Edition 2003
Microsoft Picture It! Photo 2001
Microsoft Web Publishing Wizard 1.52
mIRC
MSN
MSN Music Assistant
Nero 7 Ultra Edition
OfficeReady Professional 3.0 Sampler
PamperedPartner® 13.2
Panda ActiveScan
Picasa 2
Print Shop Photo Projects
Quicklinks
QuickTime
RealOne Player
Registrar Registry Manager 4.01
Registrar Registry Manager 4.01 (Lite/Trial Edition)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Shizmoo Web Games (Uproar)
Shockwave
SmartFTP
Turbo Torrent 1.1.2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver

final highjack
Logfile of HijackThis v1.99.1
Scan saved at 15:29, on 06-09-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.af.mil
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.shizmoo.com/activex/web665.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.249.81.101/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv2.view22.com/view22/app/view22rte.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Hope this works! Thanks for your time.

**Deckard** · 09-08-2006, 12:36 AM

Awesome. You look clean. Since you don't have Symantec on your system any longer, you can safely remove "LiveUpdate 2.6 (Symantec Corporation)" from your Add/Remove Programs in the Control Panel.

Any more issues? If not, you should be good to go but we still have a few items we'd like to address.

Reset System Restore

Go to Start>Run, type SYSDM.CPL and press Enter.
Select the System Restore tab.
Check "Turn off System Restore on all drives" and click Apply.
Now uncheck the same option and click OK.

Microsoft Updates
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection.

Enable Windows Auto Update:

Go to Start>Run, type WUAUCPL.CPL and press Enter.
Make sure "Keep my computer up to date" is checked.
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Update Java
We need to update your Java as it is out of date. Older versions can be a security risk as malware writers have been known exploit the weaknesses the code.

Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
Search in the list for all previous installed versions of Java (Java 2 Runtime Environment SE and/or J2SE Runtime Environment) and Uninstall/Remove them.
Download and install the newest version from Sun.
After the reboot, go back into the Control Panel and double-click the Java icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL three checked:
- Downloaded Applets
- Downloaded Applications
- Other Files
Click OK on Delete Temporary Files Window. NOTE: This deletes ALL of the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

Malware Prevention
This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them.

Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer".

The following is a list of free software we recommend:

Antivirus
AV software should be updated at least once a week for optimum protection. Here are some free AV programs available for personal use. NOTE: Do not install more than one AV program because they will conflict with each other. Only pick one.

Firewalls
A good firewall is the first-line of defense for your computer and will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use:

Realtime Malware Prevention Tools
These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time.

Passive Malware Prevention Tools
These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.

SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on it's homepage.
MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements, preventing your computer from connecting to those sites.
McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.

Alternative Web Browsers
Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Alternative Miscellaneous
Here are some alternatives that are worth looking into if you use their features:

Trillian - an Instant Messenger client that speaks multiple IM services (AIM, Yahoo!, ICQ, MSN, etc.)
Miranda-IM - another Instant Messenger client with multiple IM capabilities.
Desktop Weather - A taskbar weather program that is free and resource light.

Please respond to this thread one more time so we can mark this thread as resolved.

lisa0477 · 09-08-2006, 07:20 AM

I have a couple of questions before you leave me if you do not mind. I just finished all that you wrote last except for adding a few things. I want to make sure I got this right so hang in there. I have on my computer

Ewido-which I believe since I have not paid for this it is mainly a scanning tool.
Etrust pest control-this says it is protecting my computer but it is not, I do use it for scans though becasue it picks up things the other ones didn't.

I downloaded AVG yesterday, I am hoping I did it right and it is protecting my computer, but since I have had it (here comes question) I have scanned for viruses with Ewido and it has found a ton. Most of them are in cookies and a few in my documents. I quarintine and delete them. Does AVG have a scan tool, or is it suppose to be checking itself? I do see on my emails now that it shows it checked them.

Next question is this, say I pick these following to download,
AVG (have)
sygate p firewall
spyware guard

and spywareblaster
IE-spyad (you said I could have more than one of these right?)

Now having all the above they will not counter act eachother? I do see you put them under different sections, I just want to be sure I am getting it right. I am so tired of these viruses.
My last Question is this--
My windows firewall was off, because it sometimes will not let me on the internet at all. It is on and I can be on the internet at the moment but if I download one of the others will it matter if the windows one is on or off?

Oh forgot will all these downloads together help me stop getting things in my cookies (lol)? I use the ATF cleanup so I constantly dump it all. As soon as I get stuff cleaned these same ones are back on there.

Okay, after this I will leave you alone!! You dear paitent person!!

lisa0477 · 09-08-2006, 02:14 PM

Okay just wanted to let you know what I did, and I am so excited. Okay,
I did AVG, Sygate P firewall, spyware guard and IE spyad and I am using firefox.
Holy crap what a difference this has made. It is hauling a*s. I am so greatful for this. You rock! Can you just double check my questions aove to make sure I have not done anything wrong. THANKS sooooooooo much!

**Deckard** · 09-08-2006, 08:30 PM

It's amazing what a difference just a few programs can make, huh?

Sorry it took me all day to get back to your questions, but here are your answers.

Quote:

I have on my computer

Ewido-which I believe since I have not paid for this it is mainly a scanning tool.
Etrust pest control-this says it is protecting my computer but it is not, I do use it for scans though becasue it picks up things the other ones didn't.

You're welcome to keep both installed. These are both malware/spyware scanners and shouldn't interfere with each other. I believe after a period of time they lose some of their functionality, but I believe you can still keep them updated and do a manual scan with them.

Quote:

I downloaded AVG yesterday, I am hoping I did it right and it is protecting my computer, but since I have had it (here comes question) I have scanned for viruses with Ewido and it has found a ton. Most of them are in cookies and a few in my documents. I quarintine and delete them.

Good, good.

Quote:

Does AVG have a scan tool, or is it suppose to be checking itself? I do see on my emails now that it shows it checked them.

Yes, to both questions. It should check for updates and scan your computer every day or so, but you can manually scan at any time by double-clicking the AVG icon in your taskbar and select "Test Center" on the left. This will pop up another window with an option to scan your computer.

AVG also does real-time scanning when you open files.

Quote:

Next question is this, say I pick these following to download,
AVG (have)
sygate p firewall
spyware guard
and spywareblaster
IE-spyad (you said I could have more than one of these right?)

Now having all the above they will not counter act eachother? I do see you put them under different sections, I just want to be sure I am getting it right. I am so tired of these viruses.

Yep - all those are compatible with each other and will protect you in different ways. Spyware Guard is a real-time protection program, where Spyware Blaster and IE-Spyad offer passive protection. Spyware Blaster sets kill bits in your registry so that certain known malware cannot run on your computer. If you don't register Spyware Blaster, you will need to manually update every other week or so.

IE-SpyAd puts known malicious websites into your Restricted Sites list, where they can't run any code. This is sort-of a one-shot program with no update feature, but re-downloading it periodically and reinstalling it's protection will add more entries.

These passive programs do not slow down your computer in any way because they are not running. Now that you have multiple layers of protection, any virus or malware that tries to get on your computer at least has to fight.

Quote:

My windows firewall was off, because it sometimes will not let me on the internet at all. It is on and I can be on the internet at the moment but if I download one of the others will it matter if the windows one is on or off?

Since you say you have Sygate's firewall, you can leave Windows Firewall turned off. Having multiple firewalls running can keep you from getting on the Internet. Microsoft's firewall is barely adequate for what it does.

Quote:

Oh forgot will all these downloads together help me stop getting things in my cookies (lol)? I use the ATF cleanup so I constantly dump it all. As soon as I get stuff cleaned these same ones are back on there.

It should. If you download and install the MVPS Hosts File (see directions in my previous post), it will block most known ad sites. It's passive protection so it shouldn't negatively impact your computer. Plus, it works for any web browser you use.

Quote:

Okay, after this I will leave you alone!! You dear paitent person!!

You had some very good questions. I hope I was able to answer them for you. Take care and be safe!

lisa0477 · 09-08-2006, 10:21 PM

I know I don't stop... sorry. I promise to try and make this my last.

my firewall said I had 3 highjackers, so I went to read everything because I wasn't sure if it meant it bloked them or detected them. From what I read it does not delete them. So I ran etrust scan and it found a trojan, I am assuming it is off. I went to the actual file and deleted it. Would you mind if I did one more set of logs for you so you can give me the final boot? Thanks so much. I am going to go ahead and post them. Can we donate to you guys on here? I really appreciate the help.

On this firewall I have now, it keeps showing this one IP trying to get in constantly. It is just crazy what you can do with a computer.

Ok here are the logs thanks again you are my internet angel. :3angel3:

first this was the file at etrust- Key "hkey_current_user \software\microsoft\windows\currentversion\internet settings\zonemap\domains\phishingfix.biz"
it said it was this- Trojan.RegFish.A

well I would like to show you a highjack log now but for some reason it says it is getting stuck on 015 and it freezes.

Little worried now.

sorry I am such a pest

lisa0477 · 09-08-2006, 10:24 PM

Jeff - 06-09-08 22:52:27.84
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Jeff\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-08 to 2006-09-08 ))))))))))))))))))))))))))))))))))

2006-09-08 12:21 21,312 --a------ C:\WINDOWS\choice.exe
2006-09-08 08:29 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2006-09-07 23:58 66,484 --a------ C:\WINDOWS\system32\PGPlspRollback.reg
2006-08-23 12:38 147,495 --a------ C:\WINDOWS\system32\rmocx.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-08 22:49 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-08 14:29 -------- d-------- C:\Documents and Settings\Jeff\Application Data\Mozilla
2006-09-08 12:54 -------- d-------- C:\Program Files\SpywareGuard
2006-09-08 12:54 -------- d-------- C:\Documents and Settings\Jeff\Application Data\SiteAdvisor
2006-09-08 12:53 -------- d-------- C:\Program Files\SiteAdvisor
2006-09-08 08:29 -------- d-------- C:\Program Files\Sygate
2006-09-08 08:28 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-09-08 08:28 -------- d-------- C:\Program Files\Common Files
2006-09-08 07:57 -------- d-------- C:\Program Files\Google
2006-09-08 07:56 -------- d-------- C:\Program Files\Java
2006-09-08 07:55 -------- d-------- C:\Program Files\Common Files\Java
2006-09-08 07:42 -------- d-------- C:\Program Files\Symantec
2006-09-08 07:42 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-08 00:01 -------- d-------- C:\Documents and Settings\Jeff\Application Data\PGP Corporation
2006-09-07 23:58 -------- d-------- C:\Program Files\Common Files\PGP Corporation
2006-09-07 12:37 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-07 12:37 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-07 12:37 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-07 12:37 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-09-07 12:37 -------- d-------- C:\Documents and Settings\Jeff\Application Data\AVG7
2006-09-07 12:36 -------- d-------- C:\Program Files\Grisoft
2006-09-07 12:28 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-05 18:28 -------- d-------- C:\Program Files\Lexmark X1100 Series
2006-09-04 12:27 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-04 12:27 -------- d-------- C:\Program Files\Internet Explorer
2006-08-24 06:16 -------- d-------- C:\Documents and Settings\Jeff\Application Data\uTorrent
2006-08-23 12:37 -------- d-------- C:\Documents and Settings\Jeff\Application Data\Real
2006-08-23 12:20 723 --a------ C:\Program Files\INSTALL.LOG
2006-08-23 12:20 -------- d-------- C:\Program Files\Real
2006-08-23 12:20 -------- d-------- C:\Program Files\Common Files\xing shared
2006-08-23 12:20 -------- d-------- C:\Program Files\Common Files\Real
2006-08-23 12:20 -------- d-------- C:\Program Files\aod
2006-08-06 00:46 -------- d-------- C:\Program Files\Windows Live Safety Center
2006-08-06 00:45 -------- d-------- C:\Program Files\Hijackthis
2006-08-06 00:40 -------- d-------- C:\Documents and Settings\Jeff\Application Data\Nova Development
2006-08-06 00:34 -------- d-------- C:\Program Files\Adobe
2006-08-05 17:37 -------- d-------- C:\Program Files\TPS Photo Projects Suite
2006-08-04 21:23 -------- d-------- C:\Program Files\Cox
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 08:28 -------- d-------- C:\Documents and Settings\Jeff\Application Data\Adobe
2006-07-26 08:24 -------- d-------- C:\Program Files\Common Files\Adobe
2006-07-25 15:25 -------- d-------- C:\Program Files\Microsoft Picture It! PhotoPub
2006-07-24 17:56 -------- d-------- C:\Program Files\ewido anti-malware
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-17 09:45 1038 --a------ C:\Documents and Settings\Jeff\Application Data\AdobeDLM.log
2006-07-17 09:45 0 --a--c--- C:\Documents and Settings\Jeff\Application Data\dm.ini
2006-07-10 11:27 -------- d-------- C:\Program Files\TorrenTopia
2006-06-23 11:33 349 --a------ C:\Documents and Settings\Jeff\Application Data\HelpFilesUpdatePatch_PRINTHELPWRAPPER.log
2006-06-23 11:33 0 --a------ C:\Documents and Settings\Jeff\Application Data\HelpFilesUpdatePatch_HELPFILEREPLACE.log

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"masqform.exe"="C:\\Program Files\\PureEdge\\Viewer 6.0\\masqform.exe -UpdateCurrentUser"
"Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"EPSON Stylus CX3800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIACA.EXE /P26 \"EPSON Stylus CX3800 Series\" /O6 \"USB002\" /M \"Stylus CX3800\""
"HPHUPD08"="C:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust PestPatrol\\PPActiveDetection.exe\""
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Nero\\data\\Xtras\\mssysmgr.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"RealPlayer"="\"C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDriveAutoRun"=dword:ffffffff

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

Completion time: 06-09-08 22:53:26.75
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

Thought maybe this might help?? Don't really know about this one

**Deckard** · 09-09-2006, 02:14 AM

Hello again!

As long as you're still having issues, we'll be here for you. You're welcome to donate if you wish -- there's a link in my signature.

HijackThis will take a little longer to scan your O15s now because you have the extra protection from IE-SpyAd. IE-SpyAd has added all those restricted sites to your registry, and HijackThis has to scan through all of that even though it doesn't end up displaying them. There are thousands of entries from IE-SpyAd, so give it some extra time. It'll finish eventually.

Even with the ComboFix log, I don't see anything obvious. Do you remember what the trojan's name was that you deleted?

Let's run a couple more tools to see if we can find anything. But before that, I noticed you may have P2P software (i.e. TorrenTopia, uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Download SilentRunners
Please download SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts.

Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete.

When it's done, you'll receive the prompt "All Done!". It will create a file with a name lie "Startup Programs (COMPUTERNAME) DATE TIME.txt". Post ALL its contents here in your next reply.

Download Blacklight Beta
Download and run Blacklight.

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next, and then click on Close.

BlackLight beta should create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.

Save PestPatrol Logfile
Start eTrust PestPatrol. Click on the Advanced Settings text, the click on Log under the Manage section. Click the Save Log button and save the file to your Desktop. It should be named PestPatrol5Log.csv. You can open this file up in Notepad -- please post it's contents with your next reply.

With Your Next Post...
Please paste the following with your next reply (in this order please):

The contents of the file named similar to Startup Programs (COMPUTERNAME) DATE TIME.txt,
The contents of the Blacklight fsbl-<date-and-time>.log,
The contents of PestPatrol5Log.csv,
The latest Ewido log from C:\Program Files\ewido anti-spyware 4.0\Reports, and
a new HiJackThis log.

lisa0477 · 09-09-2006, 10:02 PM

1.
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PhotoShow Deluxe Media Manager" = "C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [file not found]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]
"RealPlayer" = ""C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot" ["RealNetworks, Inc."]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"masqform.exe" = "C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser" ["PureEdge Solutions Inc."]
"Lexmark X1100 Series" = ""C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"" ["Lexmark International, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" [file not found]
"EPSON Stylus CX3800 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"" [file not found]
"HPHUPD08" = "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" ["Hewlett-Packard"]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"NWEReboot" = (empty string)
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"eTrustPPAP" = ""C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"" ["Computer Associates"]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\SiteAdv.dll" ["McAfee, Inc."]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{294B1796-3431-4383-9EC9-88FE1A9D0BA5}" = "SendMailExt Extension"
-> {HKLM...CLSID} = "SendMailExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mail052e.dll" [file not found]
"{CCA60260-A2C9-11D2-BA62-0020188191B2}" = "Registrar Registry Manager SHell Extension"
-> {HKLM...CLSID} = "Registrar Registry Manager SHell Extension"
\InProcServer32\(Default) = "rrShellX.dll" [file not found]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\christmas\DSC00930.jpg"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssmypics.scr" [MS]

Startup items in "Jeff" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Jeff\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B13B4423-2647-4CFC-A4B3-C7D56CB83487}\
"ButtonText" = "Share in Hello"
"MenuText" = "Share in H&ello"
"CLSIDExtension" = "{B13B4423-2647-4cfc-A4B3-C7D56CB83487}"
-> {HKLM...CLSID} = "IECmdExecute Class"
\InProcServer32\(Default) = "C:\Program Files\Hello\PicasaCapture.dll" ["Picasa, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON Stylus CX3800 Series 2KMonitor5A\Driver = "E_FLMACA.DLL" ["SEIKO EPSON CORPORATION"]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PCL Language Monitor\Driver = "hpz3l3xu.dll" ["Hewlett-Packard Company"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 137 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 91 seconds.
---------- (total run time: 294 seconds)

2. Blacklight did not produce a log, it said it was clean.

3. ok, the pest control log saves in excel and it won't let me post it on here, I have tried to save it a different way and I can't any suggestions? I would like you to see it.

4.
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:25 06-09-07

+ Scan result:

C:\Documents and Settings\Jeff\Cookies\jeff@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@ads.addynamix[1].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.

::Report end

5.Logfile of HijackThis v1.99.1
Scan saved at 22:45, on 06-09-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Money 2005\MNYCoreFiles\mnybbsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.af.mil
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.shizmoo.com/activex/web665.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.249.81.101/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv2.view22.com/view22/app/view22rte.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Ok I think I did it right, just having trouble with the Pest log.

This below you did not ask for, but it is the log from the firewall showing what highjack things were trying to get in my computer or were detected.

1 09/08/2006 12:17:52 Application Hijacking Information Outgoing TCP www.javacoolsoftware.com [67.43.10.91] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe Jeff MOMANDDAD Normal 1 09/08/2006 12:16:48 09/08/2006 12:16:48
2 09/08/2006 12:55:43 Application Hijacking Information Outgoing TCP dss1.siteadvisor.com [216.143.70.105] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\OTI3QJ85\saSetup[1].exe Jeff MOMANDDAD Normal 1 09/08/2006 12:54:41 09/08/2006 12:54:41
3 09/08/2006 20:14:31 Application Hijacking Critical Outgoing None 0.0.0.0 FF-FF-FF-FF-FF-FF 0.0.0.0 00-E0-18-5F-E1-A8 C:\Program Files\Common Files\Real\Update_OB\realsched.exe Jeff MOMANDDAD Normal 1 09/08/2006 20:14:12 09/08/2006 20:14:12
4 09/08/2006 22:31:52 Application Hijacking Information Outgoing TCP guru.grisoft.com [193.86.3.38] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Program Files\Grisoft\AVG Free\avgwb.dat Jeff MOMANDDAD Normal 1 09/08/2006 22:30:49 09/08/2006 22:30:49
5 09/08/2006 22:33:58 Application Hijacking Information Outgoing TCP www.pestpatrol.com [141.202.248.57] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Program Files\CA\eTrust PestPatrol\PestPatrol5.exe Jeff MOMANDDAD Normal 1 09/08/2006 22:32:56 09/08/2006 22:32:56
6 09/08/2006 23:45:23 Application Hijacking Information Outgoing TCP www.safer-networking.org [212.227.253.104] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Documents and Settings\Jeff\Desktop\spybotsd14(2).exe Jeff MOMANDDAD Normal 1 09/08/2006 23:44:19 09/08/2006 23:44:19
7 09/08/2006 23:45:29 Application Hijacking Information Outgoing TCP www.safer-networking.org [212.227.253.104] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Documents and Settings\Jeff\Desktop\spybotsd14(2).exe Jeff MOMANDDAD Normal 1 09/08/2006 23:44:26 09/08/2006 23:44:26
8 09/09/2006 08:23:23 Application Hijacking Critical Outgoing TCP en-us.start.mozilla.com [216.239.51.104] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe Jeff MOMANDDAD Normal 1 09/09/2006 08:22:18 09/09/2006 08:22:18
9 09/09/2006 09:07:09 Application Hijacking Information Outgoing TCP www.google.com [64.233.161.99] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe Jeff MOMANDDAD Normal 1 09/09/2006 09

04 09/09/2006 09

04
10 09/09/2006 11:30:51 Application Hijacking Information Outgoing TCP guru.grisoft.com [193.86.3.38] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Program Files\Grisoft\AVG Free\avgamsvr.exe Jeff MOMANDDAD Normal 1 09/09/2006 11:29:45 09/09/2006 11:29:45
11 09/09/2006 11:30:51 Application Hijacking Information Outgoing TCP guru.grisoft.com [193.86.3.36] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Program Files\Grisoft\AVG Free\avgamsvr.exe Jeff MOMANDDAD Normal 1 09/09/2006 11:29:47 09/09/2006 11:29:47
12 09/09/2006 21:47:23 Application Hijacking Information Outgoing TCP nexus.passport.com [65.54.179.228] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Program Files\Microsoft Money 2005\MNYCoreFiles\mnybbsvc.exe Jeff MOMANDDAD Normal 1 09/09/2006 21:46:18 09/09/2006 21:46:18
13 09/09/2006 21:47:23 Application Hijacking Information Outgoing TCP nexus.passport.com [65.54.179.228] 00-13-46-15-3A-CC 192.168.0.100 00-E0-18-5F-E1-A8 C:\Program Files\Microsoft Money 2005\MNYCoreFiles\mnybbsvc.exe Jeff MOMANDDAD Normal 1 09/09/2006 21:46:20 09/09/2006 21:46:20

lisa0477 · 09-10-2006, 11:28 AM

I just wanted to let you know that I found sillyDI YQ in hkey_local_machine\software\policies

it was in etrust and I deleted them so hopefully they are really gone. I wish I could show you the log from them I just can't figure out how to post or change it from excel.

lisa0477 · 09-10-2006, 11:30 AM

shoot one more thing I kept forgetting to tell you. I can delete utorrent and the others we don't use them anymore, but I do use myspace and I think that is killing me what do you think?

**Deckard** · 09-10-2006, 12:31 PM

Hi,

Sorry I didn't get back to you last night. My computer started acting up and I shut it down for the night. It seems to be happier now.

I don't see anything in your StartDreck logs, and all those entries in your firewall log are from legitimate programs (SiteAdvisor, PestPatrol, AVG, Google Desktop, Real Player, Microsoft Money). I'm not sure why they say "Hijacking" but they're really not. You may need to tell your firewall that these connections are okay and to not warn you about them.

For the ePest log file that would only open in Excel, next time you can tell the file to open in another application. Right-click on the icon and select "Open With" and either select Notepad from the menu or choose Notepad under the "Choose Program..." option. No need to do it now; I'm fairly convinced that you're fine.

I'm glad you found the registry key. That may have driven me nuts for awhile.

And regarding MySpace, it's fairly safe. There has been some talk recently that some malware is spreading through MySpace ads every so often, but you should be protected from it as long as you stay up to date with your patches.

Be safe!

lisa0477 · 09-11-2006, 02:57 PM

I just now got a chance to get back to you. I think I should be fine. I am getting a little more use to figuring out what to look out for. Thanks for your help. CAn I ask you something that has been driving me crazy for this past week. My freaking little clock on my computer is in military time I have tried and tried to change it and it won't stay norma

l, same with the date. PLease tell me what to do. I am about to blow it up....

**Deckard** · 09-11-2006, 11:28 PM

LOL. I'm going to answer this last question then have the thread closed. You're clean and OS questions should really be posted in the Windows forum. However, this one is easy.

Go to Start->Run, type in intl.cpl and hit OK. In the dialog that pops up, click on the Customize button. Select the Time tab and for the time format, select hh:mm:ss tt. Click OK.

Then click the Date tab and adjust your date to whatever suits you. If you press Apply before OK, you can see what the new format will be in the "sample" text boxes.

Click OK several times to get out of the dialog box and you should be set!

09-04-2006, 12:51 PM	#1 (permalink)
lisa0477 Registered User Join Date: Sep 2006 Posts: 37 OS: WINXP professional 2002, sp2	zetamainhosting, taking over my computer Quick review of what I have done. Open internet explorer and ztamainhosting is on my home page, cannot change this. Has porn pictures on it. I ran Panda it found nothing. I ran etrust pest control, it found dlsearchbar I believe it was called, I deleted it. I tried to find it manually but could not, it was in the Hkey files and I am not sure where those are I have seen them and of course can't remember. I ran housecall and it found a ton of things, it deleted them then told me to reboot and I did and it said it got rid of the rest, however I am still having the same problem. I went through all the steps before posting this and I thought I did it all right, but obviously I didn't. Any help would be appreciated. I do not know if this is important or not but I was looking on my desktop and saw this Registrar registry manager and it has all those H-key things on it. It says it is the Lite/Trial edition. Not sure what this is but it has those same green cube blocks just like the viruses found on the house call scan. Okay here is my highjack scan Logfile of HijackThis v1.99.1 Scan saved at 1:30:12 PM, on 9/4/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Documents and Settings\Jeff\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestdailystuff.info/?Enter=We...%20www.msn.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R3 - URLSearchHook: (no name) - {59B2AEF9-416F-6EA9-4DFC-3ADD559F552F} - C:\WINDOWS\nzfgduio.dll (file missing) F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {5316EA3C-BE2F-23CB-1240-149E4DD88F79} - C:\WINDOWS\nzfgduio.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Search - {97C80DFE-7747-8D58-9D68-000C9815E6B2} - C:\WINDOWS\nzfgduio.dll (file missing) O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800" O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe" O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.af.mil O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.shizmoo.com/activex/web665.cab O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.249.81.101/AxisCamControl.ocx O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv2.view22.com/view22/app/view22rte.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/z...ploader_v5.cab O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab O18 - Filter: text/html - (no CLSID) - (no file) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

09-05-2006, 01:21 PM	#2 (permalink)
lisa0477 Registered User Join Date: Sep 2006 Posts: 37 OS: WINXP professional 2002, sp2	Bump "bump"

09-06-2006, 11:59 PM	#3 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	Hello and welcome to TSF! I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please be patient with me during this time. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

09-07-2006, 08:58 AM	#4 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	Hello lisa0477, We should be able to get you cleaned up. Did Panda produce a log at all, or did it find absolutely nothing? What about Ewido? If you ran a previous scan with Ewido, please include that log with your next post. Previous logs should be in C:\Program Files\ewido anti-spyware 4.0\Reports Also include any logs from the other scanners you ran. They'll help give me insight into what your computer had (or still has). These two lines may be keeping you from changing your home page: O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present SpyBot Search & Destroy may have set these restrictions for you. Do you remember if you had SpyBot lock IE from making certain changes? If you can't remember, we'll fix them after your next reply. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any. Antivirus Required I notice that you do not appear to have an active antivirus program. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer. Here are two very good free antivirus products which are available: Avast! AVG Please install one of these now. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. HijackThis Fixes Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any): R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestdailystuff.info/?Enter=Website%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20www.msn.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R3 - URLSearchHook: (no name) - {59B2AEF9-416F-6EA9-4DFC-3ADD559F552F} - C:\WINDOWS\nzfgduio.dll (file missing) F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: (no name) - {5316EA3C-BE2F-23CB-1240-149E4DD88F79} - C:\WINDOWS\nzfgduio.dll (file missing) O3 - Toolbar: Search - {97C80DFE-7747-8D58-9D68-000C9815E6B2} - C:\WINDOWS\nzfgduio.dll (file missing) O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab O18 - Filter: text/html - (no CLSID) - (no file) Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis. Online Scan Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded, click on NEXT. Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: extended Scan Options: Scan Archives and Scan Mail Bases Click OK Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done. Now under select a target to scan, select My Computer The program will start and scan your system. The scan will take a while so be patient and let it run all the way. Once the scan is complete it will display if your system has been infected. Click on the Save as Text button and save the file to your desktop. Copy and paste that information in your next post. Take note the names and locations of any file it detects but fails to clean. Generate An Uninstall List Open HijackThis. Click on the "Configure" button on the bottom right. Click on the tab "Misc Tools". Click on the Box that says "Open Uninstall Manager". Click on the button "Save list" Please save a copy and paste the contents with your next reply. With Your Next Post... Please paste the following with your next reply (in this order please): Any logfiles (eTrust, Housecall, Ewido, etc.) from the scans you've already taken, Kaspersky Scan report, your uninstall list, a new HiJackThis log taken after Kaspersky finishes. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

09-08-2006, 12:36 AM	#6 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	Awesome. You look clean. Since you don't have Symantec on your system any longer, you can safely remove "LiveUpdate 2.6 (Symantec Corporation)" from your Add/Remove Programs in the Control Panel. Any more issues? If not, you should be good to go but we still have a few items we'd like to address. Reset System Restore Go to Start>Run, type SYSDM.CPL and press Enter. Select the System Restore tab. Check "Turn off System Restore on all drives" and click Apply. Now uncheck the same option and click OK. Microsoft Updates It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection. Enable Windows Auto Update: Go to Start>Run, type WUAUCPL.CPL and press Enter. Make sure "Keep my computer up to date" is checked. Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Update Java We need to update your Java as it is out of date. Older versions can be a security risk as malware writers have been known exploit the weaknesses the code. Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs. Search in the list for all previous installed versions of Java (Java 2 Runtime Environment SE and/or J2SE Runtime Environment) and Uninstall/Remove them. Download and install the newest version from Sun. After the reboot, go back into the Control Panel and double-click the Java icon. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL three checked: Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window. NOTE: This deletes ALL of the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel. Malware Prevention This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them. Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer". The following is a list of free software we recommend: Antivirus AV software should be updated at least once a week for optimum protection. Here are some free AV programs available for personal use. NOTE: Do not install more than one AV program because they will conflict with each other. Only pick one. Avast! AVG AntiVir Firewalls A good firewall is the first-line of defense for your computer and will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use: Sygate Personal Firewall ZoneAlarm Tiny Personal Firewall Sunbelt Kerio Personal Firewall Outpost Firewall PRO Realtime Malware Prevention Tools These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time. Spyware Guard Spybot Search & Destroy AdAware WinPatrol - with tutorial Passive Malware Prevention Tools These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources. SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates. IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on it's homepage. MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements, preventing your computer from connecting to those sites. McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox. Alternative Web Browsers Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites. Firefox Opera Alternative Miscellaneous Here are some alternatives that are worth looking into if you use their features: Trillian - an Instant Messenger client that speaks multiple IM services (AIM, Yahoo!, ICQ, MSN, etc.) Miranda-IM - another Instant Messenger client with multiple IM capabilities. Desktop Weather - A taskbar weather program that is free and resource light. Please respond to this thread one more time so we can mark this thread as resolved. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

09-07-2006, 02:31 PM	#5 (permalink)
lisa0477 Registered User Join Date: Sep 2006 Posts: 37 OS: WINXP professional 2002, sp2	Ewido C:\Documents and Settings\Jeff\Cookies\jeff@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken. C:\Documents and Settings\Jeff\Cookies\jeff@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken. C:\Documents and Settings\Jeff\Cookies\jeff@ads.addynamix[1].txt -> TrackingCookie.Addynamix : No action taken. C:\Documents and Settings\Jeff\Cookies\jeff@advertising[2].txt -> TrackingCookie.Advertising : No action taken. C:\Documents and Settings\Jeff\Cookies\jeff@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken. C:\Documents and Settings\Jeff\Cookies\jeff@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken. C:\Documents and Settings\Jeff\Cookies\jeff@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken. C:\Documents and Settings\Jeff\Cookies\jeff@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken. C:\Documents and Settings\Jeff\Cookies\jeff@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken. C:\Documents and Settings\Jeff\Cookies\jeff@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken. C:\Documents and Settings\Jeff\Cookies\jeff@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken. Kaspersky Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ E:\ F:\ H:\ Scan Statistics: Total number of scanned objects: 60808 Number of viruses found: 1 Number of infected objects: 1 / 0 Number of suspicious objects: 0 Duration of the scan process: 01:37:38 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\Jeff\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Jeff\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Jeff\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Jeff\NTUSER.DAT.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\WINDOWS\CSC\00000001 Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{1A1A8B93-C87C-4C86-A5BB-CAFC1F1B8159}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped C:\WINDOWS\system32\drivers\sptd1917.sys Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. Highjackthis ABBYY FineReader 5.0 Sprint Adobe Acrobat 5.0 Adobe Bridge 1.0 Adobe Download Manager 2.0 (Remove Only) Adobe Reader 7.0.8 Adobe Stock Photos 1.0 AVG Free Edition CA eTrust PestPatrol DVD Decrypter (Remove Only) DVD Shrink 3.2 DVDFab Decrypter 2.9.7.9 ewido anti-spyware 4.0 EZ-DUB EZ-DUB Finder FaxTools GdiplusUpgrade Google Toolbar for Internet Explorer Hello (remove only) HijackThis 1.99.1 HP Extended Capabilities 5.3 HP Image Zone 5.3 HP Imaging Device Functions 5.3 HP Photosmart 330,380,420,470,7800,8000,8200 Series HP Software Update HP Solution Center & Imaging Support Tools 5.3 ICS Viewer 6.0 iTunes J2SE Runtime Environment 5.0 Update 2 J2SE Runtime Environment 5.0 Update 6 Kaspersky Online Scanner K-Lite Codec Pack 2.41 Full Lexmark X1100 Series LiveUpdate 2.6 (Symantec Corporation) Macromedia Flash Player 8 Macromedia Shockwave Player Macromedia Shockwave Player Microsoft .NET Framework 1.1 Microsoft ActiveX Control Pad Microsoft Money 2005 Microsoft Office Professional Edition 2003 Microsoft Picture It! Photo 2001 Microsoft Web Publishing Wizard 1.52 mIRC MSN MSN Music Assistant Nero 7 Ultra Edition OfficeReady Professional 3.0 Sampler PamperedPartner® 13.2 Panda ActiveScan Picasa 2 Print Shop Photo Projects Quicklinks QuickTime RealOne Player Registrar Registry Manager 4.01 Registrar Registry Manager 4.01 (Lite/Trial Edition) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows XP (KB883939) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899589) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB903235) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911280) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB916281) Security Update for Windows XP (KB917159) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917422) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB918899) Security Update for Windows XP (KB920214) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB921398) Security Update for Windows XP (KB921883) Security Update for Windows XP (KB922616) Shizmoo Web Games (Uproar) Shockwave SmartFTP Turbo Torrent 1.1.2 Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB910437) Update for Windows XP (KB916595) Windows Installer 3.1 (KB893803) Windows Media Format Runtime Windows Media Player 10 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893066 Windows XP Hotfix - KB893086 WinRAR archiver final highjack Logfile of HijackThis v1.99.1 Scan saved at 15:29, on 06-09-07 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\WgaTray.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\Program Files\Grisoft\AVG Free\avgcc.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Jeff\Desktop\HijackThis.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800" O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe" O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.af.mil O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.shizmoo.com/activex/web665.cab O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.249.81.101/AxisCamControl.ocx O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv2.view22.com/view22/app/view22rte.cab O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe Hope this works! Thanks for your time.

09-08-2006, 07:20 AM	#7 (permalink)
lisa0477 Registered User Join Date: Sep 2006 Posts: 37 OS: WINXP professional 2002, sp2	just a few questions I have a couple of questions before you leave me if you do not mind. I just finished all that you wrote last except for adding a few things. I want to make sure I got this right so hang in there. I have on my computer Ewido-which I believe since I have not paid for this it is mainly a scanning tool. Etrust pest control-this says it is protecting my computer but it is not, I do use it for scans though becasue it picks up things the other ones didn't. I downloaded AVG yesterday, I am hoping I did it right and it is protecting my computer, but since I have had it (here comes question) I have scanned for viruses with Ewido and it has found a ton. Most of them are in cookies and a few in my documents. I quarintine and delete them. Does AVG have a scan tool, or is it suppose to be checking itself? I do see on my emails now that it shows it checked them. Next question is this, say I pick these following to download, AVG (have) sygate p firewall spyware guard and spywareblaster IE-spyad (you said I could have more than one of these right?) Now having all the above they will not counter act eachother? I do see you put them under different sections, I just want to be sure I am getting it right. I am so tired of these viruses. My last Question is this-- My windows firewall was off, because it sometimes will not let me on the internet at all. It is on and I can be on the internet at the moment but if I download one of the others will it matter if the windows one is on or off? Oh forgot will all these downloads together help me stop getting things in my cookies (lol)? I use the ATF cleanup so I constantly dump it all. As soon as I get stuff cleaned these same ones are back on there. Okay, after this I will leave you alone!! You dear paitent person!!

09-08-2006, 02:14 PM	#8 (permalink)
lisa0477 Registered User Join Date: Sep 2006 Posts: 37 OS: WINXP professional 2002, sp2	Okay just wanted to let you know what I did, and I am so excited. Okay, I did AVG, Sygate P firewall, spyware guard and IE spyad and I am using firefox. Holy crap what a difference this has made. It is hauling a*s. I am so greatful for this. You rock! Can you just double check my questions aove to make sure I have not done anything wrong. THANKS sooooooooo much!

09-08-2006, 10:21 PM	#10 (permalink)
lisa0477 Registered User Join Date: Sep 2006 Posts: 37 OS: WINXP professional 2002, sp2	I know I don't stop... sorry. I promise to try and make this my last. my firewall said I had 3 highjackers, so I went to read everything because I wasn't sure if it meant it bloked them or detected them. From what I read it does not delete them. So I ran etrust scan and it found a trojan, I am assuming it is off. I went to the actual file and deleted it. Would you mind if I did one more set of logs for you so you can give me the final boot? Thanks so much. I am going to go ahead and post them. Can we donate to you guys on here? I really appreciate the help. On this firewall I have now, it keeps showing this one IP trying to get in constantly. It is just crazy what you can do with a computer. Ok here are the logs thanks again you are my internet angel. :3angel3: first this was the file at etrust- Key "hkey_current_user \software\microsoft\windows\currentversion\internet settings\zonemap\domains\phishingfix.biz" it said it was this- Trojan.RegFish.A well I would like to show you a highjack log now but for some reason it says it is getting stuck on 015 and it freezes. Little worried now. sorry I am such a pest

09-08-2006, 10:24 PM	#11 (permalink)
lisa0477 Registered User Join Date: Sep 2006 Posts: 37 OS: WINXP professional 2002, sp2	Jeff - 06-09-08 22:52:27.84 ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Jeff\Desktop Microsoft Windows XP [Version 5.1.2600] ((((((((((((((((((((((((((((((( Files Created from 2006-08-08 to 2006-09-08 )))))))))))))))))))))))))))))))))) 2006-09-08 12:21 21,312 --a------ C:\WINDOWS\choice.exe 2006-09-08 08:29 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll 2006-09-07 23:58 66,484 --a------ C:\WINDOWS\system32\PGPlspRollback.reg 2006-08-23 12:38 147,495 --a------ C:\WINDOWS\system32\rmocx.dll (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-09-08 22:49 -------- d-------- C:\Program Files\Mozilla Firefox 2006-09-08 14:29 -------- d-------- C:\Documents and Settings\Jeff\Application Data\Mozilla 2006-09-08 12:54 -------- d-------- C:\Program Files\SpywareGuard 2006-09-08 12:54 -------- d-------- C:\Documents and Settings\Jeff\Application Data\SiteAdvisor 2006-09-08 12:53 -------- d-------- C:\Program Files\SiteAdvisor 2006-09-08 08:29 -------- d-------- C:\Program Files\Sygate 2006-09-08 08:28 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard 2006-09-08 08:28 -------- d-------- C:\Program Files\Common Files 2006-09-08 07:57 -------- d-------- C:\Program Files\Google 2006-09-08 07:56 -------- d-------- C:\Program Files\Java 2006-09-08 07:55 -------- d-------- C:\Program Files\Common Files\Java 2006-09-08 07:42 -------- d-------- C:\Program Files\Symantec 2006-09-08 07:42 -------- d-------- C:\Program Files\Common Files\Symantec Shared 2006-09-08 00:01 -------- d-------- C:\Documents and Settings\Jeff\Application Data\PGP Corporation 2006-09-07 23:58 -------- d-------- C:\Program Files\Common Files\PGP Corporation 2006-09-07 12:37 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys 2006-09-07 12:37 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys 2006-09-07 12:37 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys 2006-09-07 12:37 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys 2006-09-07 12:37 -------- d-------- C:\Documents and Settings\Jeff\Application Data\AVG7 2006-09-07 12:36 -------- d-------- C:\Program Files\Grisoft 2006-09-07 12:28 -------- d-------- C:\Program Files\ewido anti-spyware 4.0 2006-09-05 18:28 -------- d-------- C:\Program Files\Lexmark X1100 Series 2006-09-04 12:27 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2006-09-04 12:27 -------- d-------- C:\Program Files\Internet Explorer 2006-08-24 06:16 -------- d-------- C:\Documents and Settings\Jeff\Application Data\uTorrent 2006-08-23 12:37 -------- d-------- C:\Documents and Settings\Jeff\Application Data\Real 2006-08-23 12:20 723 --a------ C:\Program Files\INSTALL.LOG 2006-08-23 12:20 -------- d-------- C:\Program Files\Real 2006-08-23 12:20 -------- d-------- C:\Program Files\Common Files\xing shared 2006-08-23 12:20 -------- d-------- C:\Program Files\Common Files\Real 2006-08-23 12:20 -------- d-------- C:\Program Files\aod 2006-08-06 00:46 -------- d-------- C:\Program Files\Windows Live Safety Center 2006-08-06 00:45 -------- d-------- C:\Program Files\Hijackthis 2006-08-06 00:40 -------- d-------- C:\Documents and Settings\Jeff\Application Data\Nova Development 2006-08-06 00:34 -------- d-------- C:\Program Files\Adobe 2006-08-05 17:37 -------- d-------- C:\Program Files\TPS Photo Projects Suite 2006-08-04 21:23 -------- d-------- C:\Program Files\Cox 2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll 2006-07-26 08:28 -------- d-------- C:\Documents and Settings\Jeff\Application Data\Adobe 2006-07-26 08:24 -------- d-------- C:\Program Files\Common Files\Adobe 2006-07-25 15:25 -------- d-------- C:\Program Files\Microsoft Picture It! PhotoPub 2006-07-24 17:56 -------- d-------- C:\Program Files\ewido anti-malware 2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll 2006-07-17 09:45 1038 --a------ C:\Documents and Settings\Jeff\Application Data\AdobeDLM.log 2006-07-17 09:45 0 --a--c--- C:\Documents and Settings\Jeff\Application Data\dm.ini 2006-07-10 11:27 -------- d-------- C:\Program Files\TorrenTopia 2006-06-23 11:33 349 --a------ C:\Documents and Settings\Jeff\Application Data\HelpFilesUpdatePatch_PRINTHELPWRAPPER.log 2006-06-23 11:33 0 --a------ C:\Documents and Settings\Jeff\Application Data\HelpFilesUpdatePatch_HELPFILEREPLACE.log (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "masqform.exe"="C:\\Program Files\\PureEdge\\Viewer 6.0\\masqform.exe -UpdateCurrentUser" "Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\"" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "EPSON Stylus CX3800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIACA.EXE /P26 \"EPSON Stylus CX3800 Series\" /O6 \"USB002\" /M \"Stylus CX3800\"" "HPHUPD08"="C:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe" "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe" "NWEReboot"="" "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe" "eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust PestPatrol\\PPActiveDetection.exe\"" "Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe" "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP" "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe" "SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] "Installed"="1" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Nero\\data\\Xtras\\mssysmgr.exe" "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background" "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\"" "RealPlayer"="\"C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot" "Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 "NoDriveAutoRun"=dword:ffffffff [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000000 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=dword:40000004 "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\ ff,ff,04,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\ 00,00,01,00,00,00 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0" "{81559C35-8464-49F7-BB0E-07A383BEF910}"="" Completion time: 06-09-08 22:53:26.75 ComboFix.txt ComboFix2.txt ComboFix3.txt Thought maybe this might help?? Don't really know about this one

09-09-2006, 02:14 AM	#12 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	Hello again! As long as you're still having issues, we'll be here for you. You're welcome to donate if you wish -- there's a link in my signature. HijackThis will take a little longer to scan your O15s now because you have the extra protection from IE-SpyAd. IE-SpyAd has added all those restricted sites to your registry, and HijackThis has to scan through all of that even though it doesn't end up displaying them. There are thousands of entries from IE-SpyAd, so give it some extra time. It'll finish eventually. Even with the ComboFix log, I don't see anything obvious. Do you remember what the trojan's name was that you deleted? Let's run a couple more tools to see if we can find anything. But before that, I noticed you may have P2P software (i.e. TorrenTopia, uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. Download SilentRunners Please download SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts. Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete. When it's done, you'll receive the prompt "All Done!". It will create a file with a name lie "Startup Programs (COMPUTERNAME) DATE TIME.txt". Post ALL its contents here in your next reply. Download Blacklight Beta Download and run Blacklight. Note that you must have local administrative privileges to run the program. Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this. When it finishes, click Next, and then click on Close. BlackLight beta should create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log. Save PestPatrol Logfile Start eTrust PestPatrol. Click on the Advanced Settings text, the click on Log under the Manage section. Click the Save Log button and save the file to your Desktop. It should be named PestPatrol5Log.csv. You can open this file up in Notepad -- please post it's contents with your next reply. With Your Next Post... Please paste the following with your next reply (in this order please): The contents of the file named similar to Startup Programs (COMPUTERNAME) DATE TIME.txt, The contents of the Blacklight fsbl-<date-and-time>.log, The contents of PestPatrol5Log.csv, The latest Ewido log from C:\Program Files\ewido anti-spyware 4.0\Reports, and a new HiJackThis log. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

09-10-2006, 11:28 AM	#14 (permalink)
lisa0477 Registered User Join Date: Sep 2006 Posts: 37 OS: WINXP professional 2002, sp2	I just wanted to let you know that I found sillyDI YQ in hkey_local_machine\software\policies it was in etrust and I deleted them so hopefully they are really gone. I wish I could show you the log from them I just can't figure out how to post or change it from excel.

09-10-2006, 11:30 AM	#15 (permalink)
lisa0477 Registered User Join Date: Sep 2006 Posts: 37 OS: WINXP professional 2002, sp2	shoot one more thing I kept forgetting to tell you. I can delete utorrent and the others we don't use them anymore, but I do use myspace and I think that is killing me what do you think?

09-10-2006, 12:31 PM	#16 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	Hi, Sorry I didn't get back to you last night. My computer started acting up and I shut it down for the night. It seems to be happier now. I don't see anything in your StartDreck logs, and all those entries in your firewall log are from legitimate programs (SiteAdvisor, PestPatrol, AVG, Google Desktop, Real Player, Microsoft Money). I'm not sure why they say "Hijacking" but they're really not. You may need to tell your firewall that these connections are okay and to not warn you about them. For the ePest log file that would only open in Excel, next time you can tell the file to open in another application. Right-click on the icon and select "Open With" and either select Notepad from the menu or choose Notepad under the "Choose Program..." option. No need to do it now; I'm fairly convinced that you're fine. I'm glad you found the registry key. That may have driven me nuts for awhile. And regarding MySpace, it's fairly safe. There has been some talk recently that some malware is spreading through MySpace ads every so often, but you should be protected from it as long as you stay up to date with your patches. Be safe! __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

09-11-2006, 02:57 PM	#17 (permalink)
lisa0477 Registered User Join Date: Sep 2006 Posts: 37 OS: WINXP professional 2002, sp2	I just now got a chance to get back to you. I think I should be fine. I am getting a little more use to figuring out what to look out for. Thanks for your help. CAn I ask you something that has been driving me crazy for this past week. My freaking little clock on my computer is in military time I have tried and tried to change it and it won't stay norma l, same with the date. PLease tell me what to do. I am about to blow it up....

09-11-2006, 11:28 PM	#18 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	LOL. I'm going to answer this last question then have the thread closed. You're clean and OS questions should really be posted in the Windows forum. However, this one is easy. Go to Start->Run, type in intl.cpl and hit OK. In the dialog that pops up, click on the Customize button. Select the Time tab and for the time format, select hh:mm:ss tt. Click OK. Then click the Date tab and adjust your date to whatever suits you. If you press Apply before OK, you can see what the new format will be in the "sample" text boxes. Click OK several times to get out of the dialog box and you should be set! __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006