Critical System Errors!

shark3189 · 11-30-2006, 07:16 PM

Lately, I have been getting a very annoying message on my system tray saying something about critical system errors. I did tons of spyware and anti-virus checks and it is still there, so here I am.

Logfile of HijackThis v1.99.1
Scan saved at 10:12:43 PM, on 11/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\fredmh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {192c5b4a-3efd-40c7-9f99-c472deb8efc0} - C:\Program Files\Perfect Codec\isaddon.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Protection Bar - {bf1ced2c-4b3f-4079-a330-864eda5a4cff} - C:\Program Files\Perfect Codec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164431353828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F865F4B-9048-4E25-9760-06632857B582}: NameServer = 167.206.245.82,167.206.245.83
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

thanks in advance

**Deckard** · 12-02-2006, 01:29 PM

Hello, and welcome to the HijackThis Help Forum.

Apologies for any delay in replying, but we have been rather busy lately.

Since it has been a few days since you first posted, please post a fresh HijackThis Log if you still need assistance.

Thank you.

shark3189 · 12-02-2006, 08:36 PM

It's no problem, you guys are doing this for free and i appreciate it. I got rid of the critical system error, but Ill post another log just to be safe.
Logfile of HijackThis v1.99.1
Scan saved at 11:35:11 PM, on 12/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\fredmh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {192c5b4a-3efd-40c7-9f99-c472deb8efc0} - C:\Program Files\Perfect Codec\isaddon.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Protection Bar - {bf1ced2c-4b3f-4079-a330-864eda5a4cff} - C:\Program Files\Perfect Codec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164431353828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F865F4B-9048-4E25-9760-06632857B582}: NameServer = 167.206.245.82,167.206.245.83
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

**Deckard** · 12-02-2006, 08:56 PM

Did you run SmitfraudFix? If not, I'll give you instructions.

shark3189 · 12-02-2006, 09:21 PM

I used something similar i think, it was called prevx1 and it seemed to work because the message is gone and so is the icon.

**Deckard** · 12-02-2006, 11:29 PM

You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

There's another tool we use that does a great job at cleaning up remnants. You still have a few traces in your HJT log, so let's run the tool to get rid of those and whatever else might be lurking.

I've noticed that we've cleaned you up quite a few times. Is there a reason why you haven't updated to service pack 2?

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.

Download CleanUp!
Download and install CleanUp! but do not run it yet.

WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp!

WARNING: Do not run cleanup under Windows XP x64 Edition. If you're not sure if you have the 64-bit version of Windows then you probably do not; however, you can check by using IE to download the whichcpu tool and then running it.

Download AVG Anti-Spyware
Please download, install, and update AVG Anti-Spyware.

Load AVG Anti-Spyware and then click the Shield tab at the top
- Click on the word active to change it to inactive.
Click the Update tab at the top:
- Under Manual update, click Start update. After the update finishes, the status bar at the bottom will display "Update successful". If you are having trouble updating, you can also download and run the manual updater.
- Under Automatic update, change the Update interval to something more reasonable like 12 or 24 hours.
Click the Scanner tab at the top and then the Settings sub-tab:
- Under How to act?, click Recommended actions and select Quarantine.
- Under Reports, select Automatically generate report after every scan
Close AVG Anti-Spyware. Do not run a scan with it yet.

Download SmitfraudFix
Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop, but don't do anything else with it yet.

Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Login on with your usual account. Make sure to close any open windows.

Run SmitfraudFix
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and pressing Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and pressing Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Cleanup! All Users
- Click on the "Temporary Files" and make sure the box for "Scan drives for file matching" is unchecked.
Click OK.
Press the CleanUp! button to start the program.

Once it's finished CleanUp! will ask you to logoff/reboot. Please select NO as we will do this later.

Fix Desktop
Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Run AVG Anti-Spyware

Run AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
If Set all elements to is not set to Quarantine (1), please click Recommended Action and choose Quarantine from the popup menu (2).
At the bottom of the window, click on the Apply all actions button (3).
When it has finished, click the Save Scan Report button (4), then click Save Report As and save the report it to your desktop.
Close AVG Anti-Spyware.

Reboot
Reboot your system to Normal Mode.

Re-run SmitfraudFix
Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #3 - Delete Trusted zone by typing 3 and pressing Enter.

NOTE: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database: extended
- Scan Options: Scan Archives and Scan Mail Bases
Click OK
Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
Now under select a target to scan, select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run all the way.
Once the scan is complete it will display if your system has been infected.
Click on the Save as Text button and save the file to your desktop.
Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

Download Autoruns

Please download Autoruns and AutoCmd.
Extract the contents of Autoruns into a new folder.
Now extract the contents of AutoCmd into the same folder as Autoruns. This is important!
Double-click on AutoCmd.cmd & select option '1'
It will produce a log called autoruns_X_Y.txt (where X and Y are the date and time respectively). Please attach the log in your next reply.

Generate An Uninstall List

Open HijackThis.
Click on the "Configure" button on the bottom right.
Click on the tab "Misc Tools".
Click on the Box that says "Open Uninstall Manager".
Click on the button "Save list"

Please save a copy and paste the contents with your next reply.

With Your Next Post...
Please paste the following with your next reply (in this order please):

The contents of C:\rapport.txt,
AVG Anti-Spyware scan report,
Kaspersky scan report,
your Autoruns log,
your uninstall list, and
a new HiJackThis log taken after Kaspersky finishes.

shark3189 · 12-04-2006, 06:33 PM

I have no idea why I haven't updated to SP2, I thought I did a long time ago but apparently I never did. Anyway, here are the logs:

SmitFraudFix v2.127

Scan done at 18:30:50.46, 12/03/2006
Run from C:\Documents and Settings\MD\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ab340860-fd81-4a65-b345-82eb77a66b5e}"="featherweed"

[HKEY_CLASSES_ROOT\CLSID\{ab340860-fd81-4a65-b345-82eb77a66b5e}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ab340860-fd81-4a65-b345-82eb77a66b5e}\InProcServer32]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\migicons.exe Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\VirusBursters\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:31:19 PM 12/03/2006

+ Scan result:

C:\WINDOWS\SYSTEM32\cacore.dll -> Adware.Coupons : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.44:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.45:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.46:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.51:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.52:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.533:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.53:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.54:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.78:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.79:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.80:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.81:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.82:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.83:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.308:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.309:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.114:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.838:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Cqcounter : Cleaned.
:mozilla.172:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.173:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.174:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.175:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.667:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Komtrack : Cleaned.
:mozilla.874:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.875:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.876:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.842:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Quarterserver : Cleaned.
:mozilla.150:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.151:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.152:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.153:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.154:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.155:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.177:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.178:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.179:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.180:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.181:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.182:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.183:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.184:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.185:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.186:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.187:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.188:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.189:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.190:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.191:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.192:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.193:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.194:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.195:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.196:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.197:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.198:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.199:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.200:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.201:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.202:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.203:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.204:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.536:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.363:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.364:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.365:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.808:C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\default.77v\cookies.txt -> TrackingCookie.Weborama : Cleaned.
C:\Mark's Folder\Soldat\1.3\Speed_Hack.zip/speed_hack/undetected speedhack/c5x1.dll -> Trojan.Agent.a : Cleaned with backup (quarantined).
C:\Mark's Folder\Soldat\1.3\Speed_Hack.zip/speed_hack/undetected speedhack/s3r.dll -> Trojan.Agent.d : Cleaned with backup (quarantined).

::Report end

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 04, 2006 9:17:08 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/12/2006
Kaspersky Anti-Virus database records: 248059
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
I:\

Scan Statistics:
Total number of scanned objects: 125708
Number of viruses found: 11
Number of infected objects: 22 / 0
Number of suspicious objects: 1
Duration of the scan process: 01:22:39

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\DRIVERS\sptd0269.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\mIRC\mirc.exe.bak Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03900000.VBN Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00C40000.VBN Infected: Exploit.Win32.IMG-WMF.v skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40000.VBN Infected: Trojan-PSW.Win32.Sagic.15 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40001.VBN Infected: not-a-virus:PSWTool.Win32.Brutus skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06F40000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06780000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06780000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06780000.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06780000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06780000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06F40001.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00FC0000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01000000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01000000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01000000.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01000000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01000000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E80000.VBN Infected: Trojan-Downloader.Win32.Zlob.abw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E80002.VBN Infected: Trojan-Downloader.Win32.Zlob.abw skipped
C:\Documents and Settings\MD\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Temp\~DF3357.tmp Object is locked skipped
C:\Documents and Settings\MD\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\MD\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\MD\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\MD\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\MD\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{54A708CC-4098-4B73-B137-FDCCC63519A9}\RP286\change.log Object is locked skipped
C:\hijackthis\backups\backup-20051213-211450-883.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped

Scan process completed.

MD - 12/04/2006@21:27:33.05
running from C:\Documents and Settings\MD\Desktop\Autoruns\

Other users of this machine:
* Administrator

----------------------------------------------------------------------------------

HKLM\System\CurrentControlSet\Services
AVG Anti-Spyware Guard
AVG Anti-Spyware guard
(Not verified) Anti-Malware Development a.s.
c:\program files\grisoft\avg anti-spyware 7.5\guard.exe
Crypkey License
CrypKey NT Service
(Not verified) Kenonic Controls Ltd.
c:\windows\system32\crypserv.exe
DefWatch
Virus Definition Daemon
(Not verified) Symantec Corporation
c:\program files\symantec_client_security\symantec antivirus\defwatch.exe
Norton AntiVirus Server
Provides real-time virus scanning, reporting, and management functionality for Symantec Client Security.
(Not verified) Symantec Corporation
c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe
NVSvc
Provides system and desktop level support to the NVIDIA display driver
(Not verified) NVIDIA Corporation
c:\windows\system32\nvsvc32.exe
Pml Driver HPZ12
PML Driver
(Not verified) HP
c:\windows\system32\hpzipm12.exe
SoundMAX Agent Service (default)
SoundMAX service agent component
(Not verified) Analog Devices, Inc.
c:\program files\analog devices\soundmax\smagent.exe
StyleXPService
StyleXPService Module
c:\program files\tgtsoft\stylexp\stylexpservice.exe
vsmon
Monitors internet traffic and generates alerts for disallowed access.
(Verified) Check Point Software Technologies Inc.
c:\windows\system32\zonelabs\vsmon.exe

HKLM\System\CurrentControlSet\Services
ASAPIW2k
ASAPI
(Not verified) Pinnacle Systems GmbH
c:\windows\system32\drivers\asapiw2k.sys
AVG Anti-Spyware Driver
c:\program files\grisoft\avg anti-spyware 7.5\guard.sys
AvgAsCln
AVG7 Clean Driver
(Not verified) GRISOFT, s.r.o.
c:\windows\system32\drivers\avgascln.sys
BANTExt
c:\windows\system32\drivers\bantext.sys
DCamUSBSQTECH
Universal Serial Bus Camera Driver
(Not verified) Service & Quality Technology.
c:\windows\system32\drivers\sqcaptur.sys
drvmcdb
Device Driver
(Not verified) VERITAS Software, Inc.
c:\windows\system32\drivers\drvmcdb.sys
EagleNT
File not found: C:\WINDOWS\System32\drivers\EagleNT.sys
FGUARD32
Folder Guard Device Driver
(Not verified) WinAbility® Software Corporation
c:\program files\folder guard pro xp\fguard32.sys
FILESpy
File not found: C:\Program Files\BullGuard\filespy.sys
GEARAspiWDM
CD/DVD Class Filter Driver
(Verified) GEAR Software Inc.
c:\windows\system32\drivers\gearaspiwdm.sys
giveio
c:\windows\system32\giveio.sys
imagedrv
NERO IMAGEDRIVE SCSI miniport
(Not verified) Ahead Software AG
c:\windows\system32\drivers\imagedrv.sys
imagesrv
Nero Image Server
(Not verified) Ahead Software AG
c:\windows\system32\drivers\imagesrv.sys
NAVAP
AutoProtect
(Not verified) Symantec Corporation
c:\program files\symantec_client_security\symantec antivirus\navap.sys
NAVAPEL
NAVAPEL
(Not verified) Symantec Corporation
c:\program files\symantec_client_security\symantec antivirus\navapel.sys
NAVENG
AV Engine
(Verified) Symantec Corporation
c:\program files\common files\symantec shared\virusdefs\20061129.017\naveng.sys
NAVEX15
AV Engine
(Verified) Symantec Corporation
c:\program files\common files\symantec shared\virusdefs\20061129.017\navex15.sys
NetworkX
c:\windows\system32\ckldrv.sys
NPF
NPF Driver - TME extensions
(Not verified) Politecnico di Torino
c:\windows\system32\drivers\npf.sys
nv
NVIDIA Compatible Windows 2000 Miniport Driver, Version 81.94
(Not verified) NVIDIA Corporation
c:\windows\system32\drivers\nv4_mini.sys
padenum
Enumerador NTPAD
(Not verified) Windows (R) 2000 DDK provider
c:\windows\system32\drivers\padenum.sys
PCLEPCI
PCLEPCI
(Not verified) Pinnacle Systems GmbH
c:\windows\system32\drivers\pclepci.sys
PxHelp20
Px Engine Device Driver for Windows 2000/XP
(Not verified) Sonic Solutions
c:\windows\system32\drivers\pxhelp20.sys
REGSpy
File not found: C:\Program Files\BullGuard\regspy.sys
RioS10
RioS10.sys
(Not verified) SonicBlue Inc.
c:\windows\system32\drivers\rios10.sys
rxp
File not found: C:\WINDOWS\system32\drivers\rxp.sys
SbcpHid
File not found: C:\WINDOWS\System32\Drivers\SbcpHid.sys
Secdrv
SafeDisc driver
(Not verified) Macrovision Europe Ltd
c:\windows\system32\drivers\secdrv.sys
sfdrv01
StarForce Protection Environment Driver
(Not verified) Protection Technology
c:\windows\system32\drivers\sfdrv01.sys
sfhlp02
StarForce Protection Helper Driver
(Not verified) Protection Technology
c:\windows\system32\drivers\sfhlp02.sys
sfsync02
StarForce Protection Synchronization Driver
(Not verified) Protection Technology
c:\windows\system32\drivers\sfsync02.sys
SMBios
Intel(R) System Management BIOS Driver
(Not verified) Intel Corporation
c:\windows\system32\drivers\smbios.sys
speedfan
SpeedFan Device Driver
(Not verified) Windows (R) 2000 DDK provider
c:\windows\system32\speedfan.sys
sptd
c:\windows\system32\drivers\sptd.sys
srescan
srescan
(Verified) Check Point Software Technologies Inc.
c:\windows\system32\zonelabs\srescan.sys
StyleXPHelper
StyleXP
(Not verified) Windows (R) 2000 DDK provider
c:\program files\tgtsoft\stylexp\stylexphelper.exe
SymEvent
Symantec Event Library
(Verified) Symantec Corporation
c:\program files\symantec\symevent.sys
vaxscsi
SCSI miniport
(Verified) DAEMON Tools Code Signing Services
c:\windows\system32\drivers\vaxscsi.sys
VendorJoystickEnabler
NTPAD Console GamePad Controller for Windows 2000
(Not verified) Triforce
c:\windows\system32\drivers\ntpad.sys
vsdatant
TrueVector Device Driver
(Verified) Check Point Software Technologies Inc.
c:\windows\system32\vsdatant.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
NavLogon
File not found: C:\WINDOWS\System32\NavLogon.dll

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
hpzlnt07
(Not verified) HP
c:\windows\system32\hpzlnt07.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Smapp
SoundMAX System Tray
(Not verified) Analog Devices, Inc.
c:\program files\analog devices\soundmax\smtray.exe
IntelliType
Microsoft IntelliType Pro
(Not verified) Microsoft Corporation
c:\program files\microsoft hardware\keyboard\type32.exe
HPDJ Taskbar Utility
(Not verified) HP
c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
vptray
Symantec AntiVirus
(Not verified) Symantec Corporation
c:\program files\symantec_client_security\symantec antivirus\vptray.exe
dla
Direct Access Component
(Not verified) VERITAS Software, Inc.
c:\windows\system32\dla\tfswctrl.exe
StorageGuard
VERITAS Update Manager
(Not verified) VERITAS Software, Inc.
c:\program files\veritas software\update manager\sgtray.exe
NeroFilterCheck
NeroCheck
(Not verified) Ahead Software Gmbh
c:\windows\system32\nerocheck.exe
AtiPTA
ATI Desktop Control Panel
(Not verified) ATI Technologies, Inc.
c:\windows\system32\atiptaxx.exe
PinnacleDriverCheck
c:\windows\system32\psdrvcheck.exe
USBToolTip
USBTip MFC Application
(Not verified) Pinnacle Systems
c:\program files\pinnacle\shared files\programs\usbtip\usbtip.exe
SunJavaUpdateSched
Java(TM) 2 Platform Standard Edition binary
(Not verified) Sun Microsystems, Inc.
c:\program files\java\jre1.5.0_09\bin\jusched.exe
IntelliPoint
Point32.exe
(Not verified) Microsoft Corporation
c:\program files\microsoft intellipoint\point32.exe
HP Software Update
Hewlett-Packard Product Assistant
(Not verified) Hewlett-Packard Co.
c:\program files\hp\hp software update\hpwuschd2.exe
NvCplDaemon
NVIDIA Display Properties Extension
(Not verified) NVIDIA Corporation
c:\windows\system32\nvcpl.dll
nwiz
NVIDIA nView Wizard, Version 110.09
(Not verified) NVIDIA Corporation
c:\windows\system32\nwiz.exe
NvMediaCenter
NVIDIA Media Center Library
(Not verified) NVIDIA Corporation
c:\windows\system32\nvmctray.dll
Zone Labs Client
Zone Labs Client
(Verified) Check Point Software Technologies Inc.
c:\program files\zone labs\zonealarm\zlclient.exe
QuickTime Task
QuickTime Task
(Not verified) Apple Computer, Inc.
c:\program files\quicktime alternative\qttask.exe
iTunesHelper
iTunesHelper Module
(Verified) Apple Computer, Inc.
c:\program files\itunes\ituneshelper.exe
!AVG Anti-Spyware
AVG Anti-Spyware
(Not verified) Anti-Malware Development a.s.
c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe

HKLM\SOFTWARE\Classes\Protocols\Filter
application/octet-stream
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
c:\windows\system32\mscoree.dll
application/x-complus
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
c:\windows\system32\mscoree.dll
application/x-msdownload
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
c:\windows\system32\mscoree.dll

HKLM\SOFTWARE\Classes\Protocols\Handler
belarc
Belarc VoilaX Control
(Not verified) Belarc, Inc.
c:\program files\belarc\advisor\system\bavoilax.dll
ms-help
Microsoft® Help Data Services Module
(Not verified) Microsoft Corporation
c:\program files\common files\microsoft shared\help\hxds.dll
msnim
MSN Messenger Protocol Handler
(Not verified) Microsoft Corporation
c:\program files\msn messenger\msgrapp.dll

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
n/a
Microsoft .NET IE SECURITY REGISTRATION
(Not verified) Microsoft Corporation
c:\windows\system32\mscories.dll
CRLUpdate
UPDCRL
(Not verified) Microsoft Corporation
c:\windows\system32\updcrl.exe
Power Policy Settings
File not found: setupx.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Printkey2000.lnk
(Not verified) Fred's Software
c:\program files\printkey2000\printkey2000.exe
HP Digital Imaging Monitor.lnk
HP Digital Imaging Monitor
(Not verified) Hewlett-Packard Co.
c:\program files\hp\digital imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk
HP Image Zone
(Not verified) Hewlett-Packard Co.
c:\program files\hp\digital imaging\bin\hpqthb08.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
STYLEXP
StyleXP Application
c:\program files\tgtsoft\stylexp\stylexp.exe

Task Scheduler
Tune-up Application Start.job
File not found: walign
AppleSoftwareUpdate.job
Software Application
(Verified) Apple Computer, Inc.
c:\program files\apple software update\softwareupdate.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
SSVHelper Class
Java(TM) 2 Platform Standard Edition binary
(Not verified) Sun Microsystems, Inc.
c:\program files\java\jre1.5.0_09\bin\ssv.dll
CoTGT_BHO Class
c:\program files\tgtsoft\stylexp\tgt_bho.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
AVG Anti-Spyware 7.5
AVG Anti-Spyware shellexecutehook
(Not verified) Anti-Malware Development a.s.
c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Display Panning CPL Extension
File not found: deskpan.dll
Thumbnails
Thumbnail View Extension
(Not verified) Microsoft Corporation
c:\windows\system32\thumbvw.dll
IntelliType Pro Key Settings Control Panel Property Page
Microsoft IntelliType Pro
(Not verified) Microsoft Corporation
c:\program files\microsoft hardware\keyboard\itcpl.dll
Shell Extensions for RealOne Player
RealPlayer Shell Extensions
(Not verified) RealNetworks, Inc.
c:\program files\real\realone player\rpshell.dll
RD1021/1071 Lyra Personal Audio Player ApplicationsShell Hook
RD1021/1071 Lyra Personal Audio Player Shell Extension
(Not verified) Thomson Inc.
c:\windows\system32\thmsn21h.dll
Default Image Extrator for Properties
Thumbnail View Extension
(Not verified) Microsoft Corporation
c:\windows\system32\thumbvw.dll
LDVP Shell Extensions
Symantec AntiVirus
(Not verified) Symantec Corporation
c:\program files\common files\symantec shared\ssc\vpshell2.dll
WinRAR shell extension
c:\program files\winrar\rarext.dll
DriveLetterAccess
Direct Access Component
(Not verified) VERITAS Software, Inc.
c:\windows\system32\dla\tfswshx.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing, Inc.
c:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing, Inc.
c:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing, Inc.
c:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing, Inc.
c:\program files\winzip\wzshlstb.dll
iTunes
iTunes Mini Player DLL
(Verified) Apple Computer, Inc.
c:\program files\itunes\itunesminiplayer.dll
Fusion Cache
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
c:\windows\system32\mscoree.dll
IntelliPoint Wireless Control Panel Property Page
ipcplwir.dll
(Not verified) Microsoft Corporation
c:\program files\microsoft intellipoint\ipcplwir.dll
IntelliPoint Wheel Control Panel Property Page
ipcplwhl.dll
(Not verified) Microsoft Corporation
c:\program files\microsoft intellipoint\ipcplwhl.dll
IntelliPoint Activities Control Panel Property Page
ipcplact.dll
(Not verified) Microsoft Corporation
c:\program files\microsoft intellipoint\ipcplact.dll
IntelliPoint Buttons Control Panel Property Page
ipcplbtn.dll
(Not verified) Microsoft Corporation
c:\program files\microsoft intellipoint\ipcplbtn.dll
NvCpl DesktopContext Class
NVIDIA Display Properties Extension
(Not verified) NVIDIA Corporation
c:\windows\system32\nvcpl.dll
Desktop Explorer
NVIDIA Desktop Explorer, Version 110.09
(Not verified) NVIDIA Corporation
c:\windows\system32\nvshell.dll
Desktop Explorer Menu
NVIDIA Desktop Explorer, Version 110.09
(Not verified) NVIDIA Corporation
c:\windows\system32\nvshell.dll
nView Desktop Context Menu
NVIDIA Desktop Explorer, Version 110.09
(Not verified) NVIDIA Corporation
c:\windows\system32\nvshell.dll
Play on my TV helper
NVIDIA Display Properties Extension
(Not verified) NVIDIA Corporation
c:\windows\system32\nvcpl.dll
EditPlus Context Menu Handler
c:\program files\editplus 2\eppshell.dll
ShellLink for Application References
Application Deployment Support Library
(Not verified) Microsoft Corporation
c:\windows\system32\dfshim.dll
Shell Icon Handler for Application References
Application Deployment Support Library
(Not verified) Microsoft Corporation
c:\windows\system32\dfshim.dll
PowerISO
PowerISOShell DLL
(Not verified) PowerISO Computing, Inc.
c:\program files\poweriso\pwrisosh.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Microsoft Outlook Custom Icon Handler
Microsoft Outlook Shell Hook for Start/Find
(Not verified) Microsoft Corporation
c:\program files\microsoft office\office\olkfstub.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions
AIM
AOL Instant Messenger
(Verified) America Online, Inc.
c:\program files\aim\aim.exe
Messenger
Messenger
(Not verified) Microsoft Corporation
c:\program files\messenger\msmsgs.exe

Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
AIM 6.0
AOL Instant Messenger
Apple Software Update
ATI Display Driver
AVG Anti-Spyware 7.5
Azureus
BearShare
Belarc Advisor 7.0
CCleaner (remove only)
Cheating-Death 4.33.4
CIS RecordNow DX
CIS RecordNow DX Update Manager
CleanUp!
Command & Conquer Red Alert 2
Command && Conquer Red Alert 2 - Yuri's Revenge
DFX for Windows Media Player
DivX
DivX Converter
DivX Player
DivX Web Player
DVD Shrink 3.2
dvdSanta 4.00
EditPlus 2
EVEREST Corporate Edition v2.50
EVGA Display Driver
Folder Guard
GameSpy Arcade
HijackThis 1.99.1
HP Extended Capabilities 4.7
HP Image Zone 4.7
hp instant support
HP PSC & OfficeJet 4.7
HP Software Update
IMSI Applications
InterActual Player
Internet Explorer Q831167
iPod for Windows 2006-03-23
iPod Updater 2004-11-15
Ipswitch WS_FTP Professional 2006
iTunes
J2SE Development Kit 5.0 Update 9
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_04
Java 2 Runtime Environment, SE v1.4.2_05
JCreator LE 3.50
Kaspersky Online Scanner
LEGO Star Wars II
LimeWire 4.10.9
LiveUpdate 1.90 (Symantec Corporation)
Logitech Gaming Software
Macro Express 3
Macromedia Shockwave Player
Media Library Management Wizard
Microangelo Toolset 6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft IntelliType Pro 2.2
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Office FrontPage 2003
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft Visual Basic 6.0 Professional Edition
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Web Publishing Wizard 1.53
mIRC
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (1.5)
Mozilla Firefox (2.0)
MSN Messenger 7.5
MSXML 6.0 Parser
MUSICMATCH® Jukebox
Nero 6 Ultra Edition
Oblivion
Panda ActiveScan
Passware Kit 6.1
Personal License Update Wizard for Windows Media Player
PowerDVD
PowerISO
PrintKey2000
PrintMaster Platinum 4.00
QuickTime
QuickTime Alternative 1.75
RD1021/1071 Lyra Personal Audio Player Applications
RealPlayer
Rio Music Manager
SC-KeyLog 2.25
Soldat 1.3
Sony DVD Architect 3.0c
SoundMAX
SpeedFan (remove only)
Spy Sweeper
Spybot - Search & Destroy 1.3.1 TX
SpywareBlaster v3.2
Steam
Studio 9
StyleXP (remove only)
SwiftSwitch
The Games Factory
Update for Windows XP (KB898461)
VERITAS DLA
Viewpoint Media Player
Vitalize!
Web Savings from Ebates
Westwood Shared Internet Components
Windows Installer 3.0 (KB884016)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Bonus Pack for Windows XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB842773
Windows XP Uninstall
WinRAR archiver
WinZip
Wolverine-Theme.zip
Xfire (remove only)
XviD 1.1 final uninstall
ZoneAlarm Pro

Logfile of HijackThis v1.99.1
Scan saved at 9:30:39 PM, on 12/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\fredmh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164431353828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F865F4B-9048-4E25-9760-06632857B582}: NameServer = 167.206.245.82,167.206.245.83
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

**Deckard** · 12-04-2006, 07:48 PM

I see you have a "undetected speed hack" installed for Soldat. We are not here to pass judgment; however, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

The same goes for P2P software - we don't pass judgment, but using it can make you more susceptible to re-infection.

I strongly urge you to update to SP2 when I declare your machine clean (but not before; SP2 should only be installed on a malware free machine). It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, I will have you return to the Windows Update page and install SP2. I will also then advise you on how to better protect yourself online.

Clear Cookies
Clear your Firefox cookies. From the open browser, go to Tools>Options>Privacy>Cookies>Clear.

Clean Quarantine
Please follow Symantec's guide to clean out your Norton quarantine directory.

Uninstall
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Viewpoint Media Player
Web Savings from Ebates

Please let me know if any of these were unable to uninstall.

Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Mark's Folder\Soldat\1.3\Speed_Hack.zip
C:\Program Files\Viewpoint

Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan.

Click on the "Scan your PC" button located at the bottom of the page. A popup window should appear -- make sure you allow it if you have a popup blocker.
Enter your e-mail address, country, and state and click Scan Now.
Your computer will download Panda's 8 megabyte ActiveX control at this point. Follow the on-screen directions if it asks you to install the ActiveX control.
Begin the scan by selecting My Computer. Note:
- Please turn off the real time scanner of any existing antivirus program while performing the online scan.
- Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
- Click on See report then click Save report.
- It is not necessary to remain online while it's doing the scan, but you will have to re-connect after it has finished to see the report.

With Your Next Post...
Please paste the following with your next reply (in this order please):

Panda scan report,
a new HiJackThis log taken after Panda finishes.

Also let me know how your machine is behaving now.

shark3189 · 12-05-2006, 01:21 PM

Ok, viewpoint uninstalled but i got an error from the web savings one:

Incident Status Location

Adware:adware/ncase Not disinfected c:\windows\system32\SAIEAU.DAT
Adware:adware/oemji Not disinfected C:\Documents and Settings\MD\Application Data\SpamExtract
Adware:adware/wintools Not disinfected Windows Registry
Adware:adware/portalscan Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/iedriver Not disinfected Windows Registry
Adware:adware/seeqbar Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\MD\Desktop\SmitfraudFix\Process.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\DEFAULT.77V\COOKIES.TXT[.com.com/]
Adware:Adware/WUpd Not disinfected C:\hijackthis\BACKUPS\backup-20041003-213452-817.inf
Adware:Adware/AzeSearch Not disinfected C:\hijackthis\BACKUPS\backup-20051213-211451-885.inf

Logfile of HijackThis v1.99.1
Scan saved at 4:21:27 PM, on 12/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\fredmh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164431353828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F865F4B-9048-4E25-9760-06632857B582}: NameServer = 167.206.245.82,167.206.245.83
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Thanks again for your help

**Deckard** · 12-05-2006, 08:04 PM

You can get rid of the Ebates like so:

Uninstall Manager

Run HijackThis.
Go to Config || Misc Tools
Click the button labelled "Open Uninstall Manager".
To get a quick uninstall Log, click the "Save List" button
Find and select the following entries in order and click "Delete This Entry" for each one:
Web Savings from Ebates
When you've got them all, close HijackThis.

Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist:

C:\Documents and Settings\MD\Application Data\SpamExtract
C:\hijackthis\BACKUPS\backup-20041003-213452-817.inf
C:\hijackthis\BACKUPS\backup-20051213-211451-885.inf
C:\WINDOWS\system32\SAIEAU.DAT

Well done, your logs are clean! Any more issues? If not, you should be good to go but we still have a few items we'd like to address. The most important step is that you update your machine to Service Pack 2.

Reset hidden/system files and folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm and then click OK.

Reset System Restore

Go to Start>Run, type SYSDM.CPL and press Enter.
Select the System Restore tab.
Check "Turn off System Restore on all drives" and click Apply.
Now uncheck the same option and click OK.

Re-enable Protection
Turn back on any malware prevention tools we might have had you switch off.

Microsoft Updates
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection.

Please ensure that you have already patched your system against these recent critical exploits:

WMF exploit: KB912919
VML exploit: KB925486

Enable Windows Auto Update:

Go to Start>Run, type WUAUCPL.CPL and press Enter.
Make sure "Keep my computer up to date" is checked.
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Update Java
You need to update your Java as it is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 10.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without multi-language and save to your desktop.
Close any programs you may have running -- especially your web browser(s).
Go to Start→Control Panel double-click on Add/Remove Programs.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each version of Java.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_5_0_10-windowsi586-p.exe to install the newest version.
After the reboot, go back into the Control Panel and double-click the Java icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL three checked:
- Downloaded Applets
- Downloaded Applications
- Other Files
Click OK on Delete Temporary Files Window. NOTE: This deletes ALL of the Downloaded Applications and Applets from the cache.
Click OK to leave the Java Control Panel.

Tool Deletions
Feel free to remove these tools and their folders:

Autoruns and AutoCmd
CleanUp! (uninstall from Add/Remove Programs)
SmitfraudFix

You may want to keep AVG Anti-Spyware, as it will offer you some additional protection. It is a free 30 day trial, after which time you will need to manually update it yourself.

Malware Prevention
This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them.

Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer".

The following is a list of free software we recommend:

Antivirus
AV software should be updated at least once a week for optimum protection. Here are some free AV programs available for personal use. NOTE: Do not install more than one AV program because they will conflict with each other. Only pick one.

AOL Active Virus Shield (powered by Kaspersky Antivirus)
BitDefender
Avira PersonalEdition Classic
Avast!
AVG

Firewalls
A good firewall is the first-line of defense for your computer and will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use:

Realtime Malware Prevention Tools
These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time.

Passive Malware Prevention Tools
These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.

SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on it's homepage.
MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements, preventing your computer from connecting to those sites.
McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.

Alternative Web Browsers
Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Alternative Miscellaneous
Here are some alternatives that are worth looking into if you use their features:

Trillian - an Instant Messenger client that speaks multiple IM services (AIM, Yahoo!, ICQ, MSN, etc.)
Miranda-IM - another Instant Messenger client with multiple IM capabilities.
Desktop Weather - A taskbar weather program that is free and resource light.

Please respond to this thread one more time so we can mark this thread as resolved.

shark3189 · 12-08-2006, 09:58 PM

My computer is running fine now. I upgraded to SP2 and kept AVG, thank you for all your help.

11-30-2006, 07:16 PM	#1 (permalink)
shark3189 Registered User Join Date: Jul 2004 Posts: 85 OS: Windows XP	Critical System Errors! Lately, I have been getting a very annoying message on my system tray saying something about critical system errors. I did tons of spyware and anti-virus checks and it is still there, so here I am. Logfile of HijackThis v1.99.1 Scan saved at 10:12:43 PM, on 11/30/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Analog Devices\SoundMAX\Smtray.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\WINDOWS\System32\rundll32.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\crypserv.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\PrintKey2000\Printkey2000.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\hijackthis\fredmh.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com O2 - BHO: (no name) - {192c5b4a-3efd-40c7-9f99-c472deb8efc0} - C:\Program Files\Perfect Codec\isaddon.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll O3 - Toolbar: Protection Bar - {bf1ced2c-4b3f-4079-a330-864eda5a4cff} - C:\Program Files\Perfect Codec\iesplugin.dll (file missing) O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164431353828 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{8F865F4B-9048-4E25-9760-06632857B582}: NameServer = 167.206.245.82,167.206.245.83 O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe thanks in advance

12-02-2006, 01:29 PM	#2 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	Hello, and welcome to the HijackThis Help Forum. Apologies for any delay in replying, but we have been rather busy lately. Since it has been a few days since you first posted, please post a fresh HijackThis Log if you still need assistance. Thank you. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

12-02-2006, 08:56 PM	#4 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	Did you run SmitfraudFix? If not, I'll give you instructions. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

12-02-2006, 11:29 PM	#6 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. There's another tool we use that does a great job at cleaning up remnants. You still have a few traces in your HJT log, so let's run the tool to get rid of those and whatever else might be lurking. I've noticed that we've cleaned you up quite a few times. Is there a reason why you haven't updated to service pack 2? Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any. Download CleanUp! Download and install CleanUp! but do not run it yet. WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp! WARNING: Do not run cleanup under Windows XP x64 Edition. If you're not sure if you have the 64-bit version of Windows then you probably do not; however, you can check by using IE to download the whichcpu tool and then running it. Download AVG Anti-Spyware Please download, install, and update AVG Anti-Spyware. Load AVG Anti-Spyware and then click the Shield tab at the top Click on the word active to change it to inactive. Click the Update tab at the top: Under Manual update, click Start update. After the update finishes, the status bar at the bottom will display "Update successful". If you are having trouble updating, you can also download and run the manual updater. Under Automatic update, change the Update interval to something more reasonable like 12 or 24 hours. Click the Scanner tab at the top and then the Settings sub-tab: Under How to act?, click Recommended actions and select Quarantine. Under Reports, select Automatically generate report after every scan Close AVG Anti-Spyware. Do not run a scan with it yet. Download SmitfraudFix Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop, but don't do anything else with it yet. Reboot Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Login on with your usual account. Make sure to close any open windows. Run SmitfraudFix Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and pressing Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted: " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and pressing Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply. Run CleanUp! Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the "Temporary Files" and make sure the box for "Scan drives for file matching" is unchecked. Click OK. Press the CleanUp! button to start the program. Once it's finished CleanUp! will ask you to logoff/reboot. Please select NO as we will do this later. Fix Desktop Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin. Run AVG Anti-Spyware Run AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared. AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. If Set all elements to is not set to Quarantine (1), please click Recommended Action and choose Quarantine from the popup menu (2). At the bottom of the window, click on the Apply all actions button (3). When it has finished, click the Save Scan Report button (4), then click Save Report As and save the report it to your desktop. Close AVG Anti-Spyware. Reboot Reboot your system to Normal Mode. Re-run SmitfraudFix Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #3 - Delete Trusted zone by typing 3 and pressing Enter. NOTE: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. Online Scan Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded, click on NEXT. Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: extended Scan Options: Scan Archives and Scan Mail Bases Click OK Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done. Now under select a target to scan, select My Computer The program will start and scan your system. The scan will take a while so be patient and let it run all the way. Once the scan is complete it will display if your system has been infected. Click on the Save as Text button and save the file to your desktop. Copy and paste that information in your next post. Take note the names and locations of any file it detects but fails to clean. Download Autoruns Please download Autoruns and AutoCmd. Extract the contents of Autoruns into a new folder. Now extract the contents of AutoCmd into the same folder as Autoruns. This is important! Double-click on AutoCmd.cmd & select option '1' It will produce a log called autoruns_X_Y.txt (where X and Y are the date and time respectively). Please attach the log in your next reply. Generate An Uninstall List Open HijackThis. Click on the "Configure" button on the bottom right. Click on the tab "Misc Tools". Click on the Box that says "Open Uninstall Manager". Click on the button "Save list" Please save a copy and paste the contents with your next reply. With Your Next Post... Please paste the following with your next reply (in this order please): The contents of C:\rapport.txt, AVG Anti-Spyware scan report, Kaspersky scan report, your Autoruns log, your uninstall list, and a new HiJackThis log taken after Kaspersky finishes. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

12-04-2006, 07:48 PM	#8 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	I see you have a "undetected speed hack" installed for Soldat. We are not here to pass judgment; however, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. The same goes for P2P software - we don't pass judgment, but using it can make you more susceptible to re-infection. I strongly urge you to update to SP2 when I declare your machine clean (but not before; SP2 should only be installed on a malware free machine). It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, I will have you return to the Windows Update page and install SP2. I will also then advise you on how to better protect yourself online. Clear Cookies Clear your Firefox cookies. From the open browser, go to Tools>Options>Privacy>Cookies>Clear. Clean Quarantine Please follow Symantec's guide to clean out your Norton quarantine directory. Uninstall Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): Viewpoint Media Player Web Savings from Ebates Please let me know if any of these were unable to uninstall. Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Mark's Folder\Soldat\1.3\Speed_Hack.zip C:\Program Files\Viewpoint Online Scan Perform an online scan with Internet Explorer with Panda ActiveScan. Click on the "Scan your PC" button located at the bottom of the page. A popup window should appear -- make sure you allow it if you have a popup blocker. Enter your e-mail address, country, and state and click Scan Now. Your computer will download Panda's 8 megabyte ActiveX control at this point. Follow the on-screen directions if it asks you to install the ActiveX control. Begin the scan by selecting My Computer. Note: Please turn off the real time scanner of any existing antivirus program while performing the online scan. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report. It is not necessary to remain online while it's doing the scan, but you will have to re-connect after it has finished to see the report. With Your Next Post... Please paste the following with your next reply (in this order please): Panda scan report, a new HiJackThis log taken after Panda finishes. Also let me know how your machine is behaving now. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

12-02-2006, 08:36 PM	#3 (permalink)
shark3189 Registered User Join Date: Jul 2004 Posts: 85 OS: Windows XP	It's no problem, you guys are doing this for free and i appreciate it. I got rid of the critical system error, but Ill post another log just to be safe. Logfile of HijackThis v1.99.1 Scan saved at 11:35:11 PM, on 12/02/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Analog Devices\SoundMAX\Smtray.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\VERITAS Software\Update Manager\sgtray.exe C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe C:\Program Files\PrintKey2000\Printkey2000.exe C:\WINDOWS\system32\crypserv.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\wuauclt.exe C:\hijackthis\fredmh.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com O2 - BHO: (no name) - {192c5b4a-3efd-40c7-9f99-c472deb8efc0} - C:\Program Files\Perfect Codec\isaddon.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll O3 - Toolbar: Protection Bar - {bf1ced2c-4b3f-4079-a330-864eda5a4cff} - C:\Program Files\Perfect Codec\iesplugin.dll (file missing) O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164431353828 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{8F865F4B-9048-4E25-9760-06632857B582}: NameServer = 167.206.245.82,167.206.245.83 O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

12-02-2006, 09:21 PM	#5 (permalink)
shark3189 Registered User Join Date: Jul 2004 Posts: 85 OS: Windows XP	I used something similar i think, it was called prevx1 and it seemed to work because the message is gone and so is the icon.

12-05-2006, 01:21 PM	#9 (permalink)
shark3189 Registered User Join Date: Jul 2004 Posts: 85 OS: Windows XP	Ok, viewpoint uninstalled but i got an error from the web savings one: Incident Status Location Adware:adware/ncase Not disinfected c:\windows\system32\SAIEAU.DAT Adware:adware/oemji Not disinfected C:\Documents and Settings\MD\Application Data\SpamExtract Adware:adware/wintools Not disinfected Windows Registry Adware:adware/portalscan Not disinfected Windows Registry Adware:adware/savenow Not disinfected Windows Registry Adware:adware/iedriver Not disinfected Windows Registry Adware:adware/seeqbar Not disinfected Windows Registry Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\MD\Desktop\SmitfraudFix\Process.exe Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\DEFAULT.77V\COOKIES.TXT[.com.com/] Adware:Adware/WUpd Not disinfected C:\hijackthis\BACKUPS\backup-20041003-213452-817.inf Adware:Adware/AzeSearch Not disinfected C:\hijackthis\BACKUPS\backup-20051213-211451-885.inf Logfile of HijackThis v1.99.1 Scan saved at 4:21:27 PM, on 12/05/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Analog Devices\SoundMAX\Smtray.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\crypserv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe C:\Program Files\PrintKey2000\Printkey2000.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\hijackthis\fredmh.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1164431353828 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{8F865F4B-9048-4E25-9760-06632857B582}: NameServer = 167.206.245.82,167.206.245.83 O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe Thanks again for your help

12-05-2006, 08:04 PM	#10 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	You can get rid of the Ebates like so: Uninstall Manager Run HijackThis. Go to Config \|\| Misc Tools Click the button labelled "Open Uninstall Manager". To get a quick uninstall Log, click the "Save List" button Find and select the following entries in order and click "Delete This Entry" for each one: Web Savings from Ebates When you've got them all, close HijackThis. Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist: C:\Documents and Settings\MD\Application Data\SpamExtract C:\hijackthis\BACKUPS\backup-20041003-213452-817.inf C:\hijackthis\BACKUPS\backup-20051213-211451-885.inf C:\WINDOWS\system32\SAIEAU.DAT Well done, your logs are clean! Any more issues? If not, you should be good to go but we still have a few items we'd like to address. The most important step is that you update your machine to Service Pack 2. Reset hidden/system files and folders Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm and then click OK. Reset System Restore Go to Start>Run, type SYSDM.CPL and press Enter. Select the System Restore tab. Check "Turn off System Restore on all drives" and click Apply. Now uncheck the same option and click OK. Re-enable Protection Turn back on any malware prevention tools we might have had you switch off. Microsoft Updates It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection. Please ensure that you have already patched your system against these recent critical exploits: WMF exploit: KB912919 VML exploit: KB925486 Enable Windows Auto Update: Go to Start>Run, type WUAUCPL.CPL and press Enter. Make sure "Keep my computer up to date" is checked. Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Update Java You need to update your Java as it is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Download the latest version of Java Runtime Environment (JRE) 5.0 Update 10. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without multi-language and save to your desktop. Close any programs you may have running -- especially your web browser(s). Go to Start→Control Panel double-click on Add/Remove Programs. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each version of Java. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-1_5_0_10-windowsi586-p.exe to install the newest version. After the reboot, go back into the Control Panel and double-click the Java icon. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL three checked: Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window. NOTE: This deletes ALL of the Downloaded Applications and Applets from the cache. Click OK to leave the Java Control Panel. Tool Deletions Feel free to remove these tools and their folders: Autoruns and AutoCmd CleanUp! (uninstall from Add/Remove Programs) SmitfraudFix You may want to keep AVG Anti-Spyware, as it will offer you some additional protection. It is a free 30 day trial, after which time you will need to manually update it yourself. Malware Prevention This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them. Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer". The following is a list of free software we recommend: Antivirus AV software should be updated at least once a week for optimum protection. Here are some free AV programs available for personal use. NOTE: Do not install more than one AV program because they will conflict with each other. Only pick one. AOL Active Virus Shield (powered by Kaspersky Antivirus) BitDefender Avira PersonalEdition Classic Avast! AVG Firewalls A good firewall is the first-line of defense for your computer and will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use: Sygate Personal Firewall ZoneAlarm Tiny Personal Firewall Sunbelt Kerio Personal Firewall Outpost Firewall PRO Realtime Malware Prevention Tools These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time. Spyware Guard Spybot Search & Destroy AdAware WinPatrol - with tutorial Passive Malware Prevention Tools These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources. SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates. IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on it's homepage. MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements, preventing your computer from connecting to those sites. McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox. Alternative Web Browsers Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites. Firefox Opera Alternative Miscellaneous Here are some alternatives that are worth looking into if you use their features: Trillian - an Instant Messenger client that speaks multiple IM services (AIM, Yahoo!, ICQ, MSN, etc.) Miranda-IM - another Instant Messenger client with multiple IM capabilities. Desktop Weather - A taskbar weather program that is free and resource light. Please respond to this thread one more time so we can mark this thread as resolved. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006

12-08-2006, 09:58 PM	#11 (permalink)
shark3189 Registered User Join Date: Jul 2004 Posts: 85 OS: Windows XP	My computer is running fine now. I upgraded to SP2 and kept AVG, thank you for all your help.