please help me with this unknown ctpmon.exe

edchar · 01-26-2007, 10:21 AM

Iv'e got a problem here that always appear in my computer. when i turned on my pc i automatically received this problem "unknown registry 2123 error of ctpmon.exe. there are 3 choices for me to choose,it is "help" , "restart" and "ask me later". I can't leave my computer for a while because this security error has a time countdown then automatically restarts. please help me on this problem. I saw this problem in C:/windows/system32. please follow up on this problem and help me.thank you.

tetonbob · 01-27-2007, 08:13 PM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

---------------------------------------------------------------------------------------------

Please download HijackThis to your desktop - this program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

edchar · 01-28-2007, 01:17 AM

SmitFraudFix v2.137

Scan done at 16:34:30.32, Sun 01/28/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ctpmon.exe FOUND !
C:\WINDOWS\system32\zlbw.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data

C:\Documents and Settings\user\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

This is the result of SmitFraud.exe

edchar · 01-28-2007, 01:19 AM

Logfile of HijackThis v1.99.1
Scan saved at 4:35:14 PM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctpmon.exe
C:\WINDOWS\system32\ctpmon.exe
D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\NEWFOL~1\lavasoft\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ctpmon] ctpmon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mymail.mcdermott.com/Interna...WhlCompMgr.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab
O18 - Protocol: bw+0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: intel3 - intel3.dll (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

This is the result of HijackThis.exe

tetonbob · 01-28-2007, 08:34 AM

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

You have a few different infections on this system. This may take some time to clear out.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

---------------------------------------------------------------------------------------------

I see you have AVG Anti-Spyware already. Please update it's definitions, and run a scan where I have placed it in this fix.

Run AVG Anti-Spyware

From the main screen, click on update, then click the Start
update button.
After the update finishes (the status bar at the bottom will display "Update
successful")
select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Exit AVG Anti-Spyware. DO NOT scan yet.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

We'll use this later.

---------------------------------------------------------------------------------------------

Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost32.exe
O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab

All O18 entries like this next one, EXCEPT the first one:

O18 - Protocol: bw+0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O20 - Winlogon Notify: intel3 - intel3.dll (file missing)

Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following if they exist:

C:\WINDOWS\system\svchost32.exe<<<Note the exact location and spelling of this file!
C:\WINDOWS\system32\lmovie.exe

---------------------------------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

---------------------------------------------------------------------------------------------

Clean out your Temporary Internet files.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

"Security Info"
"Warning Message"
"Security Desktop"
"Warning Homepage"
"Desktop Uninstall" or something similar

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on located at the bottom of the page.
A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Then post the following logs in your next reply...

C:\rapport.txt (log from the tool)
AVG Anti-Spyware log
Panda log
Hijackthis log

edchar · 01-29-2007, 05:32 AM

SmitFraudFix v2.137

Scan done at 18:31:24.10, Mon 01/29/2007
Run from D:\my documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ctpmon.exe Deleted
C:\WINDOWS\system32\zlbw.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

This is the Rapport results.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:32:01 PM 1/29/2007

+ Scan result:

D:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP230\A0127245.exe -> Adware.MyWay : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP230\A0127242.reg -> Trojan.Disabler.c : Cleaned with backup (quarantined).

::Report end

This is the report of AVG anti-spyware results.

Incident Status Location

Adware:adware/adsmart Not disinfected c:\windows\system32\VX.TLL
Virus:trj/abwiz.a Disinfected Operating system
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/quickbar Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\USER\Desktop\SmitfraudFix\Process.exe
Adware:Adware/BraveSentry Not disinfected C:\Documents and Settings\USER\Application Data\Install.dat
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\DON\Desktop\SmitfraudFix\Process.exe
Spyware:Spyware/Conducent-Timesink Not disinfected D:\Games\ROAD RACING\Oxide\TSUninstaller.exe
Adware:Adware/SaveNow Not disinfected D:\my documents\PAOLA\SETUP\bsplayer142.833.exe[SetupInst.exe]
Potentially unwanted tool:Application/Processor Not disinfected D:\my documents\SmitfraudFix\Process.exe

This was the Pandalog scan results.

Logfile of HijackThis v1.99.1
Scan saved at 8:29:43 PM, on 1/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
D:\my documents\charry\Zuma.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\NEWFOL~1\lavasoft\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mymail.mcdermott.com/Interna...WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab
O18 - Protocol: bw+0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

This is the results of the scan of HijackThis.exe..

When I turned my computer to safe mode and run the HijackThis.exe, you told me to check this O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe and fix it,but when i tried it in safe mode,there's no result that appears the same as this file you wanted me to fix/delete..When I switched to the normal mode of my windows xp, i tried run the HijackThis.exe and I saw this file here in normal mode but in safe mode, there is no result that appears there. How come in normal mode there's this file O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe and when in safe mode,there's no file that appears like that?. Is my process correct? Please help me

tetonbob · 01-29-2007, 10:13 AM

If you didn't log on in safe mode to the same user account, the HKCU would not appear. Did you happen to log on in the Administrator account instead of your usual account?

In normal mode:

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe

Create an uninstall list:

With HiJackThis still open

Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Open Uninstall Manager"
Click on the button "Save list"
Copy and past the List from the notepad file into your post

Close HijackThis now.

---------------------------------------------------------------------------------------------

Delete the following if they exist:

C:\WINDOWS\system32\lmovie.exe
C:\Documents and Settings\USER\Application Data\Install.dat
c:\windows\system32\VX.TLL

---------------------------------------------------------------------------------------------

Download combofix.exe to your desktop.
Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log (located at C:\ComboFix.txt) in your next reply with a new HJT log and the uninstall list

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------

edchar · 01-29-2007, 09:10 PM

"user" - 07-01-30 12:05:36 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\user\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\dlh9jkd1q8.exe

((((((((((((((((((((((((((((((( Files Created from 2006-12-30 to 2007-01-30 ))))))))))))))))))))))))))))))))))

2007-01-29 19:41 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-28 16:28 <DIR> d-------- C:\DOCUME~1\user\Application Data\Symantec
2007-01-28 16:06 <DIR> d--hs---- C:\FOUND.018
2007-01-28 15:40 2,520 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-28 15:39 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-28 15:39 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-28 15:39 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-28 15:39 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-28 15:39 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-28 15:39 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-28 09:44 <DIR> d-------- C:\DOCUME~1\don\Application Data\Apple Computer
2007-01-27 12:34 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-01-27 12:22 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-01-27 12:21 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-01-27 12:16 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-01-27 12:16 <DIR> d-------- C:\DOCUME~1\don\WINDOWS
2007-01-27 12:15 <DIR> d-------- C:\Program Files\Common Files\ODBC
2007-01-27 01:05 <DIR> d-------- C:\Program Files\HijackThis
2007-01-27 01:00 <DIR> d---s---- C:\DOCUME~1\don\UserData
2007-01-27 00:51 <DIR> d-------- C:\DOCUME~1\don\Application Data\GRETECH
2007-01-27 00:43 <DIR> d--hs---- C:\FOUND.017
2007-01-26 23:44 <DIR> d-------- C:\DOCUME~1\don\Application Data\Symantec
2007-01-26 23:43 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-01-26 23:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Symantec
2007-01-26 20:47 <DIR> dr-h----- C:\DOCUME~1\don\Application Data\yahoo!
2007-01-26 12:14 <DIR> d-------- C:\DOCUME~1\don\Application Data\Google
2007-01-26 11:47 <DIR> d-------- C:\DOCUME~1\don\Application Data\AVG7
2007-01-26 11:47 <DIR> d-------- C:\DOCUME~1\don\Application Data\Adobe
2007-01-23 18:08 <DIR> d-------- C:\DOCUME~1\user\Application Data\AdobeAUM
2007-01-22 19:51 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-22 19:51 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-01-22 19:51 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-22 19:51 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-22 19:51 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-22 19:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-01-22 19:06 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-22 18:24 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-19 11:45 102,400 --a------ C:\WINDOWS\system32\advvpi32.dll
2007-01-18 20:34 38,912 --a------ C:\WINDOWS\system32\icf.exe
2007-01-16 18:21 74,938 --a------ C:\Program Files\Uninstall.exe
2007-01-11 17:47 102,400 -ra------ C:\WINDOWS\system32\grdmgr.exe
2007-01-07 13:41 <DIR> d--hs---- C:\FOUND.016
2007-01-05 22:29 <DIR> d--hs---- C:\FOUND.015
2007-01-03 20:01 <DIR> d--hs---- C:\FOUND.014

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-29 23:00 1408 --a------ C:\DOCUME~1\user\Application Data\.googlewebacchosts
2006-12-29 14:28 -------- d-------- C:\Program Files\whale communications
2006-12-26 10:53 -------- d-------- C:\Program Files\abacast
2006-12-25 22:53 -------- d-------- C:\DOCUME~1\user\Application Data\gretech
2006-12-23 02:14 1220608 -ra------ C:\WINDOWS\system32\clubbox.exe
2006-12-19 14:37 737280 --a------ C:\WINDOWS\iun6002.exe
2006-12-19 14:37 -------- d-------- C:\Program Files\andreamosaic
2006-12-01 11:33 61440 --a------ C:\WINDOWS\system32\nod.dll
2006-12-01 11:27 52778 --a------ C:\WINDOWS\system32\clubboxuninstall.exe
2006-11-29 23:41 327680 -ra------ C:\WINDOWS\system32\grdupdater.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE ZSMC USB PC Camera"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Logitech Utility"="Logi_MwX.Exe"
"ClubBox"=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"!AVG Anti-Spyware"="\"D:\\Program Files\\avg antispyware\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"System Registry Hook"="{309C96FA-8C40-4bce-879C-989DC33DCD25}"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinMedia"="C:\\WINDOWS\\TEMP\\315765.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"WinMedia"="C:\\WINDOWS\\TEMP\\315765.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_NPKCRYPT

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-30 12

57

Results of Combofix.exe

Logfile of HijackThis v1.99.1
Scan saved at 12:07:38 PM, on 1/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\NEWFOL~1\lavasoft\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mymail.mcdermott.com/Interna...WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab
O18 - Protocol: bw+0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Results of the HJT.exe

µTorrent
Abacast Client
Ad-Aware SE Professional
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Adobe® Photoshop® Album Starter Edition 3.0
AnalogX NetStat Live
AndreaMosaic 3.20
Apple Software Update
Aqua Pearls
AVG Anti-Spyware 7.5
AVG Free Edition
Barbie ® Nail Designer(TM)
Chikka (3.0.47)
CleanUp!
Clubbox ÆÄÀÏÀü¼Û°ü¸®ÀÚ
Diner Dash - Flo on the Go (remove only)
EPSON Printer Software
Gift Shop (remove only)
GOM Player
Google Earth
Google Toolbar for Internet Explorer
Google Web Accelerator
HijackThis 1.99.1
iPod for Windows 2005-02-22
iTunes
J2SE Runtime Environment 5.0 Update 3
LEGO Chic Boutique (remove only)
LimeWire 4.12.6
Logitech Desktop Messenger
Logitech iTouch Software
Logitech MouseWare 9.79
Microsoft Cubicle Chaos for Pocket PC (Remove Only)
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Microsoft Visual C++ 2005 Redistributable
MSN
MSN Music Assistant
Network Play System (Patching)
O2Jam_PH
Panda ActiveScan
Puzzle Bobble 2x
QuickTime
Ragnarok Online
Ragnarok Online
RegFix Mantra v2.1
Sandlot Games Client Services
Shockwave
Tekken Advance
The Sims
Tumblebugs
Update for Windows XP (KB898461)
Whale Communications' Client Components v3.1.2
WindowBlinds
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
WinZip
World Book Student Dictionary
XviD 1.1 final uninstall
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger
Yahoo! Toolbar
ZSMC USB PC Camera

Results of Uninstall list.

tetonbob · 01-29-2007, 10:37 PM

Please do this:

Download the Registry Search Tool from this page:
http://www.billsway.com/vbspage/
You'll have to scroll down the page to find it.
Unzip it and run it.
If your antivirus interferes, you have to disable script blocking in the antivirus.
Put the following in the search box:

{309C96FA-8C40-4bce-879C-989DC33DCD25}

Let it start the scan.
Post the results of the textfile you get in your next reply.

edchar · 01-30-2007, 03:48 AM

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{309C96FA-8C40-4bce-879C-989DC33DCD25}" 1/30/2007 6:47:53 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{309C96FA-8C40-4bce-879C-989DC33DCD25}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{309C96FA-8C40-4bce-879C-989DC33DCD25}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"System Registry Hook"="{309C96FA-8C40-4bce-879C-989DC33DCD25}"

[HKEY_USERS\S-1-5-21-507921405-2111687655-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"System Registry Hook"="{309C96FA-8C40-4bce-879C-989DC33DCD25}"

This are the results.

tetonbob · 01-30-2007, 07:30 AM

P2P - I see you have P2P software ( µTorrent, LimeWire 4.12.6 ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

---------------------------------------------------------------------------------------------

I have attached a file to this post - edcharfix.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

---------------------------------------------------------------------------------------------

Please go to: VirusTotal

At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to this file in BOLD:

C:\WINDOWS\system32\icf.exe
Click "Open".
Then click the "Send" button at the top of the VirusTotal page.
This will scan the file. Please be patient.
Then repeat as above for the following files in BOLD:

C:\WINDOWS\system32\grdmgr.exe
C:\WINDOWS\system32\advvpi32.dll
Once scanned, copy and paste the results in your next reply.

Also, I need more information for this file -> C:\WINDOWS\system32\grdmgr.exe
Right click on that file and go to Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here. Is it related to clubbox?

---------------------------------------------------------------------------------------------

Go here and do the BitDefender online virus scan.

Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Leave the scanning options at default and press "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop then come back here and post it in your next reply.

Also post a new HJT log, and let me know how your system is behaving.

edchar · 01-31-2007, 06:54 AM

STATUS: FINISHEDComplete scanning result of "icf.exe", received in VirusTotal at 01.30.2007, 15:57:02 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.32 01.30.2007 TR/Ozdok.B.39
Authentium 4.93.8 01.29.2007 no virus found
Avast 4.7.936.0 01.29.2007 no virus found
AVG 386 01.30.2007 no virus found
BitDefender 7.2 01.30.2007 Trojan.Ozdok.B
CAT-QuickHeal 9.00 01.29.2007 no virus found
ClamAV devel-20060426 01.30.2007 no virus found
DrWeb 4.33 01.30.2007 no virus found
eSafe 7.0.14.0 01.30.2007 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.128 01.30.2007 no virus found
eTrust-Vet 30.3.3358 01.29.2007 no virus found
Ewido 4.0 01.30.2007 no virus found
Fortinet 2.85.0.0 01.30.2007 suspicious
F-Prot 4.2.1.29 01.30.2007 no virus found
Ikarus T3.1.0.27 01.30.2007 Trojan.Win32.Agent.aek
Kaspersky 4.0.2.24 01.30.2007 Trojan.Win32.Agent.aek
McAfee 4951 01.29.2007 no virus found
Microsoft 1.2101 01.30.2007 no virus found
NOD32v2 2019 01.30.2007 a variant of Win32/Ozdok.A
Norman 5.80.02 01.30.2007 no virus found
Panda 9.0.0.4 01.29.2007 no virus found
Prevx1 V2 01.30.2007 no virus found
Sophos 4.13.0 01.28.2007 no virus found
Sunbelt 2.2.907.0 01.26.2007 no virus found
Symantec 10 01.30.2007 no virus found
TheHacker 6.0.3.159 01.28.2007 no virus found
UNA 1.83 01.29.2007 no virus found
VBA32 3.11.2 01.29.2007 no virus found
VirusBuster 4.3.19:9 01.30.2007 no virus found

Aditional Information
File size: 38912 bytes
MD5: 5b935f7d05f0176d48f88912f147cfd9
SHA1: 4b78942acd30b25b5b126e9fd2c106910bdb3c12
packers: UPX
packers: UPX
packers: UPX

This is the result of icf.exe

STATUS: FINISHEDComplete scanning result of "grdmgr.exe", received in VirusTotal at 01.30.2007, 16:08:18 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.32 01.30.2007 no virus found
Authentium 4.93.8 01.29.2007 no virus found
Avast 4.7.936.0 01.29.2007 no virus found
AVG 386 01.30.2007 no virus found
BitDefender 7.2 01.30.2007 no virus found
CAT-QuickHeal 9.00 01.29.2007 no virus found
ClamAV devel-20060426 01.30.2007 no virus found
DrWeb 4.33 01.30.2007 no virus found
eSafe 7.0.14.0 01.30.2007 no virus found
eTrust-InoculateIT 23.73.128 01.30.2007 no virus found
eTrust-Vet 30.3.3358 01.29.2007 no virus found
Ewido 4.0 01.30.2007 no virus found
Fortinet 2.85.0.0 01.30.2007 no virus found
F-Prot 4.2.1.29 01.30.2007 no virus found
Ikarus T3.1.0.27 01.30.2007 no virus found
Kaspersky 4.0.2.24 01.30.2007 no virus found
McAfee 4951 01.29.2007 no virus found
Microsoft 1.2101 01.30.2007 no virus found
NOD32v2 2020 01.30.2007 no virus found
Norman 5.80.02 01.30.2007 no virus found
Panda 9.0.0.4 01.29.2007 no virus found
Prevx1 V2 01.30.2007 Win32.Malware.gen
Sophos 4.13.0 01.28.2007 no virus found
Sunbelt 2.2.907.0 01.26.2007 no virus found
Symantec 10 01.30.2007 no virus found
TheHacker 6.0.3.159 01.28.2007 no virus found
UNA 1.83 01.29.2007 no virus found
VBA32 3.11.2 01.29.2007 no virus found
VirusBuster 4.3.19:9 01.30.2007 no virus found

Aditional Information
File size: 102400 bytes
MD5: ee38e27d2e0d51c1acc8b4bc7ea9ae6d

This is the result of grdmgr.exe

STATUS FINISHEDComplete scanning result of advvpi32.dll, received in VirusTotal at 01.30.2007, 161545 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.32 01.30.2007 WormMydoom.102400.1
Authentium 4.93.8 01.29.2007 no virus found
Avast 4.7.936.0 01.29.2007 no virus found
AVG 386 01.30.2007 no virus found
BitDefender 7.2 01.30.2007 Generic.Mydoom.7454ACA1
CAT-QuickHeal 9.00 01.29.2007 no virus found
ClamAV devel-20060426 01.30.2007 no virus found
DrWeb 4.33 01.30.2007 Trojan.Spambot
eSafe 7.0.14.0 01.30.2007 no virus found
eTrust-InoculateIT 23.73.128 01.30.2007 no virus found
eTrust-Vet 30.3.3358 01.29.2007 no virus found
Ewido 4.0 01.30.2007 no virus found
Fortinet 2.85.0.0 01.30.2007 no virus found
F-Prot 4.2.1.29 01.30.2007 no virus found
Ikarus T3.1.0.27 01.30.2007 no virus found
Kaspersky 4.0.2.24 01.30.2007 no virus found
McAfee 4951 01.29.2007 no virus found
Microsoft 1.2101 01.30.2007 no virus found
NOD32v2 2020 01.30.2007 no virus found
Norman 5.80.02 01.30.2007 no virus found
Panda 9.0.0.4 01.29.2007 Suspicious file
Prevx1 V2 01.30.2007 no virus found
Sophos 4.13.0 01.28.2007 no virus found
Sunbelt 2.2.907.0 01.26.2007 no virus found
Symantec 10 01.30.2007 no virus found
TheHacker 6.0.3.159 01.28.2007 no virus found
UNA 1.83 01.29.2007 no virus found
VBA32 3.11.2 01.29.2007 Trojan.Spambot
VirusBuster 4.3.199 01.30.2007 no virus found

Aditional Information
File size 102400 bytes
MD5 f044b784c799d0dc4ba15a0124b2ec28
SHA1 66d3b1b0f9b9f698986cd12b09dbb7a6aae02550

This is the result of advvpi32.dll

File version: 1.0.0.19
Description: 나우콤 캐쉬 매니저
Copyright: (C) NOWCOM. All rights reserved.

Company: 나우콤 캐쉬 매니저
File Version: 1, 0, 0, 19
Internal Name: GRDMgr.exe
Language: Korean
Original File name: GRDMgr.exe
Product Name: GRDMgr
Product Version: 1, 0, 0, 19

I really don't know if this is related to club box. My sister usually uses the club box upon downloading some korean movies or musics.

BitDefender Online Scanner - Real Time Virus Report

Generated at: Wed, Jan 31, 2007 - 21:51:09

--------------------------------------------------------------------------------

Scan Info

Scanned Files
438944

Infected Files
17

Virus Detected

Trojan.Muldrop.1869.A
2

Trojan.Downloader.Tibs.BDE
3

Application.Adware.NewDotNet.B.Dropper
2

BehavesLike:Win32.RemoteInjector
2

BehavesLike:Trojan.StartPage
1

Trojan.WhenU.H
1

Generic.Mydoom.7454ACA1
6

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

This is the result of BitDefender Online scanning.

BitDefender Online Scanner

Scan report generated at: Wed, Jan 31, 2007 - 21:47:52

Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics

Time
01:17:50

Files
438543

Folders
5502

Boot Sectors
4

Archives
1747

Packed Files
57637

Results

Identified Viruses
4

Infected Files
11

Suspect Files
6

Warnings
0

Disinfected
0

Deleted Files
17

Engines Info

Virus Definitions
394422

Engine build
AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1

Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions

Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes

Scanned File
Status

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126473.dll
Infected with: Generic.Mydoom.7454ACA1

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126473.dll
Deleted

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126500.exe
Suspected of: BehavesLike:Trojan.StartPage

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126500.exe
Disinfection failed

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126500.exe
Deleted

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126505.dll
Infected with: Generic.Mydoom.7454ACA1

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126505.dll
Deleted

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126765.dll
Infected with: Generic.Mydoom.7454ACA1

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126765.dll
Deleted

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126802.dll
Infected with: Generic.Mydoom.7454ACA1

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126802.dll
Deleted

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126828.dll
Infected with: Generic.Mydoom.7454ACA1

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126828.dll
Deleted

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP237\A0133382.dll
Infected with: Generic.Mydoom.7454ACA1

C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP237\A0133382.dll
Deleted

C:\$VAULT$.AVG\00363062.FIL
Suspected of: Trojan.Downloader.Tibs.BDE

C:\$VAULT$.AVG\00363062.FIL
Disinfection failed

C:\$VAULT$.AVG\00363062.FIL
Deleted

C:\$VAULT$.AVG\00362078.FIL
Suspected of: Trojan.Downloader.Tibs.BDE

C:\$VAULT$.AVG\00362078.FIL
Disinfection failed

C:\$VAULT$.AVG\00362078.FIL
Deleted

C:\$VAULT$.AVG\02823937.FIL
Suspected of: Trojan.Downloader.Tibs.BDE

C:\$VAULT$.AVG\02823937.FIL
Disinfection failed

C:\$VAULT$.AVG\02823937.FIL
Deleted

D:\Games\Imation\CowHunter\COWTRN.EXE
Suspected of: BehavesLike:Win32.RemoteInjector

D:\Games\Imation\CowHunter\COWTRN.EXE
Disinfection failed

D:\Games\Imation\CowHunter\COWTRN.EXE
Deleted

D:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP237\A0133384.EXE
Suspected of: BehavesLike:Win32.RemoteInjector

D:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP237\A0133384.EXE
Disinfection failed

D:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP237\A0133384.EXE
Deleted

D:\my documents\paola\wallpapaers\sbspwp1.exe=>wise0020
Detected with: Application.Adware.NewDotNet.B.Dropper

D:\my documents\paola\wallpapaers\sbspwp1.exe=>wise0020
Deleted

D:\my documents\paola\wallpapaers\sbspwp1.exe
Update failed

D:\my documents\paola\wallpapaers\sbspwp1.exe=>wise0023
Infected with: Trojan.Muldrop.1869.A

D:\my documents\paola\wallpapaers\sbspwp1.exe=>wise0023
Disinfection failed

D:\my documents\paola\wallpapaers\sbspwp1.exe=>wise0023
Deleted

D:\my documents\paola\wallpapaers\sbspwp1.exe
Update failed

D:\my documents\paola\wallpapaers\sponge.exe=>wise0020
Detected with: Application.Adware.NewDotNet.B.Dropper

D:\my documents\paola\wallpapaers\sponge.exe=>wise0020
Deleted

D:\my documents\paola\wallpapaers\sponge.exe
Update failed

D:\my documents\paola\wallpapaers\sponge.exe=>wise0023
Infected with: Trojan.Muldrop.1869.A

D:\my documents\paola\wallpapaers\sponge.exe=>wise0023
Disinfection failed

D:\my documents\paola\wallpapaers\sponge.exe=>wise0023
Deleted

D:\my documents\paola\wallpapaers\sponge.exe
Update failed

D:\my documents\paola\setup\bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010=>(CAB Sfx r)=>Setup.exe
Infected with: Trojan.WhenU.H

D:\my documents\paola\setup\bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010=>(CAB Sfx r)=>Setup.exe
Disinfection failed

D:\my documents\paola\setup\bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010=>(CAB Sfx r)=>Setup.exe
Deleted

D:\my documents\paola\setup\bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010=>(CAB Sfx r)
Update failed

The report of the BitDefender Online scanning.

Logfile of HijackThis v1.99.1
Scan saved at 10:07:00 PM, on 1/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\my documents\Dondon\bot\bot\akong BS\wxstart.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\NEWFOL~1\lavasoft\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mymail.mcdermott.com/Interna...WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab
O18 - Protocol: bw+0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

The Report of the HJT.exe

edchar · 01-31-2007, 07:07 AM

My computer I think is back to normal but when I turn on my computer,when starting up its very slow that I think it reaches 4-7 mins. just to load the start up of my computer. But when I looked at the results of the BitDefender Online,There still have viruses and still it might cause problems here in our computer.

tetonbob · 01-31-2007, 09:33 AM

Delete these files:

C:\WINDOWS\system32\icf.exe
C:\WINDOWS\system32\advvpi32.dll

If they resist deletion, boot to safe mode and delete from there.

--------------------------------------------------------------------------------------------------------

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

--------------------------------------------------------------------------------------------------------

AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools. You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable it's real time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so:

Open AVG Anti-Spyware.

On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.

Hope that helps your startup time.

WindowBlinds is also resource intensive.

--------------------------------------------------------------------------------------------------------

As you can see from BitDefender, some wallpapers and games were infected. Be careful what you download and install.

Let's run one more tool.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with a new HJT log.

edchar · 01-31-2007, 09:09 PM

Here in my start window, there's no RUN that appears here not like on my other account,the extension account. Here in the administrators account,there is only "help and support" and "search" but theres no RUN there. reply asap thanks.

tetonbob · 01-31-2007, 10:19 PM

You can access the Run box by pressing the Win key (Windows Icon, between left Ctrtl and Alt) + the R key at the same time.

Let's get it out into the open.

Right Click on the Start Button.

Select Properties.

On the Start Menu tab, click on the Customize Button.

In the Customize Start Menu window, Click on the Advanced tab.

Under Start Menu items, scroll down to Run Command, and place a check in the box.

Click OK, then Click Apply, and then Click OK.

You should now have Run box on Start Menu.

You can also access System Restore by doing this:

SYSTEM RESTORE XP

To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

If you have trouble, let me know, otherwise, carry on from here.

edchar · 02-01-2007, 05:22 AM

I've Tried all the processes that you told me to do for the RUN command to appear. But still nothing happened,the RUN command didn't appear in the start menu and all you've told me didnt work for it to restore. Please help me asap thank you

tetonbob · 02-01-2007, 07:42 AM

For now, please move past that and perform the other instructions.

edchar · 02-02-2007, 07:01 PM

DESKTOP GAME.exe;D:\Games;Joke.Puncher;Incurable.Moved.;
Process.exe;D:\my documents\repair systems\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\Documents and Settings\don\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;D:\my documents\repair systems\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
restart.exe;C:\Documents and Settings\don\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;

This are the results of Dr.Web.

Logfile of HijackThis v1.99.1
Scan saved at 10:00:36 AM, on 2/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
D:\my documents\Dondon\bot\bot\akong BS\wxstart.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\NEWFOL~1\lavasoft\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mymail.mcdermott.com/Interna...WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab
O18 - Protocol: bw+0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

This is the Result of HJTlog.exe.

I haven't performed the other instrutcion you told me because still there's no RUN box here in the windows start.

tetonbob · 02-02-2007, 07:40 PM

edchar -

you don't need the run box to perform the other instructions.

Flush System Restore and set a new Point using the other method.

Quote:

You can also access System Restore by doing this:

SYSTEM RESTORE XP

To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

Why are you now using the Administrator account, anyway? I made no mention of going into the Administrator account.

Fixing should take place in the account from which the HijackThis log is taken. Your usual account. Or use the run box in that account.

01-26-2007, 10:21 AM	#1 (permalink)
edchar Registered User Join Date: Jan 2007 Posts: 50 OS: XP	please help me with this unknown ctpmon.exe Iv'e got a problem here that always appear in my computer. when i turned on my pc i automatically received this problem "unknown registry 2123 error of ctpmon.exe. there are 3 choices for me to choose,it is "help" , "restart" and "ask me later". I can't leave my computer for a while because this security error has a time countdown then automatically restarts. please help me on this problem. I saw this problem in C:/windows/system32. please follow up on this problem and help me.thank you.

01-27-2007, 08:13 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,564 OS: 2000 Pro; XP Pro; XP Home	Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Please download SmitfraudFix (by S!Ri) to your Desktop. Double-click smitfraudfix.exe to start the tool. Select option #1 - Search by typing 1 and press "Enter" and a text file will appear which lists infected files (if present). Please copy/paste the content of that report into your next reply. IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so! --------------------------------------------------------------------------------------------- Please download HijackThis to your desktop - this program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\ Double click on HijackThis.exe to run the program. 1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'. 2. If you don't get the intro screen, just hit Scan and then click on Save log. 3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

01-28-2007, 01:17 AM	#3 (permalink)
edchar Registered User Join Date: Jan 2007 Posts: 50 OS: XP	SmitFraudFix v2.137 Scan done at 16:34:30.32, Sun 01/28/2007 Run from C:\Documents and Settings\user\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is FAT32 Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\ctpmon.exe FOUND ! C:\WINDOWS\system32\zlbw.dll FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data C:\Documents and Settings\user\Application Data\Install.dat FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="wbsys.dll" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32 »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End This is the result of SmitFraud.exe Last edited by edchar; 01-28-2007 at 01:37 AM.

01-28-2007, 01:19 AM	#4 (permalink)
edchar Registered User Join Date: Jan 2007 Posts: 50 OS: XP	Logfile of HijackThis v1.99.1 Scan saved at 4:35:14 PM, on 1/28/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\VM_STI.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\ctpmon.exe C:\WINDOWS\system32\ctpmon.exe D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\NEWFOL~1\lavasoft\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost32.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [ctpmon] ctpmon.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mymail.mcdermott.com/Interna...WhlCompMgr.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab O18 - Protocol: bw+0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw+0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: bwg0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwg0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: offline-8876480 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - Winlogon Notify: intel3 - intel3.dll (file missing) O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe This is the result of HijackThis.exe Last edited by edchar; 01-28-2007 at 01:36 AM.

01-28-2007, 08:34 AM	#5 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,564 OS: 2000 Pro; XP Pro; XP Home	Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. You have a few different infections on this system. This may take some time to clear out. --------------------------------------------------------------------------------------------- Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes. --------------------------------------------------------------------------------------------- I see you have AVG Anti-Spyware already. Please update it's definitions, and run a scan where I have placed it in this fix. Run AVG Anti-Spyware From the main screen, click on update, then click the Start update button. After the update finishes (the status bar at the bottom will display "Update successful") select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Exit AVG Anti-Spyware. DO NOT scan yet. --------------------------------------------------------------------------------------------- Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only We'll use this later. --------------------------------------------------------------------------------------------- Reboot your computer in Safe Mode. If the computer is running, shut down Windows, and then turn off the power. Wait 30 seconds, and then turn the computer on. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe mode. Login on your usual account. --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost32.exe O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab All O18 entries like this next one, EXCEPT the first one: O18 - Protocol: bw+0s - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - Winlogon Notify: intel3 - intel3.dll (file missing) Close HijackThis now. --------------------------------------------------------------------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. Delete the following if they exist: C:\WINDOWS\system\svchost32.exe<<<Note the exact location and spelling of this file! C:\WINDOWS\system32\lmovie.exe --------------------------------------------------------------------------------------------- Double-click smitfraudfix.exe to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply. --------------------------------------------------------------------------------------------- Clean out your Temporary Internet files. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. --------------------------------------------------------------------------------------------- Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: "Security Info" "Warning Message" "Security Desktop" "Warning Homepage" "Desktop Uninstall" or something similar Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. --------------------------------------------------------------------------------------------- Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important). Restart in normal mode. --------------------------------------------------------------------------------------------- Double-click smitfraudfix.exe to start the tool. Select option #3 - Delete Trusted zone by typing 3 and press Enter Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter. Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. --------------------------------------------------------------------------------------------- Perform an online scan with Internet Explorer with Panda ActiveScan Click on located at the bottom of the page. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click "Free Online Scan" The download of the 8 MB Panda's ActiveX control will take place Begin the scan by selecting If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on then click * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------------------------------------------------- Run a new HijackThis scan. Save the log file and post it here. --------------------------------------------------------------------------------------------- Then post the following logs in your next reply... C:\rapport.txt (log from the tool) AVG Anti-Spyware log Panda log Hijackthis log __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

01-29-2007, 05:32 AM	#6 (permalink)
edchar Registered User Join Date: Jan 2007 Posts: 50 OS: XP	SmitFraudFix v2.137 Scan done at 18:31:24.10, Mon 01/29/2007 Run from D:\my documents\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is FAT32 Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\system32\ctpmon.exe Deleted C:\WINDOWS\system32\zlbw.dll Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End This is the Rapport results. --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 7:32:01 PM 1/29/2007 + Scan result: D:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP230\A0127245.exe -> Adware.MyWay : Cleaned with backup (quarantined). E:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP230\A0127242.reg -> Trojan.Disabler.c : Cleaned with backup (quarantined). ::Report end This is the report of AVG anti-spyware results. Incident Status Location Adware:adware/adsmart Not disinfected c:\windows\system32\VX.TLL Virus:trj/abwiz.a Disinfected Operating system Adware:adware/wupd Not disinfected Windows Registry Adware:adware/quickbar Not disinfected Windows Registry Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\USER\Desktop\SmitfraudFix\Process.exe Adware:Adware/BraveSentry Not disinfected C:\Documents and Settings\USER\Application Data\Install.dat Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\DON\Desktop\SmitfraudFix\Process.exe Spyware:Spyware/Conducent-Timesink Not disinfected D:\Games\ROAD RACING\Oxide\TSUninstaller.exe Adware:Adware/SaveNow Not disinfected D:\my documents\PAOLA\SETUP\bsplayer142.833.exe[SetupInst.exe] Potentially unwanted tool:Application/Processor Not disinfected D:\my documents\SmitfraudFix\Process.exe This was the Pandalog scan results. Logfile of HijackThis v1.99.1 Scan saved at 8:29:43 PM, on 1/29/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\VM_STI.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe D:\my documents\charry\Zuma.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\NEWFOL~1\lavasoft\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mymail.mcdermott.com/Interna...WhlCompMgr.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab O18 - Protocol: bw+0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe This is the results of the scan of HijackThis.exe.. When I turned my computer to safe mode and run the HijackThis.exe, you told me to check this O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe and fix it,but when i tried it in safe mode,there's no result that appears the same as this file you wanted me to fix/delete..When I switched to the normal mode of my windows xp, i tried run the HijackThis.exe and I saw this file here in normal mode but in safe mode, there is no result that appears there. How come in normal mode there's this file O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe and when in safe mode,there's no file that appears like that?. Is my process correct? Please help me Last edited by tetonbob; 01-29-2007 at 10:00 AM.

01-29-2007, 10:13 AM	#7 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,564 OS: 2000 Pro; XP Pro; XP Home	If you didn't log on in safe mode to the same user account, the HKCU would not appear. Did you happen to log on in the Administrator account instead of your usual account? In normal mode: Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\system32\lmovie.exe Create an uninstall list: With HiJackThis still open Click on the configure button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Copy and past the List from the notepad file into your post Close HijackThis now. --------------------------------------------------------------------------------------------- Delete the following if they exist: C:\WINDOWS\system32\lmovie.exe C:\Documents and Settings\USER\Application Data\Install.dat c:\windows\system32\VX.TLL --------------------------------------------------------------------------------------------- Download combofix.exe to your desktop. Double click on combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log (located at C:\ComboFix.txt) in your next reply with a new HJT log and the uninstall list Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

01-29-2007, 09:10 PM	#8 (permalink)
edchar Registered User Join Date: Jan 2007 Posts: 50 OS: XP	"user" - 07-01-30 12:05:36 Service Pack 2 ComboFix 07-01-25 - Running from: "C:\Documents and Settings\user\Desktop" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\dlh9jkd1q8.exe ((((((((((((((((((((((((((((((( Files Created from 2006-12-30 to 2007-01-30 )))))))))))))))))))))))))))))))))) 2007-01-29 19:41 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-01-28 16:28 <DIR> d-------- C:\DOCUME~1\user\Application Data\Symantec 2007-01-28 16:06 <DIR> d--hs---- C:\FOUND.018 2007-01-28 15:40 2,520 --a------ C:\WINDOWS\system32\tmp.reg 2007-01-28 15:39 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe 2007-01-28 15:39 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-01-28 15:39 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-01-28 15:39 40,960 --a------ C:\WINDOWS\system32\swsc.exe 2007-01-28 15:39 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-01-28 15:39 135,168 --a------ C:\WINDOWS\system32\swreg.exe 2007-01-28 09:44 <DIR> d-------- C:\DOCUME~1\don\Application Data\Apple Computer 2007-01-27 12:34 17,920 --a------ C:\WINDOWS\system32\mdimon.dll 2007-01-27 12:22 <DIR> d-------- C:\Program Files\Microsoft.NET 2007-01-27 12:21 <DIR> d-------- C:\Program Files\Microsoft ActiveSync 2007-01-27 12:16 <DIR> d-------- C:\WINDOWS\SHELLNEW 2007-01-27 12:16 <DIR> d-------- C:\DOCUME~1\don\WINDOWS 2007-01-27 12:15 <DIR> d-------- C:\Program Files\Common Files\ODBC 2007-01-27 01:05 <DIR> d-------- C:\Program Files\HijackThis 2007-01-27 01:00 <DIR> d---s---- C:\DOCUME~1\don\UserData 2007-01-27 00:51 <DIR> d-------- C:\DOCUME~1\don\Application Data\GRETECH 2007-01-27 00:43 <DIR> d--hs---- C:\FOUND.017 2007-01-26 23:44 <DIR> d-------- C:\DOCUME~1\don\Application Data\Symantec 2007-01-26 23:43 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared 2007-01-26 23:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Symantec 2007-01-26 20:47 <DIR> dr-h----- C:\DOCUME~1\don\Application Data\yahoo! 2007-01-26 12:14 <DIR> d-------- C:\DOCUME~1\don\Application Data\Google 2007-01-26 11:47 <DIR> d-------- C:\DOCUME~1\don\Application Data\AVG7 2007-01-26 11:47 <DIR> d-------- C:\DOCUME~1\don\Application Data\Adobe 2007-01-23 18:08 <DIR> d-------- C:\DOCUME~1\user\Application Data\AdobeAUM 2007-01-22 19:51 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys 2007-01-22 19:51 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys 2007-01-22 19:51 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys 2007-01-22 19:51 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys 2007-01-22 19:51 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys 2007-01-22 19:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft 2007-01-22 19:06 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys 2007-01-22 18:24 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-01-19 11:45 102,400 --a------ C:\WINDOWS\system32\advvpi32.dll 2007-01-18 20:34 38,912 --a------ C:\WINDOWS\system32\icf.exe 2007-01-16 18:21 74,938 --a------ C:\Program Files\Uninstall.exe 2007-01-11 17:47 102,400 -ra------ C:\WINDOWS\system32\grdmgr.exe 2007-01-07 13:41 <DIR> d--hs---- C:\FOUND.016 2007-01-05 22:29 <DIR> d--hs---- C:\FOUND.015 2007-01-03 20:01 <DIR> d--hs---- C:\FOUND.014 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-01-29 23:00 1408 --a------ C:\DOCUME~1\user\Application Data\.googlewebacchosts 2006-12-29 14:28 -------- d-------- C:\Program Files\whale communications 2006-12-26 10:53 -------- d-------- C:\Program Files\abacast 2006-12-25 22:53 -------- d-------- C:\DOCUME~1\user\Application Data\gretech 2006-12-23 02:14 1220608 -ra------ C:\WINDOWS\system32\clubbox.exe 2006-12-19 14:37 737280 --a------ C:\WINDOWS\iun6002.exe 2006-12-19 14:37 -------- d-------- C:\Program Files\andreamosaic 2006-12-01 11:33 61440 --a------ C:\WINDOWS\system32\nod.dll 2006-12-01 11:27 52778 --a------ C:\WINDOWS\system32\clubboxuninstall.exe 2006-11-29 23:41 327680 -ra------ C:\WINDOWS\system32\grdupdater.exe (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet" "LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "BigDogPath"="C:\\WINDOWS\\VM_STI.EXE ZSMC USB PC Camera" "SoundMan"="SOUNDMAN.EXE" "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe" "zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe" "Logitech Utility"="Logi_MwX.Exe" "ClubBox"="" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "!AVG Anti-Spyware"="\"D:\\Program Files\\avg antispyware\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "appinit_dlls"="wbsys.dll" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "System Registry Hook"="{309C96FA-8C40-4bce-879C-989DC33DCD25}" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "WinMedia"="C:\\WINDOWS\\TEMP\\315765.exe" "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] "WinMedia"="C:\\WINDOWS\\TEMP\\315765.exe" "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoRun"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 newlycreated - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_NPKCRYPT Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\AppleSoftwareUpdate.job Completion time: 07-01-30 1257 Results of Combofix.exe Logfile of HijackThis v1.99.1 Scan saved at 12:07:38 PM, on 1/30/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\VM_STI.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\NEWFOL~1\lavasoft\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mymail.mcdermott.com/Interna...WhlCompMgr.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab O18 - Protocol: bw+0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe Results of the HJT.exe µTorrent Abacast Client Ad-Aware SE Professional Adobe Acrobat 5.0 Adobe Flash Player 9 ActiveX Adobe Reader 8 Adobe® Photoshop® Album Starter Edition 3.0 AnalogX NetStat Live AndreaMosaic 3.20 Apple Software Update Aqua Pearls AVG Anti-Spyware 7.5 AVG Free Edition Barbie ® Nail Designer(TM) Chikka (3.0.47) CleanUp! Clubbox ÆÄÀÏÀü¼Û°ü¸®ÀÚ Diner Dash - Flo on the Go (remove only) EPSON Printer Software Gift Shop (remove only) GOM Player Google Earth Google Toolbar for Internet Explorer Google Web Accelerator HijackThis 1.99.1 iPod for Windows 2005-02-22 iTunes J2SE Runtime Environment 5.0 Update 3 LEGO Chic Boutique (remove only) LimeWire 4.12.6 Logitech Desktop Messenger Logitech iTouch Software Logitech MouseWare 9.79 Microsoft Cubicle Chaos for Pocket PC (Remove Only) Microsoft Office Professional Edition 2003 Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348) Microsoft Visual C++ 2005 Redistributable MSN MSN Music Assistant Network Play System (Patching) O2Jam_PH Panda ActiveScan Puzzle Bobble 2x QuickTime Ragnarok Online Ragnarok Online RegFix Mantra v2.1 Sandlot Games Client Services Shockwave Tekken Advance The Sims Tumblebugs Update for Windows XP (KB898461) Whale Communications' Client Components v3.1.2 WindowBlinds Windows Installer 3.1 (KB893803) Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 WinRAR archiver WinZip World Book Student Dictionary XviD 1.1 final uninstall Yahoo! Browser Services Yahoo! Install Manager Yahoo! Internet Mail Yahoo! Mail Quick Select Tool (PhotoMail) Yahoo! Messenger Yahoo! Toolbar ZSMC USB PC Camera Results of Uninstall list. Last edited by tetonbob; 01-29-2007 at 10:23 PM.

01-29-2007, 10:37 PM	#9 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,564 OS: 2000 Pro; XP Pro; XP Home	Please do this: Download the Registry Search Tool from this page: http://www.billsway.com/vbspage/ You'll have to scroll down the page to find it. Unzip it and run it. If your antivirus interferes, you have to disable script blocking in the antivirus. Put the following in the search box: {309C96FA-8C40-4bce-879C-989DC33DCD25} Let it start the scan. Post the results of the textfile you get in your next reply. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

01-30-2007, 03:48 AM	#10 (permalink)
edchar Registered User Join Date: Jan 2007 Posts: 50 OS: XP	REGEDIT4 ; RegSrch.vbs © Bill James ; Registry search results for string "{309C96FA-8C40-4bce-879C-989DC33DCD25}" 1/30/2007 6:47:53 PM ; NOTE: This file will be deleted when you close WordPad. ; You must manually save this file to a new location if you want to refer to it again later. ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{309C96FA-8C40-4bce-879C-989DC33DCD25}] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{309C96FA-8C40-4bce-879C-989DC33DCD25}\InprocServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "System Registry Hook"="{309C96FA-8C40-4bce-879C-989DC33DCD25}" [HKEY_USERS\S-1-5-21-507921405-2111687655-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "System Registry Hook"="{309C96FA-8C40-4bce-879C-989DC33DCD25}" This are the results.

01-30-2007, 07:30 AM	#11 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,564 OS: 2000 Pro; XP Pro; XP Home	P2P - I see you have P2P software ( µTorrent, LimeWire 4.12.6 ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information. --------------------------------------------------------------------------------------------- I have attached a file to this post - edcharfix.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry. --------------------------------------------------------------------------------------------- Please go to: VirusTotal At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to this file in BOLD: C:\WINDOWS\system32\icf.exe Click "Open". Then click the "Send" button at the top of the VirusTotal page. This will scan the file. Please be patient. Then repeat as above for the following files in BOLD: C:\WINDOWS\system32\grdmgr.exe C:\WINDOWS\system32\advvpi32.dll Once scanned, copy and paste the results in your next reply. Also, I need more information for this file -> C:\WINDOWS\system32\grdmgr.exe Right click on that file and go to Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here. Is it related to clubbox? --------------------------------------------------------------------------------------------- Go here and do the BitDefender online virus scan. Click "I Agree" to agree to the EULA. Allow the ActiveX control to install when prompted. Leave the scanning options at default and press "Click here to scan" to begin the scan. Please refrain from using the computer until the scan is finished. When the scan is finished, click on "Click here to export the scan results" Save the report to your desktop then come back here and post it in your next reply. Also post a new HJT log, and let me know how your system is behaving. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 10-17-2007 at 08:46 PM.

01-31-2007, 06:54 AM	#12 (permalink)
edchar Registered User Join Date: Jan 2007 Posts: 50 OS: XP	STATUS: FINISHEDComplete scanning result of "icf.exe", received in VirusTotal at 01.30.2007, 15:57:02 (CET). Antivirus Version Update Result AntiVir 7.3.0.32 01.30.2007 TR/Ozdok.B.39 Authentium 4.93.8 01.29.2007 no virus found Avast 4.7.936.0 01.29.2007 no virus found AVG 386 01.30.2007 no virus found BitDefender 7.2 01.30.2007 Trojan.Ozdok.B CAT-QuickHeal 9.00 01.29.2007 no virus found ClamAV devel-20060426 01.30.2007 no virus found DrWeb 4.33 01.30.2007 no virus found eSafe 7.0.14.0 01.30.2007 suspicious Trojan/Worm eTrust-InoculateIT 23.73.128 01.30.2007 no virus found eTrust-Vet 30.3.3358 01.29.2007 no virus found Ewido 4.0 01.30.2007 no virus found Fortinet 2.85.0.0 01.30.2007 suspicious F-Prot 4.2.1.29 01.30.2007 no virus found Ikarus T3.1.0.27 01.30.2007 Trojan.Win32.Agent.aek Kaspersky 4.0.2.24 01.30.2007 Trojan.Win32.Agent.aek McAfee 4951 01.29.2007 no virus found Microsoft 1.2101 01.30.2007 no virus found NOD32v2 2019 01.30.2007 a variant of Win32/Ozdok.A Norman 5.80.02 01.30.2007 no virus found Panda 9.0.0.4 01.29.2007 no virus found Prevx1 V2 01.30.2007 no virus found Sophos 4.13.0 01.28.2007 no virus found Sunbelt 2.2.907.0 01.26.2007 no virus found Symantec 10 01.30.2007 no virus found TheHacker 6.0.3.159 01.28.2007 no virus found UNA 1.83 01.29.2007 no virus found VBA32 3.11.2 01.29.2007 no virus found VirusBuster 4.3.19:9 01.30.2007 no virus found Aditional Information File size: 38912 bytes MD5: 5b935f7d05f0176d48f88912f147cfd9 SHA1: 4b78942acd30b25b5b126e9fd2c106910bdb3c12 packers: UPX packers: UPX packers: UPX This is the result of icf.exe STATUS: FINISHEDComplete scanning result of "grdmgr.exe", received in VirusTotal at 01.30.2007, 16:08:18 (CET). Antivirus Version Update Result AntiVir 7.3.0.32 01.30.2007 no virus found Authentium 4.93.8 01.29.2007 no virus found Avast 4.7.936.0 01.29.2007 no virus found AVG 386 01.30.2007 no virus found BitDefender 7.2 01.30.2007 no virus found CAT-QuickHeal 9.00 01.29.2007 no virus found ClamAV devel-20060426 01.30.2007 no virus found DrWeb 4.33 01.30.2007 no virus found eSafe 7.0.14.0 01.30.2007 no virus found eTrust-InoculateIT 23.73.128 01.30.2007 no virus found eTrust-Vet 30.3.3358 01.29.2007 no virus found Ewido 4.0 01.30.2007 no virus found Fortinet 2.85.0.0 01.30.2007 no virus found F-Prot 4.2.1.29 01.30.2007 no virus found Ikarus T3.1.0.27 01.30.2007 no virus found Kaspersky 4.0.2.24 01.30.2007 no virus found McAfee 4951 01.29.2007 no virus found Microsoft 1.2101 01.30.2007 no virus found NOD32v2 2020 01.30.2007 no virus found Norman 5.80.02 01.30.2007 no virus found Panda 9.0.0.4 01.29.2007 no virus found Prevx1 V2 01.30.2007 Win32.Malware.gen Sophos 4.13.0 01.28.2007 no virus found Sunbelt 2.2.907.0 01.26.2007 no virus found Symantec 10 01.30.2007 no virus found TheHacker 6.0.3.159 01.28.2007 no virus found UNA 1.83 01.29.2007 no virus found VBA32 3.11.2 01.29.2007 no virus found VirusBuster 4.3.19:9 01.30.2007 no virus found Aditional Information File size: 102400 bytes MD5: ee38e27d2e0d51c1acc8b4bc7ea9ae6d This is the result of grdmgr.exe STATUS FINISHEDComplete scanning result of advvpi32.dll, received in VirusTotal at 01.30.2007, 161545 (CET). Antivirus Version Update Result AntiVir 7.3.0.32 01.30.2007 WormMydoom.102400.1 Authentium 4.93.8 01.29.2007 no virus found Avast 4.7.936.0 01.29.2007 no virus found AVG 386 01.30.2007 no virus found BitDefender 7.2 01.30.2007 Generic.Mydoom.7454ACA1 CAT-QuickHeal 9.00 01.29.2007 no virus found ClamAV devel-20060426 01.30.2007 no virus found DrWeb 4.33 01.30.2007 Trojan.Spambot eSafe 7.0.14.0 01.30.2007 no virus found eTrust-InoculateIT 23.73.128 01.30.2007 no virus found eTrust-Vet 30.3.3358 01.29.2007 no virus found Ewido 4.0 01.30.2007 no virus found Fortinet 2.85.0.0 01.30.2007 no virus found F-Prot 4.2.1.29 01.30.2007 no virus found Ikarus T3.1.0.27 01.30.2007 no virus found Kaspersky 4.0.2.24 01.30.2007 no virus found McAfee 4951 01.29.2007 no virus found Microsoft 1.2101 01.30.2007 no virus found NOD32v2 2020 01.30.2007 no virus found Norman 5.80.02 01.30.2007 no virus found Panda 9.0.0.4 01.29.2007 Suspicious file Prevx1 V2 01.30.2007 no virus found Sophos 4.13.0 01.28.2007 no virus found Sunbelt 2.2.907.0 01.26.2007 no virus found Symantec 10 01.30.2007 no virus found TheHacker 6.0.3.159 01.28.2007 no virus found UNA 1.83 01.29.2007 no virus found VBA32 3.11.2 01.29.2007 Trojan.Spambot VirusBuster 4.3.199 01.30.2007 no virus found Aditional Information File size 102400 bytes MD5 f044b784c799d0dc4ba15a0124b2ec28 SHA1 66d3b1b0f9b9f698986cd12b09dbb7a6aae02550 This is the result of advvpi32.dll File version: 1.0.0.19 Description: 나우콤 캐쉬 매니저 Copyright: (C) NOWCOM. All rights reserved. Company: 나우콤 캐쉬 매니저 File Version: 1, 0, 0, 19 Internal Name: GRDMgr.exe Language: Korean Original File name: GRDMgr.exe Product Name: GRDMgr Product Version: 1, 0, 0, 19 I really don't know if this is related to club box. My sister usually uses the club box upon downloading some korean movies or musics. BitDefender Online Scanner - Real Time Virus Report Generated at: Wed, Jan 31, 2007 - 21:51:09 -------------------------------------------------------------------------------- Scan Info Scanned Files 438944 Infected Files 17 Virus Detected Trojan.Muldrop.1869.A 2 Trojan.Downloader.Tibs.BDE 3 Application.Adware.NewDotNet.B.Dropper 2 BehavesLike:Win32.RemoteInjector 2 BehavesLike:Trojan.StartPage 1 Trojan.WhenU.H 1 Generic.Mydoom.7454ACA1 6 -------------------------------------------------------------------------------- This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world. This is the result of BitDefender Online scanning. BitDefender Online Scanner Scan report generated at: Wed, Jan 31, 2007 - 21:47:52 Scan path: A:\;C:\;D:\;E:\;F:\; Statistics Time 01:17:50 Files 438543 Folders 5502 Boot Sectors 4 Archives 1747 Packed Files 57637 Results Identified Viruses 4 Infected Files 11 Suspect Files 6 Warnings 0 Disinfected 0 Deleted Files 17 Engines Info Virus Definitions 394422 Engine build AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42) Scan plugins 14 Archive plugins 38 Unpack plugins 6 E-mail plugins 6 System plugins 1 Scan Settings First Action Disinfect Second Action Delete Heuristics Yes Enable Warnings Yes Scanned Extensions ; Exclude Extensions Scan Emails Yes Scan Archives Yes Scan Packed Yes Scan Files Yes Scan Boot Yes Scanned File Status C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126473.dll Infected with: Generic.Mydoom.7454ACA1 C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126473.dll Deleted C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126500.exe Suspected of: BehavesLike:Trojan.StartPage C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126500.exe Disinfection failed C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126500.exe Deleted C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126505.dll Infected with: Generic.Mydoom.7454ACA1 C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126505.dll Deleted C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126765.dll Infected with: Generic.Mydoom.7454ACA1 C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126765.dll Deleted C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126802.dll Infected with: Generic.Mydoom.7454ACA1 C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126802.dll Deleted C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126828.dll Infected with: Generic.Mydoom.7454ACA1 C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP222\A0126828.dll Deleted C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP237\A0133382.dll Infected with: Generic.Mydoom.7454ACA1 C:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP237\A0133382.dll Deleted C:\$VAULT$.AVG\00363062.FIL Suspected of: Trojan.Downloader.Tibs.BDE C:\$VAULT$.AVG\00363062.FIL Disinfection failed C:\$VAULT$.AVG\00363062.FIL Deleted C:\$VAULT$.AVG\00362078.FIL Suspected of: Trojan.Downloader.Tibs.BDE C:\$VAULT$.AVG\00362078.FIL Disinfection failed C:\$VAULT$.AVG\00362078.FIL Deleted C:\$VAULT$.AVG\02823937.FIL Suspected of: Trojan.Downloader.Tibs.BDE C:\$VAULT$.AVG\02823937.FIL Disinfection failed C:\$VAULT$.AVG\02823937.FIL Deleted D:\Games\Imation\CowHunter\COWTRN.EXE Suspected of: BehavesLike:Win32.RemoteInjector D:\Games\Imation\CowHunter\COWTRN.EXE Disinfection failed D:\Games\Imation\CowHunter\COWTRN.EXE Deleted D:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP237\A0133384.EXE Suspected of: BehavesLike:Win32.RemoteInjector D:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP237\A0133384.EXE Disinfection failed D:\System Volume Information\_restore{3A0285BD-C464-4107-B49C-D0F2B4CDFA7E}\RP237\A0133384.EXE Deleted D:\my documents\paola\wallpapaers\sbspwp1.exe=>wise0020 Detected with: Application.Adware.NewDotNet.B.Dropper D:\my documents\paola\wallpapaers\sbspwp1.exe=>wise0020 Deleted D:\my documents\paola\wallpapaers\sbspwp1.exe Update failed D:\my documents\paola\wallpapaers\sbspwp1.exe=>wise0023 Infected with: Trojan.Muldrop.1869.A D:\my documents\paola\wallpapaers\sbspwp1.exe=>wise0023 Disinfection failed D:\my documents\paola\wallpapaers\sbspwp1.exe=>wise0023 Deleted D:\my documents\paola\wallpapaers\sbspwp1.exe Update failed D:\my documents\paola\wallpapaers\sponge.exe=>wise0020 Detected with: Application.Adware.NewDotNet.B.Dropper D:\my documents\paola\wallpapaers\sponge.exe=>wise0020 Deleted D:\my documents\paola\wallpapaers\sponge.exe Update failed D:\my documents\paola\wallpapaers\sponge.exe=>wise0023 Infected with: Trojan.Muldrop.1869.A D:\my documents\paola\wallpapaers\sponge.exe=>wise0023 Disinfection failed D:\my documents\paola\wallpapaers\sponge.exe=>wise0023 Deleted D:\my documents\paola\wallpapaers\sponge.exe Update failed D:\my documents\paola\setup\bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010=>(CAB Sfx r)=>Setup.exe Infected with: Trojan.WhenU.H D:\my documents\paola\setup\bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010=>(CAB Sfx r)=>Setup.exe Disinfection failed D:\my documents\paola\setup\bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010=>(CAB Sfx r)=>Setup.exe Deleted D:\my documents\paola\setup\bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010=>(CAB Sfx r) Update failed The report of the BitDefender Online scanning. Logfile of HijackThis v1.99.1 Scan saved at 10:07:00 PM, on 1/31/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\VM_STI.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe C:\Program Files\iPod\bin\iPodService.exe D:\my documents\Dondon\bot\bot\akong BS\wxstart.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\NEWFOL~1\lavasoft\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mymail.mcdermott.com/Interna...WhlCompMgr.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab O18 - Protocol: bw+0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe The Report of the HJT.exe Last edited by tetonbob; 01-31-2007 at 09:24 AM.*

01-31-2007, 07:07 AM	#13 (permalink)
edchar Registered User Join Date: Jan 2007 Posts: 50 OS: XP	My computer I think is back to normal but when I turn on my computer,when starting up its very slow that I think it reaches 4-7 mins. just to load the start up of my computer. But when I looked at the results of the BitDefender Online,There still have viruses and still it might cause problems here in our computer.

01-31-2007, 09:33 AM	#14 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,564 OS: 2000 Pro; XP Pro; XP Home	Delete these files: C:\WINDOWS\system32\icf.exe C:\WINDOWS\system32\advvpi32.dll If they resist deletion, boot to safe mode and delete from there. -------------------------------------------------------------------------------------------------------- CLEAR & RESET SYSTEM RESTORE'S CACHE Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter * Tick on the checkbox - Turn off System Restore on all drives * Click Apply Turn it back 'On' by unticking the same checkbox & click Apply, and then OK -------------------------------------------------------------------------------------------------------- AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools. You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable it's real time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so: Open AVG Anti-Spyware. On the main screen under Your Computer's security. Click on Change state next to Resident shield. It should now change to inactive. Click on Change state next to Automatic updates. It should now change to inactive. Hope that helps your startup time. WindowBlinds is also resource intensive. -------------------------------------------------------------------------------------------------------- As you can see from BitDefender, some wallpapers and games were infected. Be careful what you download and install. Let's run one more tool. * Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe Doubleclick the drweb-cureit.exe file and Allow to run the express scan This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, look if you can click next icon next to the files found: If so, click it and then click the next icon right below and select Move incurable as you'll see in next image: This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples) After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit. Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with a new HJT log. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

01-31-2007, 09:09 PM	#15 (permalink)
edchar Registered User Join Date: Jan 2007 Posts: 50 OS: XP	Here in my start window, there's no RUN that appears here not like on my other account,the extension account. Here in the administrators account,there is only "help and support" and "search" but theres no RUN there. reply asap thanks.

01-31-2007, 10:19 PM	#16 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,564 OS: 2000 Pro; XP Pro; XP Home	You can access the Run box by pressing the Win key (Windows Icon, between left Ctrtl and Alt) + the R key at the same time. Let's get it out into the open. Right Click on the Start Button. Select Properties. On the Start Menu tab, click on the Customize Button. In the Customize Start Menu window, Click on the Advanced tab. Under Start Menu items, scroll down to Run Command, and place a check in the box. Click OK, then Click Apply, and then Click OK. You should now have Run box on Start Menu. You can also access System Restore by doing this: SYSTEM RESTORE XP To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. This will create a new Restore Point. If you have trouble, let me know, otherwise, carry on from here. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

02-01-2007, 05:22 AM	#17 (permalink)
edchar Registered User Join Date: Jan 2007 Posts: 50 OS: XP	I've Tried all the processes that you told me to do for the RUN command to appear. But still nothing happened,the RUN command didn't appear in the start menu and all you've told me didnt work for it to restore. Please help me asap thank you

02-01-2007, 07:42 AM	#18 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,564 OS: 2000 Pro; XP Pro; XP Home	For now, please move past that and perform the other instructions. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

02-02-2007, 07:01 PM	#19 (permalink)
edchar Registered User Join Date: Jan 2007 Posts: 50 OS: XP	DESKTOP GAME.exe;D:\Games;Joke.Puncher;Incurable.Moved.; Process.exe;D:\my documents\repair systems\SmitfraudFix;Tool.Prockill;Incurable.Moved.; Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.; Process.exe;C:\Documents and Settings\don\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.; restart.exe;D:\my documents\repair systems\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.; restart.exe;C:\Documents and Settings\don\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.; This are the results of Dr.Web. Logfile of HijackThis v1.99.1 Scan saved at 10:00:36 AM, on 2/3/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\VM_STI.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Messenger\msmsgs.exe D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\internet explorer\iexplore.exe D:\my documents\Dondon\bot\bot\akong BS\wxstart.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\NEWFOL~1\lavasoft\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mymail.mcdermott.com/Interna...WhlCompMgr.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab O18 - Protocol: bw+0 - {43A2C705-95C1-465B-9522-18C7381F0326} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\avg antispyware\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe This is the Result of HJTlog.exe. I haven't performed the other instrutcion you told me because still there's no RUN box here in the windows start. Last edited by tetonbob; 02-02-2007 at 07:39 PM.