Post #1, 10-09-2007, 10:57 PM
acareus (Registered User; Join Date: Sep 2007; Location: Australia; Posts: 19; OS: Windows XP)

[SOLVED] Malware infection - HijackThis Log Help

Hiya guys, I've recently posted about a problem I had yesterday with my search engine: every time I search for information about anything and click on any link, I get redirected to a random website, although if I keep re-clicking the correct site it eventually directs to it. I've tried this with every search engine (Google, Yahoo and AltaVista) and it seems to happen on all of them. "Go The Power" has kindly helped (thankies so much ^__^) and identified that it was a malware infection and provided links, so now I've followed the steps provided by "Glaswegian".

Step 1 – I have uninstalled some malware/adware rubbish that was listed
Step 2 – I performed an online scan with Panda Scan
Step 3 – I have installed SpywareBlaster and IE-SPYAD and followed the instructions
Step 4 – I was told to skip this step because I already had Service Pack 2 installed
Step 5 – installed Deckard's System Scanner and performed a scan

I've run a Panda scan and it has found 1 virus/trojan, 173 adware (oh gosh), 5 hacking tools and 1 dialer.

Here are the logs in the following order:
Panda log
main.txt log
EDIT: attached the extra.txt log to the first post


Here is the Panda log:


Incident Status Location

Adware:Adware/Block-checker Not disinfected C:\WINDOWS\system32\navshext1.dll
Adware:Adware/SearchRelevancy Not disinfected C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
Adware:adware/block-checker Not disinfected c:\windows\system32\ccapp.exe
Spyware:spyware/new.net Not disinfected c:\windows\ndnuninstall6_38.exe
Adware:adware/toprebates Not disinfected c:\program files\Ebates_MoeMoneyMaker
Potentially unwanted tool:application/myway Not disinfected c:\program files\MySearch
Adware:adware/searchrelevancy Not disinfected c:\program files\SearchRelevancy
Adware:adware/wupd Not disinfected c:\program files\Windows AdControl
Adware:adware/ncase Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/transponder Not disinfected Windows Registry
Adware:adware/localnrd Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6CB-189F-421A-88CD-07CFE51CFF10}
Adware:adware/ieplugin Not disinfected Windows Registry
Adware:adware/blazefind Not disinfected Windows Registry
Adware:adware/topmoxie Not disinfected Windows Registry
Spyware:spyware/shopnav Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Dialer:dialer.dk Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{91433D86-9F27-402C-B5E3-DEBDD122C339}
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@112.2o7[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@2o7[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@888[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.sensismediasmart.com[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[3].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adopt.hbmediapro[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adrevolver[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ads.pointroll[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adserver.filefront[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adtech[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@as-eu.falkag[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@as1.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@belnk[1].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bfast[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bluestreak[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@c5.zedo[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@casalemedia[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ccbill[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@clickbank[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@com[2].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@counter.hitslink[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@counter10.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@counter12.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@counter14.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@counter15.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@counter2.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@counter4.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@counter8.sextracker[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@counter9.sextracker[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cs.sexcounter[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@doubleclick[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@drivecleaner[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ehg-dig.hitbox[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@errorsafe[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fastclick[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fe.lea.lycos[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@findwhat[1].txt
Spyware:Cookie/Comclick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fl01.ct2.comclick[2].txt
Spyware:Cookie/Comclick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fl01.ct2.comclick[3].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@gamearena.com[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@go.drivecleaner[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@gostats[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@hg1.hitbox[2].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@hotlog[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@kinghost[2].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@landing.domainsponsor[1].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@linksynergy[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@maxserving[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@media.adrevolver[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@mediaplex[1].txt
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@mysearch[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@offeroptimizer[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@offeroptimizer[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@overture[1].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@paycounter[1].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@paypopup[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@perf.overture[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@phg.hitbox[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@revenue[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@rn11[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@serving-sys[2].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@sexlist[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@sextracker[1].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@spylog[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@stat.onestat[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@statcounter[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@stats.drivecleaner[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@statse.webtrendslive[1].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@targetnet[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tickle[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@toplist[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tribalfusion[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@valueclick[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@web.tickle[1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@weborama[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@winfixer[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.burstbeacon[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.errorsafe[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.myaffiliateprogram[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.systemdoctor[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www1.addfreestats[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www2.addfreestats[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www3.addfreestats[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www6.addfreestats[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@xiti[1].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@xxxcounter[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@yadro[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@z1.adserver[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@zedo[1].txt
Adware:Adware/IPInsight Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\conscorr.inf
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\JNH\auraupg1.exe
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\stmtreco.exe
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI1F16.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI1F16.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI1F16.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI2008.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI2008.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI2008.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI28EE.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI28EE.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI28EE.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI2E5D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI2E5D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI2E5D.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI3955.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI3955.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI3955.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI3C5.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI3C5.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI3C5.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI40D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI40D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI40D.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI47CF.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI47CF.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI47CF.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI4D12.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI4D12.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI4D12.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI6D96.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI6D96.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI6D96.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI75BD.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI75BD.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI75BD.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI7B50.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI7B50.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI7B50.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THIE3F.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THIE3F.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THIE3F.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\JY87J1WH\CABMWB3X.HTM
Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\M9TU3YPO\CA09YV8T.HTM
Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\M9TU3YPO\CA6B0VHU.HTM
Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\M9TU3YPO\CAHORAV9.HTM
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\UHKV6FWZ\mtrslib2[1].js
Virus:Trj/Downloader.MDW Disinfected C:\Documents and Settings\HP_Owner\My Documents\My Received Files\MSN.CEDP.Stealer.2.zip[setup.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/nCase Not disinfected C:\Program Files\180Search\msbb.exe
Adware:Adware/TopRebates Not disinfected C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
Adware:Adware/SearchRelevancy Not disinfected C:\Program Files\SearchRelevant\SearchRelevant.dll
Adware:Adware/Relevance Not disinfected C:\Program Files\SearchRelevant\uninstall.exe
Adware:Adware/Block-checker Not disinfected C:\WINDOWS\system32\ustart.exe

Attached Files
File Type: txt extra.txt (22.7 KB, 1 views)

Last edited by acareus; 10-09-2007 at 11:14 PM.
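The two logs in this thread can be cross-checked mechanically rather than by eye. The following Python script is an example added here; it is not code from the original post nor from Panda, HijackThis or Deckard's System Scanner. It parses a constructed subset of the Panda log above and of the HijackThis-style section the poster attaches in the next reply: it buckets the Panda findings by location type (tracking cookies, registry entries, archive members, files on disk), marks the HijackThis O2/O4 entries whose full path matches a Panda file detection, counts BHO registrations that point at no file, and lists the system.ini UserInit entries beyond the stock userinit.exe. The helper names, the assumed stock UserInit value and the choice of sample lines are this example's own assumptions.

```python
"""Correlate Panda ActiveScan findings with HijackThis-style log entries.

Added example for this thread, not code from the original post or from the
Panda/HijackThis/DSS tools. Sample lines are a constructed subset copied from
the logs posted in the thread; helper names and STOCK_USERINIT are assumptions.
"""
import re
from collections import Counter

# Constructed subset of the Panda log from post #1.
PANDA_LOG = r"""
Adware:Adware/Block-checker Not disinfected C:\WINDOWS\system32\navshext1.dll
Adware:adware/block-checker Not disinfected c:\windows\system32\ccapp.exe
Adware:adware/ncase Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6CB-189F-421A-88CD-07CFE51CFF10}
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@atdmt[1].txt
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\HP_Owner\Local Settings\Temp\THI1F16.tmp\MMaker4b.exe[disp350.exe]
Virus:Trj/Downloader.MDW Disinfected C:\Documents and Settings\HP_Owner\My Documents\My Received Files\MSN.CEDP.Stealer.2.zip[setup.exe]
Adware:Adware/SearchRelevancy Not disinfected C:\Program Files\SearchRelevant\SearchRelevant.dll
"""

# Constructed subset of the HijackThis-clone section of the DSS log from post #2.
HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\Program Files\SearchRelevant\SearchRelevant.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\system32\navshext1.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {D9E06A41-2A46-4653-9692-BE26EFE2A018} - C:\WINDOWS\lbbho.dll (file missing)
O4 - HKEY_LOCAL_MACHINE\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [AlcxMonitor] ALCXMNTR.EXE
"""

# Panda columns: "<class>:<name> <status> <location>"; the name may contain spaces.
PANDA_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$"
)
# Drive-letter path ending in an executable extension, optionally quoted (O4 entries).
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|bat))"?', re.I)
# Assumed stock value of the system.ini UserInit line on Windows XP.
STOCK_USERINIT = {r"c:\windows\system32\userinit.exe"}


def normalize(path):
    """Case-insensitive full-path key (Windows paths are case-insensitive)."""
    return path.strip().lower().rstrip("\\")


def parse_panda_line(line):
    m = PANDA_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_location(loc):
    """Bucket a Panda Location column: registry, tracking cookie, archive member or file."""
    if loc == "Windows Registry" or loc.upper().startswith("HKEY_"):
        return "registry"
    if "\\cookies\\" in loc.lower():
        return "cookie"
    if loc.endswith("]") and "[" in loc:  # e.g. MMaker4b.exe[disp350.exe]
        return "archive-member"
    return "file"


def hjt_path(line):
    """Return the file an O2/O3/O4 entry loads, or None if it names no file."""
    if line.startswith(("O2", "O3")):
        tail = line.rsplit(" - ", 1)[-1]
        if tail.startswith("(no file)"):
            return None
        return tail.replace("(file missing)", "").strip()
    if line.startswith("O4"):
        m = PATH_RE.search(line.split("]", 1)[-1])
        return m.group(1) if m else None
    return None


def userinit_extras(line):
    """Comma-separated UserInit entries beyond the stock userinit.exe."""
    if "UserInit=" not in line:
        return []
    entries = [e.strip() for e in line.split("UserInit=", 1)[1].split(",")]
    return [e for e in entries if e and normalize(e) not in STOCK_USERINIT]


def correlate(panda_text, hjt_text):
    findings = [f for f in map(parse_panda_line, panda_text.strip().splitlines()) if f]
    by_location = Counter(classify_location(f["location"]) for f in findings)
    # Match on the full path, never the base name: the Symantec ccApp.exe under
    # Common Files is a different file from the flagged system32\ccapp.exe.
    flagged = {normalize(f["location"]) for f in findings
               if classify_location(f["location"]) == "file"}
    hits, orphans, extras = [], 0, []
    for line in hjt_text.strip().splitlines():
        extras += userinit_extras(line)
        if "(no file)" in line or "(file missing)" in line:
            orphans += 1  # dangling BHO/toolbar registration with no file on disk
            continue
        path = hjt_path(line)
        if path and normalize(path) in flagged:
            hits.append(path)
    return {
        "by_location": dict(by_location),
        "disinfected": sum(f["status"] == "Disinfected" for f in findings),
        "hits": hits,
        "orphans": orphans,
        "userinit_extras": extras,
    }


if __name__ == "__main__":
    for key, value in correlate(PANDA_LOG, HJT_LOG).items():
        print(f"{key}: {value}")
```

On the sample lines the script reports two HijackThis entries backed by Panda file detections (the "System Process" BHO loading navshext1.dll and the unnamed BHO loading SearchRelevant.dll), two BHO registrations with no file behind them, and two UserInit entries besides userinit.exe. The O4 ccApp entry is not reported because its path under Common Files differs from the system32\ccapp.exe Panda flagged, which is why the comparison is on the whole path rather than the file name.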
Post #2, 10-09-2007, 10:58 PM
acareus

Re: Malware infection - HijackThis Log Help

It didn't let me fit it all in 1 post ;___;

And here is the Deckard's System Scanner log:


Deckard's System Scanner v20070905.67
Run by HP_Owner on 2007-10-10 09:14:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
43: 2007-10-09 23:14:54 UTC - RP477 - Deckard's System Scanner Restore Point
42: 2007-10-08 09:00:33 UTC - RP476 - Installed J2SE Runtime Environment 5.0 Update 7
41: 2007-10-08 08:52:10 UTC - RP475 - System Checkpoint
40: 2007-10-03 01:04:49 UTC - RP474 - Installed VeohTV BETA
39: 2007-10-01 06:13:03 UTC - RP473 - Removed Windows Live Messenger


-- First Restore Point --
1: 2007-06-28 02:35:57 UTC - RP435 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-10 09:20:04
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\hp\KBD\kbd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\M9TU3YPO\dss[1].exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\Program Files\SearchRelevant\SearchRelevant.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\system32\navshext1.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {D9E06A41-2A46-4653-9692-BE26EFE2A018} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: (no name) - - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKEY_LOCAL_MACHINE\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKEY_LOCAL_MACHINE\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKEY_LOCAL_MACHINE\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKEY_LOCAL_MACHINE\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\MsgPlusUninst.bat"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'C:\Program Files\NewDotNet\newdotnet6_84.dll' missing
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} () - http://locator1.cdn.imagesrvr.com/si...nerInstall.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 85.255.113.132,85.255.112.195
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C8A1C72-475B-4805-8D3D-33AA3655D228}: NameServer = 85.255.113.132,85.255.112.195
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{6E6A052C-7CC3-4ECF-B713-BAA59A85CDB8}: NameServer = 85.255.113.132,85.255.112.195
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{711F03FC-DD7F-4D96-A7EE-8A4F2020D8A9}: NameServer = 85.255.113.132,85.255.112.195
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{C3D80698-AD60-464C-A53E-8E2AAB909D51}: NameServer = 85.255.113.132,85.255.112.195
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.132 85.255.112.195
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.132 85.255.112.195
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.132 85.255.112.195
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\
O23 - Service: Apple Mobile Device - Apple, Inc. - "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe


-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys (file missing)
S3 ComFiltr (Panda Anti-Dialer) - c:\windows\system32\drivers\comfiltr.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-10 07:38:27 370 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-09-03 21:54:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-09-10 and 2007-10-10 -----------------------------

2007-10-10 09:02:27 0 d-------- C:\Program Files\SpywareBlaster
2007-10-10 07:32:36 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-10 07:32:34 0 d-------- C:\WINDOWS\LastGood
2007-10-10 07:16:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-10-03 12:33:51 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\DivX
2007-10-03 11:05:53 0 d-------- C:\Program Files\Veoh Networks
2007-10-02 18:19:03 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\.Torrent Swapper
2007-10-02 18:18:53 0 d-------- C:\Program Files\Swapper
2007-09-29 11:29:23 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\WinRAR
2007-09-29 02:07:52 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-29 02:05:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-09-29 02:05:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-09-29 02:05:40 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-09-29 02:05:40 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-29 02:05:40 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-29 02:05:40 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-29 02:05:08 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Find3M Report ---------------------------------------------------------------

2007-10-10 09:14:11 0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-10-10 08:47:27 0 d-------- C:\Program Files\SearchRelevant
2007-10-10 08:46:56 0 d-------- C:\Program Files\QuickTime
2007-10-10 08:46:33 0 d-------- C:\Program Files\Norton Personal Firewall
2007-10-10 08:44:03 0 d-------- C:\Program Files\iTunes
2007-10-10 08:32:32 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-10 08:31:40 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2007-10-10 07:08:25 0 d-------- C:\Program Files\Common Files
2007-10-08 19:05:52 0 d-------- C:\Program Files\Java
2007-10-03 11:11:36 0 d-------- C:\Program Files\DivX
2007-10-03 1149 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-01 16:13:04 0 d-------- C:\Program Files\MSN Messenger
2007-09-06 19:01:43 0 d-------- C:\Program Files\Realtek
2007-09-06 19:01:28 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\InstallShield
2007-09-06 19:00:19 0 d-------- C:\Program Files\BitZipper
2007-09-06 12:09:53 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\AVG7
2007-09-03 16:34:21 0 d-------- C:\Program Files\Gpotato
2007-08-31 18:59:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-31 18:59:51 0 d-------- C:\Program Files\Telstra
2007-08-29 16:05:02 0 d-------- C:\Program Files\CEDP Stealer
2007-08-29 14:40:30 0 d-------- C:\Program Files\Bazooka Scanner
2007-08-29 14:32:09 0 d-------- C:\Program Files\iPod
2007-08-29 14:26:28 0 d-------- C:\Program Files\Apple Software Update
2007-08-29 14:26:04 0 d-------- C:\Program Files\Common Files\Apple
2007-08-28 18:27:09 0 d-------- C:\Program Files\DIFX
2007-08-18 11:27:49 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Canon
2007-08-17 17:56:25 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\ScanSoft
2007-08-17 17:56:14 0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2007-08-17 17:56:14 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-17 17:55:41 0 d-------- C:\Program Files\ScanSoft
2007-08-17 17:53:45 0 d-------- C:\Program Files\ArcSoft
2007-08-17 17:52:44 0 d-------- C:\Program Files\Canon
2007-08-17 17:51:08 0 d--h----- C:\Program Files\CanonBJ


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}]
29/01/2005 08:59 PM 74240 --a------ C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}]
03/11/2005 09:46 PM 50688 --a------ C:\WINDOWS\system32\navshext1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9E06A41-2A46-4653-9692-BE26EFE2A018}]
C:\WINDOWS\lbbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [05/08/2004 05:00 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [05/08/2004 05:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [05/08/2004 05:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [05/08/2004 05:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [03/05/2006 02:56 AM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [07/05/1998 04:04 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [20/08/2004 02:51 PM]
"AlcxMonitor"="ALCXMNTR.EXE" [04/04/2003 02:21 AM C:\WINDOWS\ALCXMNTR.EXE]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [07/06/2004 08:44 PM]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [07/06/2004 08:38 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [11/02/2003 08:02 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [25/08/2004 08:34 PM]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [30/07/2004 10:34 AM]
"WINREMOTE"="C:\Program Files\InterVideo\Common\Bin\WinRemote.exe" [30/07/2004 10:41 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [14/04/2004 08:43 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [22/12/2004 04:45 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" []
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [20/08/2004 02:55 PM]
"AGRSMMSG"="AGRSMMSG.exe" [04/03/2005 12:01 PM C:\WINDOWS\AGRSMMSG.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [25/02/2005 04:46 PM]
"SoundMan"="SOUNDMAN.EXE" [06/04/2005 06:57 PM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [06/04/2005 06:53 PM C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [12/04/2005 01:10 AM C:\WINDOWS\ALCMTR.EXE]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [10/02/2005 10:32 PM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [28/09/2006 01:16 PM]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [11/10/2006 12:45 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [15/08/2007 08:15 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [29/08/2007 03:01 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [14/10/2004 02:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00 PM]
"msnmsgr"="C:\PROGRA~1\MSNMES~1\msnmsgr.exe" [19/01/2007 12:54 PM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [12/09/2007 07:33 PM]
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"MessengerPlusUninstall"=C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\MsgPlusUninst.bat"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 4:44:06 AM]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [5/03/2005 8:18:22 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [29/05/2004 5:31:38 AM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [11/08/2004 1:22:40 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 12:01:04 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [19/03/2006 8:30:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdfpq.exe"
"Userinit"="C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit.exe,"

-- End of Deckard's System Scanner: finished at 2007-10-10 09:22:19 ------------

-------------------------------------------------------------------------------------------------

And that's about it, gosh there's just so much, sorry about that. I've done my best to provide all the information I could, and if there is anything else that anyone is requesting, please tell me. Much appreciation if someone could donate their time to helping me out ;D

Thanks so much!
Old 10-17-2007, 12:22 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Re: Malware infection - HijackThis Log Help

Hello acareus and welcome,

Our apologies for the oversight of your thread. We are swamped here and regrettably, many threads get overlooked.

This first round will take care of some of the infections onboard, but more will need to be done. Please be sure to stay with me even if symptoms abate.

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-17-2007, 12:25 AM   #4 (permalink)
Registered User
Join Date: Sep 2007
Location: Australia
Posts: 19
OS: Windows XP


Re: Malware infection - HijackThis Log Help

EDIT: okies thank you ;D

Last edited by acareus; 10-17-2007 at 12:29 AM.
Old 10-17-2007, 12:30 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Re: Malware infection - HijackThis Log Help



And I just replied to your PM.

Please do follow the instructions I gave above, as you have more than just the Wareout infection onboard.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-17-2007, 12:57 AM   #6 (permalink)
Registered User
Join Date: Sep 2007
Location: Australia
Posts: 19
OS: Windows XP


Re: Malware infection - HijackThis Log Help

Here is the ComboFix log:

ComboFix 07-10-17.8 - HP_Owner 2007-10-17 16:41:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.175 [GMT 10:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ndnuninstall6_38.exe
C:\WINDOWS\setup.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-17 16:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-17 15:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-11 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-10 14:12 <DIR> d-------- C:\ie-spyad_zo
2007-10-10 09:14 <DIR> d-------- C:\Deckard
2007-10-10 09:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-10 07:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-10 07:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-10-03 12:33 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\DivX
2007-10-03 11:11 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-10-03 11:11 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-10-03 11:11 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-10-03 11:11 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-10-03 11:11 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-10-03 11:05 <DIR> d-------- C:\Program Files\Veoh Networks
2007-10-02 18:19 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\.Torrent Swapper
2007-10-02 18:18 <DIR> d-------- C:\Program Files\Swapper
2007-09-29 02:08 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-29 02:07 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-29 02:07 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-09-29 02:07 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-09-29 02:07 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 06:40 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-10-17 05:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-16 23:03 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2007-10-11 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-10-11 04:21 --------- d-----w C:\Program Files\QuickTime
2007-10-11 04:20 --------- d-----w C:\Program Files\Norton Personal Firewall
2007-10-11 04:20 --------- d-----w C:\Program Files\MSN Messenger
2007-10-11 04:18 --------- d-----w C:\Program Files\iTunes
2007-10-11 04:05 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-10-09 22:47 --------- d-----w C:\Program Files\SearchRelevant
2007-10-08 09:05 --------- d-----w C:\Program Files\Java
2007-10-03 01:11 --------- d-----w C:\Program Files\DivX
2007-10-03 01:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-02 08:41 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\.Torrent Swapper
2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-06 09:01 --------- d-----w C:\Program Files\Realtek
2007-09-06 09:01 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\InstallShield
2007-09-06 09:00 --------- d-----w C:\Program Files\BitZipper
2007-09-06 02:09 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2007-09-03 06:34 --------- d-----w C:\Program Files\Gpotato
2007-08-31 08:59 --------- d-----w C:\Program Files\Telstra
2007-08-31 08:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-08-29 06:05 --------- d-----w C:\Program Files\CEDP Stealer
2007-08-29 05:02 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-29 05:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-29 04:40 --------- d-----w C:\Program Files\Bazooka Scanner
2007-08-29 04:32 --------- d-----w C:\Program Files\iPod
2007-08-29 04:26 --------- d-----w C:\Program Files\Common Files\Apple
2007-08-29 04:26 --------- d-----w C:\Program Files\Apple Software Update
2007-08-29 04:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-08-28 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum
2007-08-28 08:27 --------- d-----w C:\Program Files\DIFX
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-18 01:27 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Canon
2007-08-17 07:56 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-08-17 07:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-08-17 07:56 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\ScanSoft
2007-08-17 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-08-17 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-08-17 07:55 --------- d-----w C:\Program Files\ScanSoft
2007-08-17 07:53 --------- d-----w C:\Program Files\ArcSoft
2007-08-17 07:52 --------- d-----w C:\Program Files\Canon
2007-08-17 07:51 --------- d--h--w C:\Program Files\CanonBJ
2007-08-17 07:51 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2007-07-30 09:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 09:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 09:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 09:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 09:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 09:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 09:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 09:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2006-07-18 04:53 90,224 ----a-w C:\Documents and Settings\HP_Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}]
2005-11-03 21:46 50688 --a------ C:\WINDOWS\system32\navshext1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9E06A41-2A46-4653-9692-BE26EFE2A018}]
C:\WINDOWS\lbbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 05:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 14:51]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 02:21 C:\WINDOWS\ALCXMNTR.EXE]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 20:44]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 20:38]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-25 20:34]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2004-07-30 10:34]
"WINREMOTE"="C:\Program Files\InterVideo\Common\Bin\WinRemote.exe" [2004-07-30 10:41]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 16:45]
"PS2"="C:\WINDOWS\system32\ps2.exe" []
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 14:55]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-02-25 16:46]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 18:57 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 18:53 C:\WINDOWS\ALCWZRD.EXE]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 22:32]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 13:16]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 12:45]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-11 14:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"msnmsgr"="C:\PROGRA~1\MSNMES~1\msnmsgr.exe" [2007-01-19 12:54]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-09-12 19:33]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 20:18:22]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 05:31:38]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 01:22:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-03-19 08:30:54]

S3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
S3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
S3 pacdcacm;pacdcacm;C:\WINDOWS\system32\DRIVERS\pacdcacm.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 11:54:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-17 05:40:24 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 16:46:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 16:47:26
.
--- E O F ---


And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:46 PM, on 17/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\system32\navshext1.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {D9E06A41-2A46-4653-9692-BE26EFE2A018} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/si...nerInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C8A1C72-475B-4805-8D3D-33AA3655D228}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E6A052C-7CC3-4ECF-B713-BAA59A85CDB8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{711F03FC-DD7F-4D96-A7EE-8A4F2020D8A9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D80698-AD60-464C-A53E-8E2AAB909D51}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 13340 bytes


I used a program called "Hijack This"; that's correct, right?
Old 10-17-2007, 07:41 AM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Re: Malware infection - HijackThis Log Help

You did fine, azureus.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Close any open browsers.

--------------------------------------------------------------------

Disable Spybot TeaTimer as it may interfere with the fix below:
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\system32\navshext1.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {D9E06A41-2A46-4653-9692-BE26EFE2A018} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/si...nerInstall.cab


Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following File

C:\WINDOWS\system32\navshext1.dll

--------------------------------------------------------------------

Reboot your system.

--------------------------------------------------------------------

Please run another online scan at Panda so we can see what remnants remain:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

Panda results
New HijackThis log


I'd also like to review the c:\fixwareout\report.txt. Please include that report as well.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
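Added example, not part of this thread and not code from HijackThis or Trend Micro: a small Python triage pass that applies the kind of checks behind Ried's entry selection above to HijackThis v2 log lines. The sample log is constructed from entries quoted in this thread (the truncated O16 URLs are kept exactly as the forum shows them); the trusted-host allowlist and the "BHO DLL directly under the Windows directory" heuristic are assumptions made for the example and should be adjusted for the machine being reviewed. It flags orphaned BHOs (DLL absent), BHOs loaded from the Windows directory, Run entries that name a bare executable resolved through the PATH search at logon, ActiveX (DPF) downloads from hosts outside the allowlist, and lists any explicit NameServer settings for the reviewer to confirm.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log format, built from entries quoted in
# this thread. Not a real scan; the "..." in the O16 URLs is the forum's own truncation.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\system32\navshext1.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {D9E06A41-2A46-4653-9692-BE26EFE2A018} - C:\WINDOWS\lbbho.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/si...nerInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
"""

# Heuristic assumption: vendor BHOs install under Program Files, so a BHO DLL
# sitting directly in these directories deserves a look.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Assumed allowlist of hosts whose O16 (ActiveX download) entries pass silently.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "pandasoftware.com")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def _executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _check_o2(m) -> Optional[Dict]:
    name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
    reasons, severity = [], "review"
    lowered = path.lower()
    if lowered == "(no file)" or "(file missing)" in lowered:
        reasons.append("DLL is absent: dead BHO registration, safe to remove")
        severity = "fix"
    elif lowered.rsplit("\\", 1)[0] in WINDOWS_DIRS:
        reasons.append("BHO DLL lives directly in the Windows directory, not a vendor folder; verify the file")
    if name == "(no name)" or "\\" in name:
        reasons.append("no meaningful display name")
    if not reasons:
        return None
    return {"type": "O2", "item": clsid, "severity": severity, "reasons": reasons}


def _check_o4(m) -> Optional[Dict]:
    exe = _executable_of(m.group("cmd"))
    if "\\" in exe or ":" in exe:
        return None  # full path given; nothing to resolve
    return {"type": "O4", "item": m.group("key"), "severity": "review",
            "reasons": [f"bare filename {exe!r} is resolved via the PATH search at logon; locate it on disk and verify it"]}


def _check_o16(m) -> Optional[Dict]:
    host = (urlparse(m.group("url")).hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
        return None
    reasons = [f"ActiveX control downloadable from host outside the allowlist: {host}"]
    if not m.group("desc"):
        reasons.append("entry carries no description")
    return {"type": "O16", "item": host, "severity": "review", "reasons": reasons}


def _check_o17(m) -> Optional[Dict]:
    servers = [s.strip() for s in m.group("servers").split(",")]
    return {"type": "O17", "item": m.group("key"), "severity": "info",
            "reasons": ["NameServer is set explicitly to " + ", ".join(servers)
                        + "; confirm these are the intended resolvers, since a rewritten NameServer is one way search results get redirected"]}


CHECKS = ((O2_RE, _check_o2), (O4_RE, _check_o4), (O16_RE, _check_o16), (O17_RE, _check_o17))


def triage(log_text: str) -> List[Dict]:
    """Run every check over the log and return the findings, one dict per flagged line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for pattern, check in CHECKS:
            m = pattern.match(line)
            if m:
                finding = check(m)
                if finding:
                    finding["line"] = line
                    findings.append(finding)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['type']} {f['item']}: " + "; ".join(f["reasons"]))
```

Run it directly to print the findings; `triage()` returns them as dictionaries so two logs can be compared, for instance to confirm that the orphaned O2 entries no longer appear in the log taken after 'Fix checked' and the reboot. The heuristics only point a reviewer at entries; they do not decide what is malicious.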
Old 10-17-2007, 05:50 PM   #8 (permalink)
Registered User
 
 
Join Date: Sep 2007
Location: Australia
Posts: 19
OS: Windows XP


Re: Malware infection - HijackThis Log Help

okies, here are the Panda results


Incident Status Location

Adware:adware/block-checker Not disinfected c:\windows\system32\ccapp.exe
Adware:adware/toprebates Not disinfected c:\program files\Ebates_MoeMoneyMaker
Adware:adware/searchrelevancy Not disinfected c:\program files\SearchRelevancy
Adware:adware/wupd Not disinfected c:\program files\Windows AdControl
Adware:adware/transponder Not disinfected Windows Registry
Adware:adware/localnrd Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6CB-189F-421A-88CD-07CFE51CFF10}
Adware:adware/ieplugin Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Adware:adware/blazefind Not disinfected Windows Registry
Adware:adware/topmoxie Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Dialer:dialer.dk Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{91433D86-9F27-402C-B5E3-DEBDD122C339}
Adware:adware/ist.istbar Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Adware:Adware/IPInsight Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\conscorr.inf
Spyware:Spyware/BetterInet Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\JNH\auraupg1.exe
Spyware:Spyware/BetterInet Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\stmtreco.exe
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI1F16.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI1F16.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI1F16.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2008.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2008.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2008.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI28EE.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI28EE.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI28EE.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2E5D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2E5D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2E5D.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3955.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3955.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3955.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3C5.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3C5.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3C5.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI40D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI40D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI40D.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI47CF.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI47CF.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI47CF.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI4D12.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI4D12.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI4D12.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI6D96.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI6D96.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI6D96.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI75BD.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI75BD.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI75BD.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI7B50.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI7B50.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI7B50.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THIE3F.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THIE3F.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THIE3F.tmp\MMaker4b.exe[disp350.exe]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@com[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/nCase Not disinfected C:\Program Files\180Search\msbb.exe
Adware:Adware/TopRebates Not disinfected C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
Adware:Adware/SearchRelevancy Not disinfected C:\Program Files\SearchRelevant\SearchRelevant.dll
Adware:Adware/Relevance Not disinfected C:\Program Files\SearchRelevant\uninstall.exe
Adware:Adware/Block-checker Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20071018-081747-409.dll
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Adware:Adware/Block-checker Not disinfected C:\WINDOWS\system32\ustart.exe

new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:10 AM, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C8A1C72-475B-4805-8D3D-33AA3655D228}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E6A052C-7CC3-4ECF-B713-BAA59A85CDB8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{711F03FC-DD7F-4D96-A7EE-8A4F2020D8A9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D80698-AD60-464C-A53E-8E2AAB909D51}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 12642 bytes


And the Fixwareout report:

Username "HP_Owner" - 18/10/2007 9:42:04 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"HPHUPD06"="c:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Home Theater SchSvr"="\"C:\\Program Files\\Common Files\\InterVideo\\SchSvr\\SchSvr.exe\""
"WINREMOTE"="\"C:\\Program Files\\InterVideo\\Common\\Bin\\WinRemote.exe\""
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"OpwareSE4"="\"C:\\Program Files\\ScanSoft\\OmniPageSE4.0\\OpwareSE4.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\PROGRA~1\\MSNMES~1\\msnmsgr.exe\" /background"
"Veoh"="\"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe\" /VeohHide"
....
Hosts file was reset, If you use a custom hosts file please replace it...
C:\WINDOWS\System32\AUTOEXEC.NT missing
~~~~~ End report ~~~~~

Last edited by acareus; 10-17-2007 at 05:51 PM.
Old 10-17-2007, 07:21 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Re: Malware infection - HijackThis Log Help

Hi acareus,

Download Blockrem from HERE. Unzip it to its own folder on your desktop.

-----------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Ebates_MoeMoneyMaker
SearchRelevant
Windows AdControl


--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Folders

C:\Program Files\Ebates_MoeMoneyMaker
C:\Program Files\SearchRelevant
c:\program files\Windows AdControl

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK.

Open notepad and copy/paste the entire text in the quotebox below: (don't forget to copy and paste REGEDIT4)

Code:
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6CB-189F-421A-88CD-07CFE51CFF10}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{91433D86-9F27-402C-B5E3-DEBDD122C339}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10}]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files".
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Open the Blockrem folder on your desktop and double-click blockrem.bat (this is the file with the gear icon) to run it.

Once it is running please follow the onscreen instructions.

--------------------------------------------------------------------

Reboot your system into Normal Mode and run another online scan at Panda.

Please post the Panda results and a new HijackThis log.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
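The fixes above come from reading the HijackThis log by hand (Run entries, orphaned registrations, ActiveX downloads and the O17 name-server overrides that matter for a search-redirect problem). As an added example that is not code from this thread or from HijackThis, the script below parses those line formats and flags the same things; the sample lines, the ActiveX host allow list and the assumption that the OpenDNS resolvers in the log are the intended ones are all constructed for the example.

```python
"""Triage of HijackThis-style log lines (added example, not from the thread).

Flags what a helper reading the log checks by eye:
  - O4 Run entries whose executable is a bare file name (resolved by PATH search),
  - O2/O3/O9 entries whose target is "(no file)" (orphaned registration),
  - O16 ActiveX downloads (DPF) from hosts not on an allow list,
  - O17 NameServer overrides pointing at resolvers not on an allow list.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

ALLOWED_DNS = {"208.67.220.220", "208.67.222.222"}      # assumption: the intended resolvers
ALLOWED_DPF_HOSTS = {"spaces.msn.com", "acs.pandasoftware.com"}  # constructed allow list

O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?\\Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str      # HijackThis section prefix, e.g. "O17"
    reason: str    # why a human should look at this line
    line: str      # the log line, verbatim


def executable_of(cmd: str) -> str:
    """Extract the program path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[1:close] if close > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str):
    """Return a Finding for one log line, or None when nothing stands out."""
    line = line.strip()
    if line.startswith(("O2 - ", "O3 - ", "O9 - ")) and " - (no file)" in line:
        return Finding(line[:2], "registration points at a file that no longer exists", line)
    m = O4_RUN_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        if ":\\" not in exe:  # no drive letter: Windows finds it by PATH search
            return Finding("O4", f"bare executable name {exe!r}; confirm which file runs", line)
        return None
    m = O16_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if host not in ALLOWED_DPF_HOSTS:
            return Finding("O16", f"ActiveX control downloaded from unlisted host {host!r}", line)
        return None
    m = O17_RE.match(line)
    if m:
        bad = [s.strip() for s in m.group("servers").split(",") if s.strip() not in ALLOWED_DNS]
        if bad:
            return Finding("O17", f"DNS override to unlisted resolver(s) {bad}", line)
        return None
    return None


def triage(log_text: str):
    """Run triage_line over a whole log; returns findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Constructed sample in the same format as the logs in this thread. The
# unlisted host and the 192.0.2.53 resolver are documentation placeholders.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://dpf.example.invalid/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 192.0.2.53,208.67.220.220
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```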
Old 10-17-2007, 08:22 PM   #10 (permalink)
Registered User
 
 
Join Date: Sep 2007
Location: Australia
Posts: 19
OS: Windows XP


Re: Malware infection - HijackThis Log Help

Hi Ried, I've followed the instructions up to the point where you tell me to "Open the Blockrem folder on your desktop and double-click blockrem.bat" during Safe Mode. When I run it and follow the instructions it says "The system cannot find the file specified".

I will post the HijackThis log and Panda log as soon as the Panda scan is finished, which is in about 1 hour.
Old 10-17-2007, 08:45 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Re: Malware infection - HijackThis Log Help

No worries, we'll pull it out ourselves. Please navigate to, and delete the following files:

c:\windows\system32\ccapp.exe
C:\WINDOWS\system32\ustart.exe
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-17-2007, 09:34 PM   #12 (permalink)
Registered User
 
 
Join Date: Sep 2007
Location: Australia
Posts: 19
OS: Windows XP


Re: Malware infection - HijackThis Log Help

Okie, will do.

Now here are the Panda results:


Incident Status Location

Adware:adware/transponder Not disinfected Windows Registry
Adware:adware/localnrd Not disinfected Windows Registry
Adware:adware/block-checker Not disinfected Windows Registry
Adware:adware/searchrelevancy Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10}
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/ieplugin Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Adware:adware/blazefind Not disinfected Windows Registry
Adware:adware/topmoxie Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:Adware/IPInsight Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\conscorr.inf
Spyware:Spyware/BetterInet Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\JNH\auraupg1.exe
Spyware:Spyware/BetterInet Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\stmtreco.exe
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI1F16.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI1F16.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI1F16.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2008.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2008.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2008.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI28EE.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI28EE.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI28EE.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2E5D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2E5D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI2E5D.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3955.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3955.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3955.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3C5.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3C5.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI3C5.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI40D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI40D.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI40D.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI47CF.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI47CF.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI47CF.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI4D12.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI4D12.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI4D12.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI6D96.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI6D96.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI6D96.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI75BD.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI75BD.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI75BD.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI7B50.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI7B50.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THI7B50.tmp\MMaker4b.exe[disp350.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THIE3F.tmp\MMaker4b.exe[EbatesMoeMoneyMaker1.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THIE3F.tmp\MMaker4b.exe[EbatesMoeMoneyMaker0.exe]
Adware:Adware/TopRebates Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\HP_Owner\LOCALS~1\Temp\THIE3F.tmp\MMaker4b.exe[disp350.exe]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@com[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/nCase Not disinfected C:\Program Files\180Search\msbb.exe
Adware:Adware/Block-checker Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20071018-081747-409.dll
Adware:Adware/TopRebates Not disinfected C:\RECYCLER\S-1-5-21-4064605053-1521690859-1304210771-1007\Dc2\EbatesMoeMoneyMaker1.exe
Adware:Adware/SearchRelevancy Not disinfected C:\RECYCLER\S-1-5-21-4064605053-1521690859-1304210771-1007\Dc3\SearchRelevant.dll
Adware:Adware/Relevance Not disinfected C:\RECYCLER\S-1-5-21-4064605053-1521690859-1304210771-1007\Dc3\uninstall.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

And the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:53 PM, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C8A1C72-475B-4805-8D3D-33AA3655D228}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E6A052C-7CC3-4ECF-B713-BAA59A85CDB8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{711F03FC-DD7F-4D96-A7EE-8A4F2020D8A9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D80698-AD60-464C-A53E-8E2AAB909D51}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 12733 bytes
Old 10-17-2007, 09:52 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Re: Malware infection - HijackThis Log Help

Hi,

Almost there.

Delete this folder:

C:\Program Files\ 180Search

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK.

Open notepad and copy/paste the entire text in the code box below: (don't forget to copy and paste REGEDIT4)

Code:
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10}]
Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

If there aren't any more problems, please continue with these final notes:

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
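The registry step above merges a small REGEDIT4 file whose only job is to delete one key (the leading `-` inside the brackets is what turns the section into a deletion). Before merging any .reg file, it is worth knowing exactly what it will do, so here is a dry-run inspector as an added example; it is not a tool from this thread, from the forum or from HijackThis. The sample text reuses the delete.reg contents from the post and adds a second section (`HKEY_CURRENT_USER\Software\Example\Demo`, an assumed key that sets one value and removes another) so that every branch of the parser is exercised; the list of "sensitive" autostart paths is an assumption for the example, not a Windows rule.

```python
"""Dry-run inspector for a .reg file: lists the keys it deletes, the keys it
writes, and the values it sets or removes, and flags autostart locations.
Added example for this thread, not a tool from the forum or from HijackThis."""
import re

# Constructed sample: the delete.reg text from the post above, plus a second
# section (assumed, not from the thread) that sets one value and removes another.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10}]

[HKEY_CURRENT_USER\Software\Example\Demo]
"Enabled"=dword:00000001
"OldValue"=-
"""

VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Key paths a reviewer should look at twice before merging: anything here
# changes what runs at logon or boot (assumed list for the example).
SENSITIVE_FRAGMENTS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce",
                       "\\Winlogon", "\\Services\\", "\\Policies\\")


def inspect_reg(text):
    """Return a dict describing what merging `text` would do.

    Raises ValueError when the header is missing, because regedit refuses
    such a file and a silent failure would leave the key in place."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in VALID_HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / Version 5.00 header")
    report = {"header": lines[0].strip(), "delete_keys": [], "write_keys": [],
              "set_values": [], "delete_values": [], "sensitive": []}
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = re.fullmatch(r"\[(-?)(.+)\]", line)
        if key:
            current = key.group(2)
            if any(frag.lower() in current.lower() for frag in SENSITIVE_FRAGMENTS):
                report["sensitive"].append(current)
            if key.group(1) == "-":
                # A leading '-' deletes the whole key and everything below it.
                report["delete_keys"].append(current)
                current = None
            else:
                report["write_keys"].append(current)
            continue
        if current is None:
            continue
        val = re.fullmatch(r'(?:"([^"]*)"|(@))=(.*)', line)
        if not val:
            continue
        name = "(Default)" if val.group(2) else val.group(1)
        data = val.group(3)
        if data == "-":
            # "name"=- removes a single value rather than the key.
            report["delete_values"].append((current, name))
        else:
            report["set_values"].append((current, name, data))
    return report


if __name__ == "__main__":
    for kind, items in inspect_reg(SAMPLE_REG).items():
        print(kind, items)
```

Run it against the file you were handed before double-clicking it: a deletion file should show exactly one entry under `delete_keys` and nothing under `write_keys` or `sensitive`; anything else means the file does more than the instructions describe.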
Old 10-17-2007, 10:09 PM   #14 (permalink)
Registered User
Join Date: Sep 2007
Location: Australia
Posts: 19
OS: Windows XP


Re: Malware infection - HijackThis Log Help

Quote:
Originally Posted by Ried View Post
No worries, we'll pull it out ourselves. Please navigate to, and delete the following files:

c:\windows\system32\ccapp.exe
C:\WINDOWS\system32\ustart.exe
i tried looking for these files but they're nowhere to be found. i found ccapp but it was in a different folder under commonfiles/symantecshared but it didn't have the same file name as ccapp.exe. just CCAPP. the ustart.exe, well i tried searching and my computer found nothing of that file.

other than that i've followed the last of your steps and will start downloading those programs you mentioned.

if that's the last of it, then i thank you so much ;D thanks for the time and effort you've put in, i really appreciate it =] i'll take care of my computer more carefully now and let's just hope it doesn't happen again ;3
Old 10-17-2007, 10:20 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Re: Malware infection - HijackThis Log Help

Good work following the paths given.

Those files didn't appear in your last Panda scan either, so it's safe to assume BlockChecker took care of them anyway.

I did forget to instruct you to uninstall one of your AV programs. You currently have AVG free and Symantec installed and it's never a good idea to have more than 1 installed at a given time as they will conflict with one another and may cause system problems.

Choose and run only 1, and uninstall the other via the Add or Remove programs panel.

You're all set now. Take care, acareus
Old 10-17-2007, 10:43 PM   #16 (permalink)
Registered User
Join Date: Sep 2007
Location: Australia
Posts: 19
OS: Windows XP


Re: Malware infection - HijackThis Log Help

okay thanks so much! i've uninstalled symantec since my subscription expired a while ago. anyways, everything else is all set =]
Old 10-17-2007, 10:50 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Re: [SOLVED] Malware infection - HijackThis Log Help

Norton doesn't always uninstall cleanly--just to be certain the uninstall went as it should, if you don't mind, please run another scan with HijackThis and post the log.
Old 10-17-2007, 10:54 PM   #18 (permalink)
Registered User
Join Date: Sep 2007
Location: Australia
Posts: 19
OS: Windows XP


Re: [SOLVED] Malware infection - HijackThis Log Help

okay, here is the new hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:45 PM, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C8A1C72-475B-4805-8D3D-33AA3655D228}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E6A052C-7CC3-4ECF-B713-BAA59A85CDB8}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{711F03FC-DD7F-4D96-A7EE-8A4F2020D8A9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D80698-AD60-464C-A53E-8E2AAB909D51}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{0829F78C-862D-4800-B662-5EB5D78AFA2E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 12220 bytes
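A log like the one above is read by looking for a handful of entry types that commonly hide trouble: O17 NameServer lines pointing at a resolver nobody configured, O23 services with an unknown owner, O2/O3/O9 entries whose file no longer exists, and O4 Run entries that name a bare executable instead of a full path. The following checker, an added example and not part of HijackThis or of the forum's toolset, runs those four checks over sample lines. Most sample lines are copied from the log above; the resolver allowlist (the two OpenDNS addresses that appear in the O17 lines) is an assumption, and the O17 line with 192.0.2.53 (a TEST-NET documentation address) and its all-zero GUID are constructed placeholders so the unexpected-resolver check has something to catch.

```python
"""Triage checks over HijackThis-style log lines, written from the reviewer's
side: which entries deserve a second look before anything is deleted.
Added example for this thread; not part of HijackThis or of the forum's tools.
Assumed: the resolver allowlist and the two placeholder lines marked below."""
import re

# Resolvers that are expected on this machine. The two OpenDNS addresses come
# from the O17 lines in the log above; treat any other NameServer as unexpected.
KNOWN_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# Constructed sample. Most lines are copied from the log above; the O17 line
# with 192.0.2.53 (TEST-NET documentation address) and its all-zero GUID are
# invented placeholders so that the unexpected-resolver check fires.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

# "O4 - HKLM\..\Run: [Name] command" -> capture the command part.
O4_RUN = re.compile(r"^O4 - .*?: \[[^\]]*\] (.*)$")
# A command that starts with an (optionally quoted) drive letter is fully qualified.
FULL_PATH = re.compile(r'^"?[A-Za-z]:\\')


def triage(text):
    """Return a list of (section, reason, line) for entries worth reviewing."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O17":
            m = re.search(r"NameServer = (.+)$", line)
            if m:
                for server in (s.strip() for s in m.group(1).split(",")):
                    if server not in KNOWN_RESOLVERS:
                        findings.append((section, "unexpected DNS server %s" % server, line))
        elif section == "O23" and " - Unknown owner - " in line:
            # An unattributed service is not malicious per se, but the owner
            # field is the first thing a reviewer would confirm.
            findings.append((section, "service with unknown owner", line))
        elif section in ("O2", "O3", "O9") and "(no file)" in line:
            findings.append((section, "orphaned entry (no file on disk)", line))
        elif section == "O4":
            m = O4_RUN.match(line)
            if m and not FULL_PATH.match(m.group(1)):
                # A bare name is resolved through the search path at logon, so
                # it is worth confirming which binary actually runs.
                findings.append((section, "Run entry without a full path", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (section, reason, line))
```

On the sample this reports four items: the bare `ALCXMNTR.EXE` Run entry, the orphaned O9 button, the placeholder resolver, and the SiteAdvisor service with no owner recorded. None of the four is proof of infection; the point is that these are the lines a helper reads first, and everything else in the log can be skimmed.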
Old 10-17-2007, 11:14 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Re: [SOLVED] Malware infection - HijackThis Log Help



Quote:
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Here is a guide for uninstalling Norton, including uninstallers. Be sure to use the uninstaller for the version of Norton/Symantec that is active on your system. http://basconotw.mvps.org/SymRem.htm

That should take care of it.
Old 10-17-2007, 11:46 PM   #20 (permalink)
Registered User
Join Date: Sep 2007
Location: Australia
Posts: 19
OS: Windows XP


Re: [SOLVED] Malware infection - HijackThis Log Help

all done =]
Copyright 2001 - 2009, Tech Support Forum