#1 (permalink)
Registered User
Join Date: May 2008
Posts: 11
OS: Windows XP SP2
Warning Virus Background Appears
Anytime I rebooted my computer, my background graphic changed with "Warning, your computer may be infected with a virus...." Then little bugs would crawl all over my desktop and start eating the icons. I followed all the instructions for removal. This is what I have done so far:
1. I have Norton 360. I did a full system scan and removed anything it found.
2. Downloaded and ran Super Antispyware (please see log below).
3. Downloaded and ran SS&D and removed anything it found.
4. Downloaded and ran Adware 2007 and removed anything it found.
5. Downloaded and ran Hijackthis (please see log below).

It appeared these tools resolved the issue. However, I would feel more confident if someone can review the Hijackthis log and let me know if there is anything hidden.

=================================
SUPERAntiSpyware Scan Log
Generated 05/08/2008 at 05:16 PM

Application Version : 4.0.1154

Core Rules Database Version : 3455
Trace Rules Database Version: 1447

Scan type : Complete Scan
Total Scan Time : 00:24:18

Memory items scanned : 657
Memory threats detected : 1
Registry items scanned : 6480
Registry threats detected : 33
File items scanned : 22707
File threats detected : 233

Trojan.Unclassified/CTFMONA
C:\WINDOWS\SYSTEM32\CTFMONA.EXE
C:\WINDOWS\SYSTEM32\CTFMONA.EXE
C:\WINDOWS\Prefetch\CTFMONA.EXE-0F567013.pf

Adware.Tracking Cookie

Adware.IST/ISTBar (Slotch Bar)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll#{EF86873F-04C2-4A95-A373-5703C08EFC7B}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\ISTactivex.dll [ ]
HKU\S-1-5-21-453202408-401739415-653543666-1008\Software\Microsoft\Internet Explorer\Main#BandRest [ Never ]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]

Adware.Avenue Media/Internet Optimizer
C:\Program Files\Internet Optimizer
HKU\S-1-5-21-453202408-401739415-653543666-1008\Software\Microsoft\Internet Explorer\URLSearchHooks#_{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

Adware.ClearSearch
C:\Program Files\ClearSearch

Rogue.WinIFixer
C:\Documents and Settings\All Users\Start Menu\Programs\WinIFixer\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinIFixer\Register.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinIFixer\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinIFixer\WinIFixer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinIFixer
C:\Program Files\WinIFixer\database.dat
C:\Program Files\WinIFixer\license.txt
C:\Program Files\WinIFixer\MFC71.dll
C:\Program Files\WinIFixer\MFC71ENU.DLL
C:\Program Files\WinIFixer\msvcp71.dll
C:\Program Files\WinIFixer\msvcr71.dll
C:\Program Files\WinIFixer\Uninstall.exe
C:\Program Files\WinIFixer\WinIFixer.exe.local
C:\Program Files\WinIFixer\WinIFixerSkin.dll
C:\Program Files\WinIFixer
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#WinIFixer [ C:\Program Files\WinIFixer\WinIFixer.exe ]
HKLM\Software\winifixer.com
HKLM\Software\winifixer.com\WinIFixer
HKLM\Software\winifixer.com\WinIFixer#RegistrationUrl
HKLM\Software\winifixer.com\WinIFixer#RegistrationDiscUrl
HKLM\Software\winifixer.com\WinIFixer#ADVid
HKLM\Software\winifixer.com\WinIFixer#InstallDir
HKLM\Software\winifixer.com\WinIFixer#domain
HKLM\Software\winifixer.com\WinIFixer#SoftID
HKLM\Software\winifixer.com\WinIFixer#DatabaseVersion
HKLM\Software\winifixer.com\WinIFixer#ProgramVersion
HKLM\Software\winifixer.com\WinIFixer#EngineVersion
HKLM\Software\winifixer.com\WinIFixer#GuiVersion
HKLM\Software\winifixer.com\WinIFixer#ProxyName
HKLM\Software\winifixer.com\WinIFixer#ProxyPort
HKLM\Software\winifixer.com\WinIFixer#ScanPriority
HKLM\Software\winifixer.com\WinIFixer#DaysInterval
HKLM\Software\winifixer.com\WinIFixer#ScanDepth
HKLM\Software\winifixer.com\WinIFixer#ScanSystemOnStartup
HKLM\Software\winifixer.com\WinIFixer#AutomaticallyUpdates
HKLM\Software\winifixer.com\WinIFixer#MinimizeOnStart
HKLM\Software\winifixer.com\WinIFixer#BackgroundScan
HKLM\Software\winifixer.com\WinIFixer#BackgroundScanTimeout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winifixer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winifixer#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winifixer#UninstallString
C:\Documents and Settings\All Users\Desktop\WinIFixer.lnk

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\CTFMONB.BMP

=================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:55 AM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [CMSRegOW.exe] "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" /r (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-18 Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: MP3Rocket (silent).lnk = C:\Program Files\MP3Rocket\MP3Rocket_on_startup.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe (User 'Default user')
O4 - .DEFAULT Startup: MP3Rocket (silent).lnk = C:\Program Files\MP3Rocket\MP3Rocket_on_startup.exe (User 'Default user')
O4 - .DEFAULT Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe
O4 - Startup: MP3Rocket (silent).lnk = C:\Program Files\MP3Rocket\MP3Rocket_on_startup.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_...ex/ieatgpc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: TxyyfdD - {BC87E186-162D-4B2C-11BE-0BECA7D9F395} - C:\WINDOWS\system32\bg.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc.
- C:\Program Files\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe -- End of file - 14327 bytes |
#2 (permalink) |
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3
Re: Warning Virus Background Appears
Hello and welcome to TSF.
Apologies for the long delay in response. We have a large number of HijackThis logs to handle and it's taking us longer to catch up. If you haven't received help elsewhere already and still require assistance, please follow the instructions below:

Please download Malwarebytes' Anti-Malware from Here or Here.
Double-click mbam-setup.exe to install the application.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
#3 (permalink) |
Registered User
Join Date: May 2008
Posts: 11
OS: Windows XP SP2
Re: Warning Virus Background Appears
Thanks for getting back to me. I realize you guys are very busy. We just appreciate all your help. This computer has two users. While logged on as one user, I went through the cleanup and everything appears to be OK. Then, when I log on as the second user, the issue reappeared. So I believe I need to go through the same process on both logons. Would you mind if I post the Hijackthis log for the other account after we are done with this one? In any case, here is the MBAM log:
Malwarebytes' Anti-Malware 1.12
Database version: 746

Scan type: Quick Scan
Objects scanned: 41168
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\69.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

I also found "ctfmona.exe" which was in the MSCONFIG Startup. I unchecked that from the startup as well. Let me know your thoughts.
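Added example, not code from the thread, from HijackThis or from Malwarebytes: a small Python triage script for HijackThis O4 and O21 lines. It groups autorun entries by the registry hive they live in and flags two things visible in the logs posted above, an autorun whose image name is one character off a Windows binary (ctfmona.exe beside the legitimate ctfmon.exe) and an SSODL shell-extension entry whose DLL is already gone (bg.dll, "file missing"). The grouping is the point behind the reappearance described in this post: HKLM\Run entries fire for every account, but HKCU and the HKUS\<SID> entries belong to one profile each, and the MBAM hit on HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE is likewise per profile, so a cleanup run under one account does not touch the other account's own entries. The sample lines are constructed from entries in the posted logs; the S-1-5-21-... SID and the 'second account' label are placeholders, and the list of Windows binary names is a hand-picked assumption, not a HijackThis feature.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 line format, modeled on entries in the
# thread's posted logs. The S-1-5-21-... SID and 'second account' are placeholders.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1111111111-2222222222-3333333333-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'second account')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O21 - SSODL: TxyyfdD - {BC87E186-162D-4B2C-11BE-0BECA7D9F395} - C:\WINDOWS\system32\bg.dll (file missing)
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe
"""

# O4: registry Run/RunOnce autoruns. HKLM applies to every account, HKCU to the
# account HijackThis ran under, HKUS\<SID> to another loaded profile hive.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\(?P<sid>[^\\]+))\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O21: ShellServiceObjectDelayLoad, DLLs that Explorer loads at every logon.
O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Hand-picked Windows binary names that malware likes to imitate (assumption, not an HJT list).
WINDOWS_STEMS = ("ctfmon", "svchost", "lsass", "winlogon", "explorer", "services", "smss")


def image_basename(cmd):
    """Lower-cased file name of the program an autorun command line launches."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text):
    """Group O4 autoruns by hive and collect findings from O4 and O21 lines."""
    by_scope = defaultdict(list)
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            by_scope[m["hive"]].append(m["name"])
            base = image_basename(m["cmd"])
            stem = base.rsplit(".", 1)[0]
            for known in WINDOWS_STEMS:
                if stem != known and edit_distance(stem, known) == 1:
                    findings.append((m["name"], f"image '{base}' is one character off Windows binary '{known}.exe'"))
            continue
        m = O21_RE.match(line)
        if m and m["missing"]:
            findings.append((m["name"], "SSODL entry points at a missing DLL; dangling leftover, remove the entry"))
    return {"by_scope": dict(by_scope), "findings": findings}


def runs_for(result, hive):
    """Autorun names that fire at logon for the profile behind `hive`: machine-wide HKLM plus its own."""
    return sorted(set(result["by_scope"].get("HKLM", [])) | set(result["by_scope"].get(hive, [])))


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for hive, names in r["by_scope"].items():
        print(f"{hive}: {', '.join(names)}")
    for name, why in r["findings"]:
        print(f"FLAG [{name}]: {why}")
```

Run it and the per-hive listing shows why unchecking ctfmona in MSCONFIG under one account is not the whole story: the HKLM entry fires for both accounts, while each account's HKCU/HKUS entries only show up in a log taken from that account, which is why a separate HijackThis log per user (as this post proposes) is the right call.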
#4 (permalink) | |
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3
Re: Warning Virus Background Appears
Quote:
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
#5 (permalink) |
Registered User
Join Date: May 2008
Posts: 11
OS: Windows XP SP2
Re: Warning Virus Background Appears
Sorry. I forgot to post the newest HijackThis log. Here you go:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:34 AM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1009\..\Run: [RecordNow!] (User 'Gerry Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1009\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Gerry Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Gerry Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1009\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" (User 'Gerry Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1009\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (User 'Gerry Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Gerry Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1009\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Gerry Pindler')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe
O4 - Startup: MP3Rocket (silent).lnk = C:\Program Files\MP3Rocket\MP3Rocket_on_startup.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_...ex/ieatgpc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: TxyyfdD - {BC87E186-162D-4B2C-11BE-0BECA7D9F395} - C:\WINDOWS\system32\bg.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 14321 bytes
#6 (permalink) |
Registered User
Join Date: May 2008
Posts: 11
OS: Windows XP SP2
Re: Warning Virus Background Appears
Here is the HijackThis Log for computer #2:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:08 AM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/?page=1&refresh=4
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1008\..\Run: [RecordNow!] (User 'Curt Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1008\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Curt Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Curt Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1008\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (User 'Curt Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Curt Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1008\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User 'Curt Pindler')
O4 - HKUS\S-1-5-21-453202408-401739415-653543666-1008\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Curt Pindler')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - S-1-5-21-453202408-401739415-653543666-1008 Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe (User 'Curt Pindler')
O4 - S-1-5-21-453202408-401739415-653543666-1008 Startup: MP3Rocket (silent).lnk = C:\Program Files\MP3Rocket\MP3Rocket_on_startup.exe (User 'Curt Pindler')
O4 - S-1-5-21-453202408-401739415-653543666-1008 Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe (User 'Curt Pindler')
O4 - S-1-5-21-453202408-401739415-653543666-1008 Startup: PowerReg Scheduler V3.exe (User 'Curt Pindler')
O4 - S-1-5-21-453202408-401739415-653543666-1008 User Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe (User 'Curt Pindler')
O4 - S-1-5-21-453202408-401739415-653543666-1008 User Startup: MP3Rocket (silent).lnk = C:\Program Files\MP3Rocket\MP3Rocket_on_startup.exe (User 'Curt Pindler')
O4 - S-1-5-21-453202408-401739415-653543666-1008 User Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe (User 'Curt Pindler')
O4 - S-1-5-21-453202408-401739415-653543666-1008 User Startup: PowerReg Scheduler V3.exe (User 'Curt Pindler')
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_...ex/ieatgpc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: TxyyfdD - {BC87E186-162D-4B2C-11BE-0BECA7D9F395} - C:\WINDOWS\system32\bg.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 14693 bytes
#7
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3
Re: Warning Virus Background Appears
Hi,
The logs are identical. The following procedure should work for both, but I'll have a look at both HijackThis logs afterwards to make sure.

Go to My Computer > Tools > Folder Options > View > "Uncheck" Hide protected operating system files. Click Apply > OK.
** These files are hidden to stop you or anybody else accidentally removing something important. It is advisable to hide them again after you're done. **
==============================
Now, run HijackThis. Close all windows and browsers except HijackThis.
Go to Config > Misc tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINDOWS\system32\ctfmona.exe
Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, click on Scan and put a check in front of the following:
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O21 - SSODL: TxyyfdD - {BC87E186-162D-4B2C-11BE-0BECA7D9F395} - C:\WINDOWS\system32\bg.dll (file missing)
Close all other windows/browsers/applications, except HijackThis, and click on Fix checked.
=====================================
Restart your computer.
=====================================
Download ATF Cleaner by Atribune and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected.
When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
Firefox: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Opera: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
When you have finished, click on the Exit button in the Main menu.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
======================================
Go to Start > Control Panel > Add/Remove Programs and remove Kaspersky Online Scanner if it is present, prior to downloading the most up-to-date one.
Now run this online scan using Internet Explorer: Kaspersky Online Scanner from http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Next, click on Launch Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
Copy and paste that information from Kaspersky in your next post.
*Note: It is recommended to disable the onboard antivirus program and antispyware programs while performing scans, to avoid conflicts and to speed up scan time. Please don't go surfing while your resident protection is disabled! Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%. Or use Firefox with the IE-Tab plugin.
=================================
Please post back the Kaspersky report and a fresh HijackThis log from each account.
__________________
My services are free. However, you can donate to TSF to help keep it running. Member of ASAP since 2005. Member of UNITE since 2006.
#8
Registered User
Join Date: May 2008
Posts: 11
OS: Windows XP SP2
Re: Warning Virus Background Appears
Although I selected Show all hidden files, I could not find C:\WINDOWS\system32\ctfmona.exe. I browsed to the location and I found C:\WINDOWS\system32\ctfmon.exe but no ctfmona.exe. I went into msconfig and I see C:\WINDOWS\system32\ctfmona.exe in the list; however, I unchecked it so as to prevent it from loading on reboot. Should I be concerned? I am in the process of downloading the Kaspersky right now.
#9
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3
Re: Warning Virus Background Appears
Recheck ctfmona.exe in MsConfig, and carry out my above instructions. Your next Hijackthis log should not report either the entry or the file.
#11
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3
Re: Warning Virus Background Appears
Just remembered that you have teatimer running. Sorry about that.
Please disable it before you start fixing with HijackThis. Otherwise, it'll put everything back.

While both TeaTimer and SpyBot are closed, right click here and click "Save link as". Save it as resetteatimer.bat to your desktop.
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
Double click on resetteatimer.bat and wait for it to finish. Since it will not be needed again, delete ResetTeaTimer.bat.
Turn TeaTimer back on again via SpyBot's Tools > Resident page when your computer is clean.
Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
==================
The logs are identical. The following procedure should work for both, but I'll have a look at both HijackThis logs afterwards to make sure.

Go to My Computer > Tools > Folder Options > View > "Uncheck" Hide protected operating system files. Click Apply > OK.
** These files are hidden to stop you or anybody else accidentally removing something important. It is advisable to hide them again after you're done. **
==============================
Now, run HijackThis. Close all windows and browsers except HijackThis.
Go to Config > Misc tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINDOWS\system32\ctfmona.exe
Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, click on Scan and put a check in front of the following:
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O21 - SSODL: TxyyfdD - {BC87E186-162D-4B2C-11BE-0BECA7D9F395} - C:\WINDOWS\system32\bg.dll (file missing)
Close all other windows/browsers/applications, except HijackThis, and click on Fix checked.
=====================================
Restart your computer.
=====================================
Continue with Kaspersky if you haven't done it yet. No problem if you did. Just post a fresh HijackThis log and the Kaspersky log.
Last edited by amateur; 05-14-2008 at 01:09 PM.
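The fixes amateur asks for in posts #7 and #11 all come down to properties a reviewer can read straight off a HijackThis line: an autostart whose target is "(file missing)", an O16 ActiveX entry with no name and no URL, an O21 SSODL entry, and a Run-key file named one letter away from the real ctfmon.exe that, as post #8 reports, is not even on disk. The script below is an added example (not code from this thread, from HijackThis or from TSF) that parses such lines and flags exactly those properties. SAMPLE_LOG is built from lines quoted in the thread; DISK_LISTING is a constructed stand-in for a directory listing (it is not read from a real machine); SYSTEM_NAMES is a short hand-picked list of Windows binaries used for the lookalike check.

```python
"""Triage HijackThis-style log lines: parse O4/O16/O21 entries and flag the
properties a log reviewer looks for (dangling targets, empty ActiveX entries,
SSODL autostarts, lookalike binary names). Added example, not code from the
thread or from HijackThis."""
import re
from dataclasses import dataclass

# Constructed sample: the four entries amateur asked to be fixed, plus three
# benign entries, all copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O21 - SSODL: TxyyfdD - {BC87E186-162D-4B2C-11BE-0BECA7D9F395} - C:\WINDOWS\system32\bg.dll (file missing)
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe
"""

# Constructed stand-in for a directory listing (lower-cased full paths).
# Mirrors post #8: ctfmon.exe exists, ctfmona.exe does not.
DISK_LISTING = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\program files\palm\hotsync.exe",
    r"c:\program files\realvnc\winvnc\winvnc.exe",
}

# Hand-picked Windows XP binaries whose names get imitated (assumption: a
# short illustrative list, not an authoritative one).
SYSTEM_NAMES = {"ctfmon.exe", "explorer.exe", "svchost.exe", "lsass.exe",
                "rundll32.exe", "winlogon.exe", "services.exe", "csrss.exe"}

FILE_MISSING = "(file missing)"

RUN_RE = re.compile(r"^O4 - .+?\\Run\w*: \[(?P<name>[^\]]+)\] ?(?P<target>.*)$")
STARTUP_RE = re.compile(r"^O4 - .+?Startup: (?P<name>.+?)(?: = (?P<target>.*))?$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<target>.*)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$")


@dataclass
class Entry:
    section: str   # "O4", "O16", "O21", ...
    name: str      # Run value name, shortcut, CLSID or SSODL name
    target: str    # file, DLL or URL the entry points at ("" if none)
    raw: str


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_line(line):
    """Turn one HijackThis line into an Entry, or None for non-entry lines."""
    line = line.strip()
    head = re.match(r"^(O\d+) - ", line)
    if not head:
        return None
    section = head.group(1)
    for rx in (RUN_RE, STARTUP_RE, DPF_RE, SSODL_RE):
        hit = rx.match(line)
        if hit:
            g = hit.groupdict()
            name = g.get("name") or g.get("clsid") or ""
            return Entry(section, name, (g.get("target") or "").strip(), line)
    # Sections without a dedicated pattern (O8, O9, O23, ...) keep the body as name.
    return Entry(section, line[head.end():], "", line)


def edit_distance(a, b):
    """Levenshtein distance; inputs are short filenames, so the plain table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text, files_on_disk):
    """Return the entries worth a second look, each with the reason it was flagged."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        target = e.target
        if target.endswith(FILE_MISSING):
            findings.append(Finding(e, "entry points at a file that no longer exists"))
            target = target[: -len(FILE_MISSING)].strip()
        if e.section == "O16" and not target:
            findings.append(Finding(e, "ActiveX download entry with no name and no source URL"))
        if e.section == "O21":
            findings.append(Finding(e, "ShellServiceObjectDelayLoad autostart, rarely used by legitimate software"))
        if e.section == "O4" and target:
            name = basename(target)
            near = sorted(s for s in SYSTEM_NAMES if s != name and edit_distance(name, s) == 1)
            if near:
                findings.append(Finding(e, f"filename is one character away from {near[0]}"))
            if "\\" not in target:
                findings.append(Finding(e, "bare filename, resolved through the search path; location unverified"))
            elif target.lower() not in files_on_disk:
                findings.append(Finding(e, "autostart target is not in the file listing (already deleted, or hidden)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, DISK_LISTING):
        print(f"{f.entry.section:>4} {f.entry.name!r}: {f.reason}")
```

Run against the sample, the script flags the same four entries the analyst listed and nothing else: the benign HotSync shortcut, the TVU ActiveX control and the VNC service pass. The "not in the file listing" reason is the programmatic form of what the user saw in post #8; an autostart that still references a file which is gone is still worth removing, which is why the analyst kept the ctfmona entry on the fix list.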
#12
Registered User
Join Date: May 2008
Posts: 11
OS: Windows XP SP2
Re: Warning Virus Background Appears
I rechecked the ctfmona.exe in MSCONFIG, then rebooted, then went back into HijackThis and enabled Delete file on reboot, but the ctfmona.exe still does not appear in the Windows\System32 folder. I made sure the view all hidden files option was enabled. Here are the Kaspersky and HijackThis log files for computer #1:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 14, 2008 12:57:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/05/2008
Kaspersky Anti-Virus database records: 690476
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 110639
Number of viruses found: 13
Number of infected objects: 97
Number of suspicious objects: 0
Duration of the scan process: 01:16:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\006967A2.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\01C37B22.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02AF70C2.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02E3636A.tmp Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07CD1E51.tmp/shower.scr Infected: Email-Worm.Win32.NetSky.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07CD1E51.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07CD1E51.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\11541937.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\124070D0.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\125142BE.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\152F5D34.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15BE2EEC.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15D554D3.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1C875E11.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D4C1A8C.tmp/webcam.rtf.pif Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D4C1A8C.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D4C1A8C.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2113357E.tmp/nothing.com Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2113357E.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2113357E.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\225D746E.tmp/webcam.txt.com Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\225D746E.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\225D746E.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\268E1FE4.tmp/454543403.doc.exe Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\268E1FE4.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\268E1FE4.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27C90F5A.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\282C00E9.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28367EDF.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2B77358F.tmp/product.htm.exe Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2B77358F.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2B77358F.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\309C0C69.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31EB170D.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\32961DFB.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\33751680.tmp Infected: Email-Worm.Win32.Bagle.ai skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\339A09C1.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\33C91036.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\344B29D4.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\393B1EB4.tmp/stuff.doc.scr Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\393B1EB4.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\393B1EB4.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\394979C2.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DF57020.tmp/friend_portmoney.doc.scr Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DF57020.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DF57020.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A812AC5.IE5 Infected: Trojan-Downloader.Win32.Dyfuca.bw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A8454C2.exe Infected: Trojan-Downloader.Win32.IstBar.eh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A8454C2.IE5 Infected: Trojan-Downloader.Win32.Dyfuca.cj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A877EBE.exe Infected: Trojan-Downloader.Win32.Dyfuca.bq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A877EBE.txt Infected: Trojan-Downloader.Win32.Dyfuca.bx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4BF420F5.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\513B31FB.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\514E2DE6.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A657606.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C1858F1.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61A168D3.tmp/webcam.txt.pif Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61A168D3.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61A168D3.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61A36891.tmp/stream/data0005 Infected: Backdoor.Win32.Ruledor.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61A36891.tmp/stream Infected: Backdoor.Win32.Ruledor.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61A36891.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\61A36891.tmp CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67130C58.exe Infected: Trojan-Downloader.Win32.Dyfuca.bq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\699B040C.tmp/image.htm.com Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\699B040C.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\699B040C.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AB879A4.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AC2779A.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D78000F.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D852800.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D9C4DE7.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\70F82BEF.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71505CD8.tmp/doc.pif Infected: Email-Worm.Win32.NetSky.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71505CD8.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71505CD8.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\73522EAC.tmp Infected: Email-Worm.Win32.Bagle.ba skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\73BF6E9B.tmp/warez.doc.com Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\73BF6E9B.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\73BF6E9B.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\756E5887.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77D65E33.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79B03A59.tmp Infected: Email-Worm.Win32.Bagle.ai skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79CD3439.tmp Infected: Email-Worm.Win32.Bagle.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79D7322E.tmp Infected: Email-Worm.Win32.Bagle.ai skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E13023.tmp/privacy_privacy.htm.scr Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E13023.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E13023.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79EE5815.tmp Infected: Email-Worm.Win32.NetSky.ac skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7AE71625.tmp/note_class_photos.com Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7AE71625.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7AE71625.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7C33125D.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7C910DB8.tmp/privacy.htm.scr Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7C910DB8.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7C910DB8.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7D1F4437.tmp Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\AA7993B8.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Curt Pindler\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Curt Pindler\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Curt Pindler\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Curt Pindler\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Curt Pindler\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Curt Pindler\Local Settings\History\History.IE5\MSHist012008051420080515\index.dat Object is locked skipped
C:\Documents and Settings\Curt Pindler\Local Settings\Temp\hsperfdata_Curt Pindler\252 Object is locked skipped
C:\Documents and Settings\Curt Pindler\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Curt Pindler\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Curt Pindler\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Curt Pindler\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\L0000006.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Curt Pindler\Data\storydb.idx Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\Program Files\MP3 Rocket\log.txt Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB833407$\bssym7.ttf Object is locked skipped C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped C:\WINDOWS\$NtUninstallQ828026$\wmp.dll Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{68A81444-B4CE-405F-A4C0-98725EF89137}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\etc\Hosts.bak Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped 
Scan process completed.

==================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:37 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [CMSRegOW.exe] "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" /r (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe
O4 - Startup: MP3Rocket (silent).lnk = C:\Program Files\MP3Rocket\MP3Rocket_on_startup.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_...ex/ieatgpc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 12460 bytes
#13
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3
Re: Warning Virus Background Appears
Hi,
A few questions first:
Was the teatimer disabled when you fixed the entries with HijackThis, as per post #11?
Did you restart the computer afterwards?
Is this HijackThis log taken after the restart?
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
#14
Registered User
Join Date: May 2008
Posts: 11
OS: Windows XP SP2
Re: Warning Virus Background Appears
I did not disable teatimer. I followed your instructions to disable, restarted the computer, and ran the teatimer.bat program. Here is the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:19 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [CMSRegOW.exe] "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" /r (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe
O4 - Startup: MP3Rocket (silent).lnk = C:\Program Files\MP3Rocket\MP3Rocket_on_startup.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_...ex/ieatgpc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 12978 bytes
#15
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3
Re: Warning Virus Background Appears
Hi,
Go to Start > Run and copy/paste the following, then press Enter:

cmd /c del /a /f /q "C:\WINDOWS\system32\ctfmona.exe"

============================

Scan with HijackThis and check this entry:

O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe

Close all other windows/browsers/applications except HijackThis, and click on Fix checked.

=====================================

Restart your computer.

===================================

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.

===================================

Post a fresh HijackThis log along with the main.txt and extra.txt.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
#16
Registered User
Join Date: May 2008
Posts: 11
OS: Windows XP SP2
Re: Warning Virus Background Appears
Deckard's System Scanner v20071014.68
Run by Curt Pindler on 2008-05-14 14:17:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-05-14 21:17:24 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Curt Pindler.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:57 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Documents and Settings\Curt Pindler\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Curt Pindler.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [CMSRegOW.exe] "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" /r (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe
O4 - Startup: MP3Rocket (silent).lnk = C:\Program Files\MP3Rocket\MP3Rocket_on_startup.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_...ex/ieatgpc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12688 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080514-100811-249 O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
backup-20080514-100811-424 O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
backup-20080514-100811-896 O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
backup-20080514-100812-947 O21 - SSODL: TxyyfdD - {BC87E186-162D-4B2C-11BE-0BECA7D9F395} - C:\WINDOWS\system32\bg.dll (file missing)
backup-20080514-141035-856 O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys (file missing)
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S3 BCM42RLY - c:\windows\system32\bcm42rly.sys (file missing)
S3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys (file missing)
S3 sysrest.sys - c:\windows\system32\sysrest.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-01-15 10:19:44 816 --a------ C:\WINDOWS\Tasks\Backup.job

-- Files created between 2008-04-14 and 2008-05-14 -----------------------------

2008-05-14 10:16:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 10:16:45 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-14 08:48:09 0 d-------- C:\Documents and Settings\Gerry Pindler\Application Data\Malwarebytes
2008-05-14 08:30:59 0 d-------- C:\Documents and Settings\Curt Pindler\Application Data\Malwarebytes
2008-05-14 08:30:52 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-14 08:30:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 16:56:32 0 d-------- C:\WINDOWS\pss
2008-05-13 15:36:49 0 dr-h----- C:\Documents and Settings\Gerry Pindler\Recent
2008-05-12 10:35:24 0 d-------- C:\Documents and Settings\Gerry Pindler\Application Data\SUPERAntiSpyware.com
2008-05-08 17:08:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-08 17:04:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-08 16:49:52 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-08 16:49:41 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 16:49:41 0 d-------- C:\Documents and Settings\Curt Pindler\Application Data\SUPERAntiSpyware.com
2008-05-08 16:01:17 0 d-------- C:\Program Files\Trend Micro
2008-05-08 15:55:43 0 d-------- C:\Program Files\LogMeIn
2008-05-08 15:36:05 0 d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn

-- Find3M Report ---------------------------------------------------------------

2008-05-14 14:19:07 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-14 14:15:39 0 d-------- C:\Program Files\MP3Rocket
2008-05-14 14:12:29 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-0000000A-00001102-00000004-10091102}.dat
2008-05-14 14:12:29 288 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000A-00001102-00000004-10091102}.dat
2008-05-14 10:24:40 0 d-------- C:\Program Files\Common Files
2008-05-14 10:23:26 0 d-------- C:\Program Files\Lavasoft
2008-04-22 18:03:46 0 d-------- C:\Program Files\Norton 360
2008-04-15 15:39:43 0 d-------- C:\Documents and Settings\Curt Pindler\Application Data\MP3Rocket

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
02/26/2008 05:33 PM 262144 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [02/26/2008 05:33 PM 262144]
[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [08/19/2003 03:56 AM]
"nwiz"="nwiz.exe" [08/19/2003 03:56 AM C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [05/28/2003 08:59 PM C:\WINDOWS\system32\cthelper.exe]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 05:04 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 08:07 AM]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [10/07/2002 08:23 AM]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [05/23/2003 03:55 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 10:42 PM]
"VTTimer"="VTTimer.exe" []
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [10/29/2002 10:18 AM]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [09/30/2002 02:00 AM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 02:00 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [07/25/2003 07:14 AM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [09/15/2004 10:12 AM C:\WINDOWS\KHALMNPR.Exe]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [06/03/2004 01:51 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 01:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/08/2006 03:03 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/15/2006 03:55 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 02:01 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/24/2006 06:47 PM]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [07/14/2006 01:36 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 06:54 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 05:44 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [02/28/2008 03:31 PM]
"PCMService"="C:\Program Files\Logitech\MediaLife\MediaLifeService.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll,nViewLoadHook" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [02/23/2007 06:36 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE
"CMSRegOW.exe"="C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" /r

C:\Documents and Settings\Curt Pindler\Start Menu\Programs\Startup\
MP3 Rocket (Minimized).lnk - C:\Program Files\MP3 Rocket\MP3Rocket.exe [1/14/2008 3:23:50 PM]
MP3Rocket (silent).lnk - C:\Program Files\MP3Rocket\MP3Rocket_on_startup.exe [12/21/2005 12:50:22 PM]
palmOne Registration.lnk - C:\Program Files\Palm\register.exe [3/8/2005 3:55:18 PM]
PowerReg Scheduler V3.exe [2/25/2004 4:42:47 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.2.lnk - C:\Program Files\eFax Messenger 4.2\J2GTray.exe [2/1/2007 3:36:12 PM]
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [6/9/2004 3:16:08 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [7/7/2003 9:20:40 AM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2/23/2007 6:36:04 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [5/15/2006 12:19:32 PM]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [3/11/2004 5:22:34 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 04/30/2008 06:08 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-05-14 14:19:35 ------------

==============================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:19 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [CMSRegOW.exe] "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" /r (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe
O4 - Startup: MP3Rocket (silent).lnk = C:\Program Files\MP3Rocket\MP3Rocket_on_startup.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_...ex/ieatgpc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12570 bytes
#17 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3
Re: Warning Virus Background Appears
OK.... that seems to have gotten it.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
How is the computer running now?
__________________
My services are free. However, you can donate to TSF to help keep it running. Member of ASAP since 2005. Member of UNITE since 2006.
#19 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,483
OS: XP SP3
Re: Warning Virus Background Appears
Hi,
You are welcome, but there's just a little bit more to do.
You can go ahead and delete DSS.exe from your desktop and delete its folder from this location: C:\Deckard
=============================
You can keep the Malwarebytes Anti-Malware scanner and scan with it occasionally. You'll need to update it each time before scanning.
===============================
Remember to Hide your system files again.
Start>My Computer>Tools>Folder Options>View> Under the Hidden files and folders heading uncheck Show hidden files and folders. Check the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
===============================
Empty the quarantine folder of Norton.
Disable and Enable System Restore
If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point. Because Windows regularly sets restore points, it's very possible that the malware you have removed is still present in System Restore. If you put Windows back to such a restore point, this malware will be put back as well. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.) Please do this ONLY ONCE, not on a regular basis.
1. Right-click My Computer, and then click Properties.
2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
3. Click OK, and then click Yes.
4. Restart the computer.
5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', and click 'OK'. Reboot normally.
==========================================
Here are some steps to make your surfing more secure in future:
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialise and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Next press the Apply button and then the OK to exit the Internet Properties page.
Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.
Keep your antivirus program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site http://windowsupdate.microsoft.com/ to get the critical updates.
If you are running Microsoft, or any portion thereof, go to Microsoft's Office Update site http://office.microsoft.com/officeup....aspx?lc=en-us and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
The following free realtime pest scanners prevent a number of malware variants from entering your computer in the first place:
SpywareBlaster - A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial49.html
SpywareGuard here
If you haven't got one already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system. A firewall will prevent unauthorized contact between your computer and the internet. A tutorial on Firewalls and a listing of some available ones can be found here:
http://forum.malwareremoval.com/viewtopic.php?p=56#56
http://www.bleepingcomputer.com/forums/tutorial60.html
Test your firewall here to make sure that it's working properly.
ATF Cleaner by Atribune is a useful utility to clean the temporary files and cookies on a regular basis.
But above all, keep all your software UP-TO-DATE at all times!!
A colleague of ours has excellent information and tips on the prevention of malware here. If you want to fight back against the Malware Writers, please take a look here and read what you can do against it.
Please respond to this thread one more time so we can mark this thread as resolved.
Happy Surfing!
__________________
My services are free. However, you can donate to TSF to help keep it running. Member of ASAP since 2005. Member of UNITE since 2006.
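The O4 autostart lines in the log earlier in this thread are what the analyst reads by eye. As an added example (not code from this forum, from HijackThis, or from either poster), here is a small Python parser for HijackThis O4 entries that flags the three things an analyst checks first: an executable whose name mimics a Windows binary, a program under the user profile or a Temp folder, and an entry with no directory at all. The KNOWN list, the 0.85 similarity threshold, the two constructed suspicious lines and the 'user' account name are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# HijackThis O4 lines are either registry Run entries or Startup-folder items:
#   O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args
#   O4 - Startup: Name.lnk = C:\path\prog.exe     (or just: O4 - Startup: prog.exe)
O4_REG = re.compile(r'^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?)(?: = (?P<cmd>.*))?$')
EXE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)
# Windows binaries that malware likes to name itself after (assumed short list).
KNOWN = ['ctfmon.exe', 'svchost.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe']

def parse_o4(line):
    """Return (hive, entry name, executable path), or None if this is not an O4 line."""
    m = O4_REG.match(line) or O4_STARTUP.match(line)
    if not m:
        return None
    cmd = m.group('cmd') or m.group('name')   # bare Startup items carry no ' = path'
    e = EXE.match(cmd)
    return m.group('hive'), m.group('name'), e.group('exe') if e else cmd.strip('"')

def flags_for(exe):
    """Defender-side heuristics: each hit is a reason to look closer, not a verdict."""
    low = exe.lower()
    base = low.rsplit('\\', 1)[-1]
    out = []
    if '\\' not in low:
        out.append('unqualified path (resolved through the search order)')
    if '\\documents and settings\\' in low or '\\temp\\' in low:
        out.append('runs from a user-writable location')
    for k in KNOWN:
        if base != k and SequenceMatcher(None, base, k).ratio() >= 0.85:
            out.append('name resembles ' + k)
    return out

def review(log_lines):
    """Return [(name, exe, flags)] for every O4 entry that raised at least one flag."""
    findings = []
    for _hive, name, exe in filter(None, map(parse_o4, log_lines)):
        flags = flags_for(exe)
        if flags:
            findings.append((name, exe, flags))
    return findings

# Four lines quoted from this thread's log, then two constructed entries (made up for the example).
SAMPLE = [
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')",
    r'O4 - Startup: PowerReg Scheduler V3.exe',
    r'O4 - HKCU\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe',
    r'O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe',
]
```

Calling `review(SAMPLE)` leaves the genuine ctfmon.exe and msmsgs.exe entries alone and returns the two unqualified entries, the ctfmon look-alike and the Temp-folder program, each with the reason it was flagged.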