

Spyaxe/spytrooper Infection


  • This topic is locked
6 replies to this topic

#1 redsox34

redsox34

  • Members
  • 3 posts

Posted 29 December 2005 - 12:06 PM

I've followed your preparation guide for posting a HijackThis log. The problems I'm experiencing started with my Internet Explorer home page being changed to systemwarning.com and then my Internet Explorer settings being changed so that the security level is at the lowest. Also, I have to type in a webpage several times for it to change away from the homepage. It also seems that my Windows Update/Security has been hijacked too. Several times when I tried to go to a different webpage, the warning bar at the top of the screen popped up and said I was infected with spyware and I should install Spytrooper. On my desktop there is a pop-up coming from the Windows Update icon on the task bar. It says my computer is infected and I must download an antimalware program. When I click on it, it takes me to the SpyAxe website. Somehow SpyAxe has been downloaded onto my computer too. Microsoft AntiSpyware continually detects SpyAxe and deletes it, but once I start up it comes back again. Some of the other programs you have suggested also detected it, but it's still not removed. Finally, I'm getting an application error message every time I restart now (hpqthbo8.exe application error, appl. failed to initialize properly (0xc0000135)). Hopefully this explanation is helpful; here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:59:56 AM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\niSvcLoc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\IBM\Updater\jre\bin\javaw.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenAFS\Client\Program\afscreds.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenAFS\Client\Program\afsd_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp8382.tmp
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: AFS Credentials.lnk = C:\Program Files\OpenAFS\Client\Program\afscreds.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/edrawing...cfm?Release=rel
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: AfsLogon - C:\WINDOWS\SYSTEM32\afslogon.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CYGWIN cygserver (cygserver) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Applications\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\System32\niSvcLoc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - Unknown owner - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



#2 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 02 January 2006 - 03:53 PM

:thumbsup: Welcome to Bleeping Computer, redsox34.
After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save them in Notepad) so that you can follow along more easily.

1.) Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

2.) Place a shortcut to Panda ActiveScan on your desktop.

3.) Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

4.) If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

5.) Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
6.) Now scan with HJT and place a checkmark next to the following item and click FIX CHECKED:

O13 - WWW. Prefix: http://ehttp.cc/

Close HiJackThis.

7.) Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

8.) Open Ad-aware and do a full scan. Remove all it finds.

9.) Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

10.) Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

11.) Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

Thanks,
JC

#3 redsox34

redsox34
  • Topic Starter

  • Members
  • 3 posts

Posted 03 January 2006 - 11:07 AM

Thanks for answering my post! I had already run the smitRem folder and it seemed to have removed SpyAxe. So I ran everything again along with the new tools you listed. When I ran the Panda ActiveScan no viruses/malware/anything was found. Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:03 AM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\niSvcLoc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM\Updater\jre\bin\javaw.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenAFS\Client\Program\afscreds.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\OpenAFS\Client\Program\afsd_service.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareUpdater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: AFS Credentials.lnk = C:\Program Files\OpenAFS\Client\Program\afscreds.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/edrawing...cfm?Release=rel
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: AfsLogon - C:\WINDOWS\SYSTEM32\afslogon.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CYGWIN cygserver (cygserver) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Applications\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\System32\niSvcLoc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - Unknown owner - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Here's the smitfiles.txt

smitRem log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 01/02/2006
The current time is: 16:36:19.57

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

And the Ewido Log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:55:58 PM, 1/2/2006
+ Report-Checksum: A9821C84

+ Scan result:

:mozilla.68:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Ignored
:mozilla.81:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Ru4 : Ignored
:mozilla.82:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Ru4 : Ignored
:mozilla.94:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.95:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.96:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistantUtility -> Spyware.CoolWebSearch : Cleaned with backup
:mozilla.10:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.12:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.16:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.17:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.38:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.48:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.58:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.61:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.62:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.72:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.77:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.80:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.83:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.84:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.85:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.87:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.89:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.90:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.91:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.92:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.97:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.98:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.99:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.100:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.101:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.102:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.103:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.104:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.105:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.106:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.107:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.109:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.110:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.128:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.129:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.139:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.143:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.144:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.145:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.148:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.150:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.163:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.164:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.165:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.166:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.167:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.178:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.180:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.182:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.186:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.190:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.191:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.192:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.193:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.194:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.201:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.202:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.203:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.204:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.205:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.206:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.207:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.208:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.209:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.210:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.211:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.214:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.230:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.231:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.232:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.237:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.238:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.239:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.240:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.241:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.242:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.243:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.259:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.260:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.261:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.266:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.267:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.270:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.271:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.278:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.289:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.290:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.304:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.305:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.306:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.307:C:\Documents and Settings\laprae\Application Data\Mozilla\Firefox\Profiles\hzchmaru.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0798A103-53B1-4792-BD84-F6B3E5\94EDB360-29B6-4E72-AA18-A0479E -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2A8CA014-905C-45E9-8A5F-A46773\FD163F33-6134-42B8-B8F1-EB6062 -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5AD01113-248A-47CB-BF8D-B43B5C\ADFDCED0-9B06-408B-85EF-8376BE -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5E5DF5EA-D249-455D-8C29-12CBAB\3D64C69F-E09B-419B-8AA1-ED8866 -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6D434366-6E9F-4C6B-B807-E50222\A3501C36-9B78-42AD-AC6A-08E5D8 -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9A6056F7-51AE-42FB-BC72-9F5D0E\1144480B-A537-48E8-9D7B-DA48D9 -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A3C73F7B-4485-4A25-A47F-982234\AB67C79B-C9DD-40CF-8318-F8BC0C -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\BAAB61C4-7167-49AD-BD9C-A056DC\258C0AA3-5E16-40C9-9F48-EB8184 -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\FB44FBD3-F0B1-4821-BD1B-AC974F\A52E5573-C6D1-4BCC-A620-1BAC37 -> Adware.Spyaxe : Cleaned with backup


::Report End

I'm still getting an hpqthb08.exe application error every time I start up the computer; everything else seems good, though.

Thanks

#4 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:09:56 PM

Posted 03 January 2006 - 09:24 PM

redsox34: Your log looks better; there are a couple of entries we need to take care of.

The error message that you mention -hpqthb08.exe- appears to be related to the HP Image Zone software. It doesn't appear to be malware related.

Here's the description from our startup programs database - Description: Improves the startup time of HP Image Zone. If you disable it, HP Image Zone takes a long time to start up only the first time you run it. Subsequent startups are much faster than the first time. More information can be found here.

Check to see if your Hewlett Packard scanner/camera (or other imaging device) is working properly. The error message may be a sign that the software is corrupt. If you are having problems with your HP device, you could try to re-install the software for this device. Let me know.

Let's get rid of the malware related entries.

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save them in Notepad) so that you can follow along more easily.

1.) Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)


Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.


2.) Download CCleaner and install it.

Start CCleaner. Click "Options", then click the "Advanced" tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Click "Cleaner" and then click Run Cleaner (bottom right).

Reboot your computer.


3.) Spybot Full Scan
Please download Spybot-S&D from here:
http://www.majorgeeks.com/download.php?det=2471
Install Spybot-S&D and run it. Select "Search for updates" and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click "Download updates". When all updates have downloaded, close Spybot-S&D, and then run it again. Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems". Then please restart your computer again.

Please reply to this post with a new HiJackThis log.
JC
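To show the kind of triage the helper is doing on these log lines, here is an added Python example (not part of this thread and not a HijackThis tool): it parses HijackThis entry lines, flags the O18 filters registered with no CLSID and no file, flags any entry whose target is marked "(file missing)", and pulls out the start-page URLs so a homepage hijack is easy to spot. The sample lines are constructed from the log posted in this thread.

```python
"""Triage helper for HijackThis v1.99 log entry lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One HijackThis entry line: a section tag (R0, O4, O18, O23, ...), " - ", body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
START_PAGE_RE = re.compile(r"Start Page = (\S+)")


@dataclass
class Entry:
    section: str
    body: str
    reason: Optional[str] = None  # filled in by triage() when the line is flagged


# Constructed sample modelled on the log in this thread (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""


def parse_entries(text: str) -> List[Entry]:
    """Return the Rx/Fx/Nx/Oxx entry lines; the header and process list are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entry: Entry) -> Entry:
    """Attach a reason to the entries a HijackThis helper would single out."""
    body = entry.body
    if (entry.section == "O18" and body.startswith("Filter:")
            and "(no CLSID)" in body and "(no file)" in body):
        # A MIME filter with no handler DLL is an orphaned registration; the
        # helper in this thread told the poster to fix exactly these lines.
        entry.reason = "MIME filter registered with no handler; orphaned, fix in HijackThis"
    elif "(file missing)" in body:
        # Registry entry pointing at a file that is no longer on disk.
        entry.reason = "target file is missing; orphaned entry, safe to clean"
    return entry


def flagged(text: str) -> List[Entry]:
    """All entries in the log that triage() marks with a reason."""
    return [e for e in map(triage, parse_entries(text)) if e.reason]


def start_pages(text: str) -> List[str]:
    """Start-page URLs from R0/R1 lines, for a quick homepage-hijack check."""
    urls: List[str] = []
    for e in parse_entries(text):
        if e.section in ("R0", "R1"):
            m = START_PAGE_RE.search(e.body)
            if m:
                urls.append(m.group(1))
    return urls


def section_counts(text: str) -> Dict[str, int]:
    """How many entries each section (O4, O18, O23, ...) contributes."""
    counts: Dict[str, int] = {}
    for e in parse_entries(text):
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    print("start pages:", start_pages(SAMPLE_LOG))
    print("sections:", section_counts(SAMPLE_LOG))
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.body}\n    -> {e.reason}")
```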

#5 redsox34

redsox34
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:56 PM

Posted 04 January 2006 - 04:40 PM

Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:37:06 PM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\niSvcLoc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\IBM\Updater\jre\bin\javaw.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenAFS\Client\Program\afscreds.exe
C:\Program Files\OpenAFS\Client\Program\afsd_service.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: AFS Credentials.lnk = C:\Program Files\OpenAFS\Client\Program\afscreds.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/edrawing...cfm?Release=rel
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: AfsLogon - C:\WINDOWS\SYSTEM32\afslogon.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CYGWIN cygserver (cygserver) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Applications\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\System32\niSvcLoc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - Unknown owner - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks

#6 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:09:56 PM

Posted 04 January 2006 - 08:13 PM

redsox34: Are you still getting the error message? Did you try to re-install the software as I suggested?

Log looks clean...great job! :thumbsup:

Disable and Enable System Restore. - Since you are using Windows XP you should disable and enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and enable system restore here:

Windows XP System Restore Guide

--------------------------------------------------------------
Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend the following:

Detection and Removal Programs:

You already have 2 good anti-spyware detection programs: SpyBot and Ad-Aware. It is important that all of these programs are updated, and that you run full system scans on a regular basis.

Please see the following tutorials below:

How to use Ad-Aware to remove Spyware
Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers



Prevention Programs:

I recommend the following programs to help prevent an infection:

Spywareblaster - Helps prevent spyware from being installed.
Please see the following tutorial - Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware.

You have a Firewall installed. :flowers:

Other necessary Programs and steps:

Anti-virus program - It looks like you have an anti-virus program. It is important that this program is updated, and you run a full system scan on a regular basis.

More Secure Browser - Internet Explorer is not the most secure or best browser. There are safer and better alternatives available. I recommend Firefox and/or Opera.

Visit Microsoft's Windows Update Site Frequently - If you are a Windows user you must visit http://www.windowsupdate.com regularly. This site is a Microsoft site that will scan your computer for any patches or updates that are missing from your computer. It will then provide a list of items that it can download and install for you. This will ensure your computer has all of the latest security updates available installed and is secure from any known security holes.

Please read the following: Reply once more that you understand these recommendations, and confirm that there are no remaining issues.
JC

#7 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:09:56 PM

Posted 10 January 2006 - 03:31 PM

Since this issue appears to be resolved, this topic is now closed. redsox34, if your issues reappear, please contact staff to have this topic reopened. For any new issues please start another thread.

Anyone else with a similar problem, please start a topic of your own.
JC



