Tried To Stop Zlob


This topic is locked
21 replies to this topic

#1 Margarete

  • Members
  • 85 posts
  • Gender:Male
Posted 04 July 2006 - 07:25 PM

Hi, after being advised that my version of Hijackthis was out of date and also realizing a few new things, I requested to have my earlier post deleted and here is the new one:

I had stupidly clicked on an exe I shouldn't have (though I know better) and immediately realized it was a virus. Had the firewall stop all internet traffic. Had Spybot deny all requested registry changes and went to work deleting all files that were created at that moment. Ran Spybot S&D, ran Adaware, ran CCleaner.

I had to work in Safe Mode to delete a couple of files. Then I ran AVG antivirus, which found a couple of additional files that I had missed, including those in the system restore, and deleted them all successfully. From the files that I deleted (regperf.exe, atmclk.exe, dcomcfg.exe, not to mention a host of temp files and d3d9caps.dat & hvcycg.dll) I gather this is Zlob-related.

Now technically since no internet traffic ever went out, the system should not have been compromised, but...

All obvious symptoms - desktop links, blinking icon trays and fake warning messages - are gone. However, Internet Explorer still tried to access the Internet once or twice (IE is blocked by my firewall by default and I get warnings when it tries to do anything - I use Firefox). Never had pop-ups because I stopped it from downloading whatever it was trying to download.

I am afraid I did not get everything of it and am of course concerned about ominous backdoors. One of the odd things that happened is that the original malware file disappeared once I clicked it, or at least changed its name, because I could no longer find it.

Here is my newest Hijackthis log with the new version:

Logfile of HijackThis v1.99.1
Scan saved at 1:44:13 AM, on 7/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Computer Stuff\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;local.,;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Dora Fairytale Adventures Registration.lnk = D:\ATR1.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O20 - Winlogon Notify: winuoj32 - winuoj32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you very much for your assistance.
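The log above is the kind of listing the helpers on this board read line by line. As an added example (this is not HijackThis output and not a tool used in this thread), here is a small Python script that applies three of the checks a helper makes to a HijackThis 1.99.1 log: entries annotated `(file missing)`, O20 Winlogon Notify DLLs outside a known-default list, and O4 autostart entries that either give no directory or launch from off the system drive. The sample lines are copied from the posted log; the Winlogon Notify allowlist and the assumption that C: is the system drive are mine, not something the thread states.

```python
"""Triage heuristics for HijackThis-style autostart entries (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input: five lines copied from the log posted above, so
# the script runs offline. A real run would read the saved HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - Startup: Dora Fairytale Adventures Registration.lnk = D:\ATR1.exe
O20 - Winlogon Notify: winuoj32 - winuoj32.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Partial list of Winlogon Notify subkeys found on a default Windows XP
# install (assumption: extend it from a known-clean machine before relying on it).
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

SYSTEM_DRIVE = "C:"  # assumption taken from the posted log (Windows lives on C:)

# One regex per HijackThis section this script understands.
ENTRY_PATTERNS = (
    ("O4", re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")),
    ("O4", re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.*)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.+?) - .*? - (?P<cmd>.*)$")),
)

# Pulls the executable/library path out of a command line, dropping quotes,
# arguments and trailing annotations such as "(file missing)".
PATH_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|ocx|com|scr))"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reason: str


def extract_path(cmd: str) -> str:
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def parse_entry(line: str):
    """Return (section, name, cmd) for a recognised line, else None."""
    for section, pattern in ENTRY_PATTERNS:
        m = pattern.match(line)
        if m:
            return section, m.group("name"), m.group("cmd")
    return None


def check_entry(section: str, name: str, cmd: str):
    """Apply the triage heuristics to one entry; returns at most one Finding."""
    path = extract_path(cmd)
    if "(file missing)" in cmd.lower():
        return Finding(section, name, path,
                       "points at a file that is no longer on disk (left behind by a "
                       "removal, or a loader whose payload was deleted); remove the orphaned entry")
    if section == "O20" and name.lower() not in KNOWN_WINLOGON_NOTIFY:
        return Finding(section, name, path,
                       "Winlogon Notify DLL outside the known-default list; it would load "
                       "inside winlogon.exe, so confirm the file and its publisher")
    if section == "O4":
        if not re.match(r"^[A-Za-z]:\\", path):
            return Finding(section, name, path,
                           "no directory given, so the file is located through the PATH "
                           "search order; confirm which copy actually loads")
        if not path.upper().startswith(SYSTEM_DRIVE):
            return Finding(section, name, path, "autostart target lives off the system drive")
    return None


def triage(log_text: str) -> list:
    """Run every recognised entry through check_entry and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw.strip())
        if parsed is None:
            continue
        finding = check_entry(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<45} {f.path:<20} {f.reason}")
```

Run against the sample, the script leaves the Zone Alarm entry and the vsmon service alone and reports three entries: the bare `essspk.exe` (resolved through the search path), the startup shortcut pointing at `D:\ATR1.exe`, and the Winlogon Notify entry whose DLL is already gone. None of these is a verdict; they are the lines a helper would ask about before deciding what to remove.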


#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 10 July 2006 - 11:24 AM

Hi there and welcome to Bleeping Computer!
As you may have noticed already, the forums are very busy at the moment and I have noticed your log has gone unanswered so far!
We look at the oldest logs first, so if you still need help, please start by posting a new HijackThis log in this topic and I will then be able to take a look!

Thanks very much :thumbsup:
David

#3 Margarete
  • Topic Starter

  • Members
  • 85 posts
  • Gender:Male

Posted 10 July 2006 - 02:03 PM

Hi D-Trojanator,

Thank you so much for responding. Yes, I still do need help. I know I got most of the Zlob Downloader and other stuff that I had, but I am concerned about any backdoors, keyloggers and stuff that might have been left behind. I have read so much scary stuff about Zlob.

Here is a short recap:
Immediately realized virus activity after clicking on a file. Had the firewall stop all internet traffic. Had Spybot deny all requested registry changes, then deleted all files that were created at that moment (some in Safe Mode). Ran Spybot S&D, ran Adaware, ran CCleaner.

Then ran AVG antivirus, which found a couple of additional files that I had missed, including those in the system restore, and deleted them all successfully.

Among the files that I deleted were: regperf.exe, atmclk.exe, dcomcfg.exe, about 30 XXX.tmp and WinXX.tmp files, d3d9caps.dat, z1123OU.exe, Mshtml2.exe & hvcycg.dll.

At this point I posted my HJT log.

Since then I have run:
Housecall - found a few additional files related to Zlob downloader
Uninstalled "Yazzle by OIN" from my uninstall list (got a "files not found", logically)
Ran ewido - found a few additional files that I have since deleted without problem
Ran SmitFraudFix - which found quite a few things

Currently no obvious symptoms (desktop links, blinking icon trays and fake warning messages). Never had pop-ups because I stopped whatever it was trying to download.

I notice that a lot of system memory is taken up, but I am not sure if this is related. Is there a way to check for not so obvious leftovers and malware activity?

Here is my SmitFraudFix log:

SmitFraudFix v2.68b

Scan done at 21:13:33.39, Thu 07/06/2006
Run from C:\Documents and Settings\Owner\Desktop\Smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7916f057-223f-4612-ac84-e882cbe043d4}"="bals"

[HKEY_CLASSES_ROOT\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4}\InProcServer32]
@="C:\WINDOWS\System32\hvcycg.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{7916f057-223f-4612-ac84-e882cbe043d4}\InProcServer32]
@="C:\WINDOWS\System32\hvcycg.dll"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\System32\hvcycg.dll -> Missing File


Deleting infected files

C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\1024\ Deleted


Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Here is the ewido log:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:41:47 PM 7/6/2006

+ Scan result:



C:\Computer Stuff\backups\backup-20060704-135431-665.dll -> Downloader.Zlob.wy : No action taken.
:mozilla.10:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.2o7 : No action taken.
:mozilla.10:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.11:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.11:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.12:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.12:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.2o7 : No action taken.
:mozilla.12:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.13:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.13:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.2o7 : No action taken.
:mozilla.14:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.14:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.2o7 : No action taken.
:mozilla.15:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.15:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.2o7 : No action taken.
:mozilla.16:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.16:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.2o7 : No action taken.
:mozilla.17:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.17:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.2o7 : No action taken.
:mozilla.18:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.18:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.2o7 : No action taken.
:mozilla.19:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.19:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.2o7 : No action taken.
:mozilla.20:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.20:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.2o7 : No action taken.
:mozilla.21:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.61:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.62:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.6:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.55:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.71i : No action taken.
C:\Backup\Documents and Settings\Owner\Cookies\owner@ad.adition[2].txt -> TrackingCookie.Adition : No action taken.
:mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.77:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Advertising : No action taken.
:mozilla.78:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.78:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Advertising : No action taken.
:mozilla.79:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.79:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Advertising : No action taken.
:mozilla.80:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.80:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Advertising : No action taken.
:mozilla.81:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.81:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Advertising : No action taken.
:mozilla.82:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.82:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Advertising : No action taken.
:mozilla.83:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.83:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Advertising : No action taken.
:mozilla.84:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.84:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Advertising : No action taken.
:mozilla.85:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.85:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Advertising : No action taken.
:mozilla.86:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.86:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Advertising : No action taken.
:mozilla.87:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.87:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Advertising : No action taken.
:mozilla.88:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.110:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.113:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Atdmt : No action taken.
:mozilla.50:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Burstnet : No action taken.
:mozilla.51:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.51:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Burstnet : No action taken.
:mozilla.52:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.58:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Casalemedia : No action taken.
:mozilla.59:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.59:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Casalemedia : No action taken.
:mozilla.60:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.60:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Casalemedia : No action taken.
:mozilla.61:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.111:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Centrport : No action taken.
:mozilla.112:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Centrport : No action taken.
:mozilla.114:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Centrport : No action taken.
:mozilla.115:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Centrport : No action taken.
:mozilla.115:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Coremetrics : No action taken.
:mozilla.118:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Coremetrics : No action taken.
:mozilla.33:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Doubleclick : No action taken.
:mozilla.34:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Backup\Documents and Settings\Owner\Cookies\owner@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyuoajccqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.93:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Falkag : No action taken.
:mozilla.94:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.94:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Falkag : No action taken.
:mozilla.95:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.95:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Falkag : No action taken.
:mozilla.96:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.96:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Falkag : No action taken.
:mozilla.97:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.61:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Fastclick : No action taken.
:mozilla.62:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.62:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Fastclick : No action taken.
:mozilla.63:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.63:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Fastclick : No action taken.
:mozilla.64:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.103:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.105:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Googleadservices : No action taken.
:mozilla.26:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Googleadservices : No action taken.
:mozilla.28:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.23:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Ivwbox : No action taken.
:mozilla.25:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Ivwbox : No action taken.
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Ivwbox : No action taken.
C:\Backup\Documents and Settings\Owner\Cookies\owner@ivwbox[1].txt -> TrackingCookie.Ivwbox : No action taken.
:mozilla.44:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Liveperson : No action taken.
:mozilla.45:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.45:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Liveperson : No action taken.
:mozilla.46:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.48:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Liveperson : No action taken.
:mozilla.49:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.49:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Liveperson : No action taken.
:mozilla.50:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.68:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.116:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.117:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.118:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.119:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Pointroll : No action taken.
:mozilla.120:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Pointroll : No action taken.
:mozilla.121:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Pointroll : No action taken.
:mozilla.36:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.Popupsponsor : No action taken.
:mozilla.90:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.Qksrv : No action taken.
:mozilla.91:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.Qksrv : No action taken.
:mozilla.101:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.103:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Sitestat : No action taken.
:mozilla.108:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.40:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5knszh4j.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.41:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.88:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt.moztmp -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.89:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\47upokwo.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.51:C:\Backup\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\2nsd0gj1.slt\cookies.txt -> TrackingCookie.Zedo : No action taken.


::Report end

.... No idea where these cookies came from after CCleaner and such

and finally here is the latest HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 8:58:16 PM, on 7/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\explorer.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Computer Stuff\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;local.,;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Dora Fairytale Adventures Registration.lnk = D:\ATR1.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winuoj32 - winuoj32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

THANK YOU!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:12:51 PM

Posted 10 July 2006 - 02:10 PM

Well at the moment I see nothing of concern in the Hijackthis log.
It looks like you've done all the right things:

o Ewido,
o Smitfraudfix
o Full AVG scan

Also, any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit http://www.microsoft.com/windowsxp/downloa...p1/network.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection, and we're both just wasting our time.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

The infections that you had bring a lot of unwanted malware files with them. I want to run the following scanner to see if we can find if there were any leftovers:

* Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#5 Margarete

Margarete
  • Topic Starter

  • Members
  • 85 posts
  • Gender:Male
  • Local time:07:51 AM

Posted 10 July 2006 - 02:40 PM

Thanks David,

That is strange about my WinXP. I was certain I had SP1. What might have happened is that I forgot to update again after I had to replace my hard drive after it died.

I tried to do it right now, but ran into the WGA problem. Do I really have to download this terrible program???

Going to do Combofix right now and report back.

Edited by Margarete, 10 July 2006 - 02:41 PM.


#6 Margarete

Margarete
  • Topic Starter

  • Members
  • 85 posts
  • Gender:Male
  • Local time:07:51 AM

Posted 10 July 2006 - 02:53 PM

Hi again,

Combofix came back clean:

Start Time= Mon 07/10/2006 21:41:37.44
Running from: C:\Documents and Settings\Owner\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-08 07:22:02 ( .D... ) "C:\Program Files\Active Ports"
2006-07-06 21:54:50 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-04 12:11:42 ( .D... ) "C:\Documents and Settings\Owner\Application Data\AVG7"
2006-07-04 12:11:02 ( .D... ) "C:\Program Files\Grisoft"
2006-06-29 20:41:08 ( .D... ) "C:\Program Files\CCleaner"
2006-06-25 17:28:46 ( .D... ) "C:\Program Files\XviD"
2006-06-25 15:20:22 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Vso"
2006-06-22 03:29:44 ( .D... ) "C:\Program Files\BurnWorld"
2006-06-22 03:06:02 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Ulead Systems"
2006-06-22 03:04:04 ( .D... ) "C:\Program Files\Windows Media Components"
2006-06-20 13:01:16 ( .D... ) "C:\Program Files\SopCast"
2006-06-03 22:04:22 ( .D... ) "C:\Documents and Settings\Owner\Application Data\dvdcss"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-08 07:22 49,664 C:\WINDOWS\unvise32.exe
2006-07-07 00:50 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-07 00:50 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-06 21:46 519,622,656 C:\hiberfil.sys
2006-06-25 17:28 761,856 C:\WINDOWS\system32\xvidcore.dll
2006-06-25 17:28 180,224 C:\WINDOWS\system32\xvidvfw.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EssSpkPhone"="essspk.exe"
"S3TRAY2"="S3tray2.exe"
"HP Display Settings"="C:\\Program Files\\Hewlett-Packard\\HP Display Settings\\hpdisply.exe /s"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"CP4HPOT"="C:\\PROGRA~1\\HPONE-~1\\OneTouch.EXE"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HP Presentation Ready"="C:\\Program Files\\Hewlett-Packard\\HP Presentation Ready\\PresRdy.exe -r"
"MoneyStartUp10.0"="\"c:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"WorksFUD"="c:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="c:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\INSTAN~1.EXE /h"
"RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\REGIST~1.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\REGIST~1.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder

Completion time: Mon 07/10/2006 21:41:56.69
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

Thanks!

#7 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:12:51 PM

Posted 10 July 2006 - 03:21 PM

Hey there Margarete,

I've just spent the past 15 minutes reading up on all the WGA hoo-ha.
I had originally read a thread about it on BC, but forgot to go into detail on it.
I found loads of cool snippets of information on the "infection" and I must admit it sounds pretty dodgy, doesn't it!
I want you to try this for me...

1. Open Internet Explorer
2. Go to the Tools menu and choose Internet Options.
3. Click on the Programs tab and then click on the Manage Add-ons button.
4. Scroll to near the bottom and click on Windows Genuine Advantage, then choose Disable below, click OK and OK again.
5. Close all Internet Explorer windows and reload it.

Windows Update should now work fine! Try it again and let me know how it goes.

Also, the combofix log wasn't clean :thumbsup:
I want you to search and delete this file:

C:\WINDOWS\unvise32.exe

Let me know how it goes,
David
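The call above rests on reading two sections of the ComboFix log together: "Files Created - Last 30days" says what appeared, and the "Find3M Report" says which program directories were touched at the same moment. The helper below is an added example for this thread (my code, not ComboFix's and not anything David or Margarete posted): it parses those two sections from pasted text, keeps only loader-reachable files (.exe, .dll, .sys and similar) created under C:\WINDOWS on or after the incident date Margarete gave (2006-06-29), and annotates each one with any Find3M directory created in the same minute. That same-minute correlation is a triage heuristic I added, not something ComboFix reports; a match suggests the file arrived with that install, a blank suggests it deserves a closer look. The sample lines are copied from the log posted above and shortened.

```python
"""Triage the "Files Created - Last 30days" section of a ComboFix log
against its "Find3M" directory listing. Added example for this thread,
not ComboFix's own code: it works only on log text pasted into a string
and never touches the live file system."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed samples in the shape of the log posted above (values copied
# from it; the lists are shortened).
FIND3M_SAMPLE = r"""
2006-07-08 07:22:02 ( .D... ) "C:\Program Files\Active Ports"
2006-07-06 21:54:50 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-06-29 20:41:08 ( .D... ) "C:\Program Files\CCleaner"
2006-06-25 17:28:46 ( .D... ) "C:\Program Files\XviD"
"""

FILES_CREATED_SAMPLE = r"""
2006-07-08 07:22 49,664 C:\WINDOWS\unvise32.exe
2006-07-07 00:50 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-07 00:50 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-06 21:46 519,622,656 C:\hiberfil.sys
2006-06-25 17:28 761,856 C:\WINDOWS\system32\xvidcore.dll
2006-06-25 17:28 180,224 C:\WINDOWS\system32\xvidvfw.dll
"""

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(.+?)\s*$")
DIR_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} \( [^)]* \) "(.+)"\s*$')

# Loader-reachable file types that matter when they appear under the Windows tree.
EXEC_EXTS = (".exe", ".dll", ".sys", ".ocx", ".scr", ".com", ".pif")
WINDOWS_ROOTS = ("c:\\windows\\",)


@dataclass
class Candidate:
    created: datetime
    size: int
    path: str
    # Find3M directories created in the same minute: a hint that the file
    # belongs to that install rather than to the infection.
    same_minute_dirs: list = field(default_factory=list)


def parse_files_created(text):
    """Return (created, size, path) for each 'Files Created' line."""
    rows = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            rows.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                         int(m.group(2).replace(",", "")), m.group(3)))
    return rows


def parse_find3m_dirs(text):
    """Map each Find3M directory to its timestamp truncated to the minute."""
    dirs = {}
    for line in text.splitlines():
        m = DIR_RE.match(line.strip())
        if m:
            dirs[m.group(2)] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
    return dirs


def triage(files_text, dirs_text, incident_start):
    """Return executables created under the Windows tree on or after
    incident_start (YYYY-MM-DD), each annotated with same-minute installs."""
    start = datetime.strptime(incident_start, "%Y-%m-%d")
    dirs = parse_find3m_dirs(dirs_text)
    flagged = []
    for created, size, path in parse_files_created(files_text):
        lower = path.lower()
        if created < start:
            continue
        if not lower.startswith(WINDOWS_ROOTS) or not lower.endswith(EXEC_EXTS):
            continue
        cand = Candidate(created, size, path)
        cand.same_minute_dirs = [d for d, ts in dirs.items() if ts == created]
        flagged.append(cand)
    return flagged


if __name__ == "__main__":
    for c in triage(FILES_CREATED_SAMPLE, FIND3M_SAMPLE, "2006-06-29"):
        note = (f"created with {c.same_minute_dirs}" if c.same_minute_dirs
                else "no install directory created in the same minute")
        print(f"{c.created:%Y-%m-%d %H:%M}  {c.size:>11,}  {c.path}  <- {note}")
```

Run on the sample, it lists the three post-incident executables under C:\WINDOWS and shows that unvise32.exe shares its creation minute with the "Active Ports" program directory, while the two files from 2006-07-07 have no such match in the shortened Find3M sample; hiberfil.sys and the XviD codecs are dropped because they sit outside the Windows tree or predate the incident.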

#8 Margarete

Margarete
  • Topic Starter

  • Members
  • 85 posts
  • Gender:Male
  • Local time:07:51 AM

Posted 10 July 2006 - 03:43 PM

Hi David,

Well, that's why you are the expert :thumbsup:

File deleted without problem. Interesting thing about it was the dates. It had a date of 1999 (before I got this computer) and then in the properties it had a creation date of July 8, 2006. My infection happened on June 29.... go figure.

Unfortunately my version of IE Explorer must be out of date. I have 6.0 SP1, because I don't have an option "Manage Add-ons" under the Programs tab. I don't use IE Explorer any more except when I have to...

Please let me know how to proceed.

Thanks for all your help

#9 Margarete

Margarete
  • Topic Starter

  • Members
  • 85 posts
  • Gender:Male
  • Local time:07:51 AM

Posted 10 July 2006 - 06:04 PM

Eureka, I did manage to install SP1 using Firefox. Somehow that worked around the WGA... PS: I am running a legal Win XP home edition

Edited by Margarete, 11 July 2006 - 03:38 AM.


#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:12:51 PM

Posted 11 July 2006 - 11:22 AM

Hey Margarete,

File deleted without problem. Interesting thing about it was the dates. It had a date of 1999 (before I got this computer) and then in the properties it had a creation date of July 8, 2006. My infection happened on June 29.... go figure.

I'm not really too sure here - I suspect that this file came in before you got infected - it is common that even when you surf the web with inadequate protection you get infected without knowing. On the other hand, the malware is just tricking you and in reality it did enter your computer when you got infected; however, it has messed around with the creation/modified dates.

I did manage to install SP1 using Firefox. Somehow that worked around the WGA.

Well I'm glad that you were able to update to SP1, it's very important. I looked at my version of Internet Explorer and it is SP2, but I didn't realise that SP1 didn't have this feature, so sorry for making you run around on a goose chase for a while there.

I am running a legal Win XP home edition

Thanks for letting me know this, it is common that users who have not updated have illegal versions of windows.
So please post back with a new Hijackthis log, and let me know how the computer is running.
David

#11 Margarete

Margarete
  • Topic Starter

  • Members
  • 85 posts
  • Gender:Male
  • Local time:07:51 AM

Posted 11 July 2006 - 01:37 PM

Hi David,

To tell you the truth, the computer seems to run a lot slower than before. Wonder if that is SP1 and all the updates I downloaded, or maybe it's all the scanners in the background....

Here is my very latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:27:47 PM, on 7/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Computer Stuff\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;local.,;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Dora Fairytale Adventures Registration.lnk = D:\ATR1.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winuoj32 - winuoj32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Is there anywhere else we should check for left overs?

Thanks
Ariane

#12 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:12:51 PM

Posted 11 July 2006 - 04:36 PM

Hey Margarete,

Fix this entry with Hijackthis:
O20 - Winlogon Notify: winuoj32 - winuoj32.dll (file missing)

I would imagine that the slowdowns are caused by updating to SP1 - wait until you get SP2! On a serious note, you've got to think of it as a compromise - you will have much better security and safety for your computer in place of a small bit of speed. I want you to defragment your hard drive... when was the last time you did this?
1. Open My Computer.
2. Right-click the local disk volume that you want to defragment, and then click Properties.
3. On the Tools tab, click Defragment Now.
4. Click Defragment.
5. This process takes quite a long time, so be patient.

I suppose you could stop some unnecessary programs when your computer boots - for example you have things like QuickTime, MSN Messenger etc. loading at boot which most certainly slows down your computer. If you give me the go ahead I can try and cut down that list to the bare minimum and then you can see if there is any improvement....

David
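As an added illustration of the two HijackThis sections David is acting on here (the O20 Winlogon Notify entry and the O23 service list), and not code from the thread or from HijackThis itself, the following Python parses lines in that log format and flags Winlogon Notify entries whose DLL is reported as missing. The sample log lines are constructed from the format seen in this thread.

```python
import re

# Constructed sample in HijackThis log format (a few lines, not the full log).
SAMPLE_LOG = r"""
O20 - Winlogon Notify: winuoj32 - winuoj32.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
"""

# O20: "<name> - <dll>" with an optional "(file missing)" marker appended by HijackThis.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
# O23: "<display name> [(short name)] - <company> - <path>"; the short name is optional.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<company>.+?) - (?P<path>.+)$")


def parse_hjt_log(text):
    """Return one dict per recognised O20/O23 line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O20_RE.match(line)
        if m:
            entries.append({"section": "O20", "name": m.group("name"),
                            "dll": m.group("dll"),
                            "file_missing": m.group("missing") is not None})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"section": "O23", "name": m.group("name"),
                            "short_name": m.group("short"),
                            "company": m.group("company"), "path": m.group("path")})
    return entries


def orphaned_winlogon_notify(entries):
    """Names of Winlogon Notify entries that point at a DLL HijackThis could not find.

    Such an orphan is what remains after the DLL was deleted but the registry
    entry under Winlogon\\Notify was not; it is the kind of entry a helper asks
    to have fixed with HijackThis, as in this thread.
    """
    return [e["name"] for e in entries if e["section"] == "O20" and e["file_missing"]]


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print("orphaned Winlogon Notify entries:", orphaned_winlogon_notify(parsed))
    for e in parsed:
        if e["section"] == "O23":
            print(f"service {e['name']!r} ({e['company']}) -> {e['path']}")
```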

#13 Margarete

Margarete
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:51 AM

Posted 11 July 2006 - 05:13 PM

Hi David,


I am planning to remove a whole lot of programs from startup (AOL, QuickTime, Gamma loader, Bonjour etc.). While I was waiting for a reply I did some research with "Autoruns" and your Startup List. I just wanted to wait doing this until I've finished with my Zlob etc. stuff.

I will fix the HJT entry, but I have two more general questions:

I have read all this scary stuff that with the Zlob downloader your system is compromised no matter how much you clean it and that you have to reformat. What are your thoughts on that (especially since I stopped it from completely doing what it wanted to do)? Is there a way to find hidden activity if it was still going on?

Regarding SP2 I read all this stuff about it crashing computers. I have an older (2002) HP laptop and I read especially that it causes problems with those. Do you think my computer is clean enough to give it a try?

I will definitely defragment... it's been a while...

Thanks David

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:12:51 PM

Posted 12 July 2006 - 03:36 PM

Hey Margarete,

- I would recommend that you definitely take a look at your startup list and in conjunction with the startup list that BC has, you can cut down the programs that are loading when you startup. I would recommend that you consider cutting to the bare minimum, keeping essentials such as your anti-virus processes and programs for your modem etc. You can find a link to the startup list database here:
http://www.bleepingcomputer.com/startups/

- I think that perhaps reading into the matter hasn't done you any good at all - perhaps you are slightly paranoid. I took a look at the top results on Google for Zlob, and found some evil information about what it can do to your computer. I would be very wary of listening to that information - normally the vendor is using false positives as a goad to purchasing an antispyware program, for example. Believe you me, a free removal tool and a general scanner such as Ewido will remove Zlob and its bundled software.

- If you like, I can scan for some rootkits and other hidden processes with you, but I can almost guarantee that you are going to be clean - it is very rare with these routine infections that hidden processes are installed alongside. However, if you want peace of mind just let me know and I can give you instructions for a very reputable scanner.

- Regarding SP2, I would leave off for a few weeks at least to be totally honest with you - it's a pretty big jump from no service packs to pack 2 in the same week. In time I would recommend that you update to SP2 to reap the security benefits though, and in relation to whether your computer is clean enough, I would most certainly say yes - I reckon you are completely clean. Perhaps the older computer will be slightly clobbered by SP2, but I have no idea whether this will occur, without knowing the system's state and its system specs...

Hope this helps, and if you have any more questions just ask....
Let me know when you want the "all clean" spiel.
David

#15 Margarete

Margarete
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:51 AM

Posted 12 July 2006 - 10:38 PM

Hi David,

Thanks for all your help. I think I originally went to some German sites and they all recommended a clean install because the computer would be compromised... maybe they are indeed a bit paranoid and made me so.

Maybe I'd like to scan for hidden processes just out of curiosity and learning more.

Otherwise you can give me your all clean spiel. I don't want to keep you from helping others who are still in dire straits.

Cheers and Thanks
Ariane