Virtumonde/popups/slow response


  • This topic is locked
19 replies to this topic

#1 avalon

Posted 25 July 2006 - 09:01 AM

While on the internet, popups appear with titles like ErrorSafe and WinAntiVirus. The computer is running very slow and sometimes just freezes. I have run Spybot Search & Destroy, Ad-Aware SE, AVG, Norton AntiVirus - all to no avail. They say the files are deleted but the popups don't go away. Nothing's changed. Ad-Aware SE says the infected registry keys are removed, but if you run it again you will get the same message. I have copied it below:

VIRTUMONDE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : clsid\{e291663a-2d6f-4b56-b9df-ae239aef6a5b}
obj[1]=RegValue : clsid\{e291663a-2d6f-4b56-b9df-ae239aef6a5b} "AppID"
obj[2]=Regkey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e291663a-2d6f-4b56-b9df-ae239aef6a5b}

Need some help please.

Logfile of HijackThis v1.99.1
Scan saved at 11:55:30 PM, on 25/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\pchbutton.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\ddccc.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\pchbutton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/feedingfrenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 Navigator

Posted 25 July 2006 - 11:29 PM

Hello avalon....welcome to Bleeping Computer!

Please do this:


Credit: Atribune

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


#3 avalon (Topic Starter)

Posted 26 July 2006 - 09:04 AM

I don't know if this is the right way to post a new HijackThis log, so I sure hope you get this message.
I forgot to mention that I had previously tried VundoFix and the other one that was something like VundoBeGone with no success - no infected files found.

I ran it twice tonight, as my antivirus software AVG kicked in in between doing VundoFix and I was not sure I had done all the steps. The second time I ran it, it said "No infected files were found" and I did not get the option to do 'Remove Vundo'.

Contents of c:\vundofix.txt below. It shows results of my very first attempt a few days ago too.

Thanks for your help.


VundoFix V5.1.2

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Scan started at 9:14:24 PM 13/07/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Scan started at 9:53:08 PM 26/07/2006

Listing files found while scanning....

C:\windows\system32\ddccc.dll
C:\windows\system32\cccdd.ini
C:\windows\system32\cccdd.bak2
C:\windows\system32\cccdd.ini2
C:\windows\system32\cccdd.tmp
C:\windows\system32\jkhfc.dll
C:\windows\system32\cfhkj.ini
C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\ddccc.dll
C:\windows\system32\ddccc.dll Has been deleted!

Attempting to delete C:\windows\system32\cccdd.ini
C:\windows\system32\cccdd.ini Has been deleted!

Attempting to delete C:\windows\system32\cccdd.bak2
C:\windows\system32\cccdd.bak2 Has been deleted!

Attempting to delete C:\windows\system32\cccdd.ini2
C:\windows\system32\cccdd.ini2 Has been deleted!

Attempting to delete C:\windows\system32\cccdd.tmp
C:\windows\system32\cccdd.tmp Has been deleted!

Attempting to delete C:\windows\system32\jkhfc.dll
C:\windows\system32\jkhfc.dll Has been deleted!

Attempting to delete C:\windows\system32\cfhkj.ini
C:\windows\system32\cfhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V5.1.5

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Scan started at 10:04:03 PM 26/07/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

#4 Navigator

Posted 26 July 2006 - 09:43 AM

Hello avalon....one of the VundoFix logs got cut off in your reply, but it's not important since nothing was found in the second log. You are doing great!

Now, I need you to post another HJT log for me to look at after the VundoFix ....

Open HJT, and choose Do a Scan and Save a Logfile

then post the entire contents of the logfile here using 'add reply'...

Edited by Navigator, 26 July 2006 - 09:44 AM.


#5 avalon (Topic Starter)

Posted 26 July 2006 - 09:53 PM

Hi again. Thanks for the encouragement.

I ran AVG after VundoFix as it popped up and said I needed to. It found Trojan horse Generic.YKM. It says it removed it, but it has said this before and the problem has not gone away. I also ran Ad-Aware and the same three registry keys were picked up as in my original note.

One other point: I have to run HijackThis by going to Start, Run, C:\Program Files\HijackThis\HijackThis.exe. Is this the correct way to do it? If I click the HJT icon on the desktop all it does is give me the option to Run or Cancel, and if I run it, it gives the option for unzipping files and putting them in the directory above.

Here is the log and thanks for your help ....

Logfile of HijackThis v1.99.1
Scan saved at 12:53:18 PM, on 27/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\pchbutton.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\pchbutton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/feedingfrenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 Navigator

Posted 26 July 2006 - 10:23 PM

Hello avalon....

First, you should not have 2 AV programs installed and running on your computer....this will inevitably lead to system conflicts and may also lead to DECREASED security. You should choose ONE AV program you are going to go forward with, and uninstall the other...or at the very least, disable one of them from running and use it only as a second scanner.

The Virtumonde is gone from your HJT log; we'll try and take care of the registry entries Ad-Aware finds in a moment, if Ewido doesn't do it for us. You are running HJT just fine!

Please do the following:

1. First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.



Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab


Now close all windows other than HiJackThis, then click Fix Checked.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode.
Go here and download and install JRE 5.0 Update 7. Click the link that says Download JRE 5.0 Update 7. You will then need to select Accept License Agreement and click the Continue button that is beside it. Then click the link that says Windows Offline Installation, Multi-language. Save it to your Desktop. Then go back to your Desktop and double click jre-1_5_0_07-windows-i586-p.exe to start the install.

Once you have it installed, click Start>>Run, type in appwiz.cpl and hit Enter. From the list, uninstall Java j2re1.4.2_03 .

Post back with:
  • the results of the ewido report scan
  • a new HJT log


#7 avalon

avalon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:17 AM

Posted 28 July 2006 - 07:45 AM

Hi
Did not get very far with your last instructions. When I did step 3 "Start Update" there was the following error:

Error: failed to connect to server update.ewido.net

I tried steps 1 and 2 again but same error at step 3. I know it was not the internet as I could access other sites. I don't know if this is a stupid question but does it make a difference if I am on a network. We have two computers and 2 printers on a wireless network and the one I am using is not the main one. I don't know if I am using the right words here but both computers are independent in that no info is shared between them except the access to the internet. The other computer has to be on for this one to access the internet but not vice versa.

Also, more strange stuff is happening. When I try to save a document in Word I can't see my folders. If I go into Explorer the folders are there. Also, when I first started up Word it asked me if I wanted to install Word but I clicked cancel a few times and Word opened up.

A particular folder cannot be seen even in Explorer. It is the 'local settings' folder. I have 4 user accounts set up on this computer and for each one of them you cannot see the 'local settings' folder. However, when I do a scan with Adware it shows up as being scanned. So it's there but I cannot see it.

Apologies for the long note! What next and thank you again!!

#8 Navigator

Navigator

    Gas Passer


  • Members
  • 72 posts
  • OFFLINE
  • Local time:04:17 PM

Posted 28 July 2006 - 05:05 PM

Hi
Did not get very far with your last instructions. When I did step 3 "Start Update" there was the following error:

Error: failed to connect to server update.ewido.net

I tried steps 1 and 2 again but same error at step 3. I know it was not the internet as I could access other sites. I don't know if this is a stupid question but does it make a difference if I am on a network. We have two computers and 2 printers on a wireless network and the one I am using is not the main one. I don't know if I am using the right words here but both computers are independent in that no info is shared between them except the access to the internet. The other computer has to be on for this one to access the internet but not vice versa.


The first thing to try is exiting and restarting Ewido...if that did not correct the problem, try to manually update Ewido by going here:

http://www.ewido.net/en/download/updates/

If that doesn't work check the following:

First, go here and see if you can access the update server: http://update.ewido.net/

I have seen threads at the Ewido forum with similar complaints, so try updating it again today....

Other possible issues:
Do you have 'administrator' rights on the machine?
Do you use a Hosts file, and if you do is 'good' checked for Ewido entries?
Is Ewido allowed access from your firewall?

Check these things and get back to me...if you cannot update Ewido do the rest of the fix leaving out Ewido and we'll see what we need to do next!

#9 avalon

avalon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:17 AM

Posted 30 July 2006 - 08:18 AM

Hello again

No popups since we did vundo. I think it's gone. Thanks,

Tried the manual update of ewido. It worked.

When I clicked Fix Checked I was asked 'Fix 2 selected?" I said yes. Hope that was okay.

In safe mode I realised there was a user account called administrator. In normal mode I use the account compag_owner which I assumed had administrator status. Don't know how to get to the 'administrator' account in normal mode.

Anyway, in safe mode, used the administrator account to scan but selecting the scan tab gave me a blank screen i.e. no scanning options. Switched to compag_owner (still in safe mode) and the scan tab gives all the scanning options! Was going to do the scan from compag_owner but then decided to switch back to administrator account (still in safe mode) and downloaded ewido again, selected 'update now' and it worked! So maybe compag_owner does not have administrator rights which is why it did not work.

Scanned using the administrator account. Back in normal mode when installing JRE and using compag_owner account. In control panel, user accounts, it says computer administrator for all the user accounts! Sorry to bother you with all this account info. I'm sure it is irrelevant.

Here is the ewido report scan followed by the HJT log. Explorer is still behaving strangely. Not what it used to be.

Thanks again for your help.

EWIDO report scan
============

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:36:59 PM 30/07/2006

+ Scan result:



C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc563.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie\Cookies\katie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mark\Cookies\mark@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\mark@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Local Settings\Temp\Cookies\mark@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1007\Dc242\Cookies\katie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc127.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc181.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc188.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc299.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc303.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc337.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc347.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc526.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc554.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc560.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc59.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc591.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc60.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc682.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc695.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc81.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc86.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc487.txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc797.txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc580.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc211.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc375.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc581.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie\Cookies\katie@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc222.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc595.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc75.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc230.txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc232.txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc205.txt -> TrackingCookie.Bpath : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc760.txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc235.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc606.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc241.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc610.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc254.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc506.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc264.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc622.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc272.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc630.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc94.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc508.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc509.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc510.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc631.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc221.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc593.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc280.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc326.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc640.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc274.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc633.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc634.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc635.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc656.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc262.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc304.txt -> TrackingCookie.Hotlog : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc122.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc328.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc676.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc132.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc135.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc344.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc351.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc207.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc577.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc703.txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc137.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc357.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc704.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc406.txt -> TrackingCookie.Realtracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\mark@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\mark@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Local Settings\Temp\Cookies\mark@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1007\Dc242\Cookies\katie@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc145.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc388.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc535.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc734.txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc96.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc143.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc234.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc377.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc605.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc723.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc385.txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc655.txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc788.txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc144.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc386.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc733.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie\Cookies\katie@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Matt\Cookies\mark@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc149.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc391.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc739.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc397.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc398.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc742.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc402.txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc533.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc201.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc571.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc67.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc488.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc608.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-807374554-2369034388-3120750638-1010\Dc795.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end

HJT log
====

Logfile of HijackThis v1.99.1
Scan saved at 11:19:15 PM, on 30/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\pchbutton.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\pchbutton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/feedingfrenzy/SproutLauncher.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
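As an added example (not part of this thread, of HijackThis or of ewido), the Python below parses the O2/O4/O16/O23 lines of an HJT 1.99 log like the one just posted and applies the checks a helper does by eye: BHOs with no display name, autorun entries that reference a bare filename (as the AlcxMonitor entry fixed earlier did), ActiveX downloads and their source host, and autorun or service binaries absent from the "Running processes" list. SAMPLE_LOG is a constructed excerpt that reuses a few posted lines; the parsing rules are derived from the log layout shown here.

```python
"""Triage helper for HijackThis 1.99 log lines (added example, not HJT's own code)."""
import re
from urllib.parse import urlparse

# Constructed sample: a trimmed HJT log in the layout used by the posted logs.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:19:15 PM, on 30/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
SECTION_RES = {
    # O2: Browser Helper Object -> display name, CLSID, DLL path
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    # O4: autorun value; target may be quoted, a bare filename, or an unquoted path with spaces
    "O4": re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*'
                     r'(?:"(?P<qpath>[^"]+)"|(?P<path>.+?\.exe))', re.I),
    # O16: Downloaded Program File (ActiveX) -> CLSID, optional friendly name, source URL
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>.*?)\))? - (?P<url>\S+)$"),
    # O23: NT service -> display name, vendor, binary path
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}


def parse_hjt(text):
    """Return {'processes': [...], 'entries': [...]} from HJT log text."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # process list runs until the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        head = re.match(r"^(R\d|O\d+) - ", line)
        if not head:
            continue
        entry = {"section": head.group(1), "raw": line}
        regex = SECTION_RES.get(entry["section"])
        match = regex.match(line) if regex else None
        if match:
            entry.update(match.groupdict())
        if entry["section"] == "O4":      # fold the quoted/unquoted alternatives into one key
            entry["path"] = entry.pop("qpath", None) or entry.get("path")
        if entry.get("url"):
            entry["host"] = urlparse(entry["url"]).hostname
        entries.append(entry)
    return {"processes": processes, "entries": entries}


def triage(report):
    """Defender-side checks over parsed entries; returns (section, key, note) tuples."""
    running = {p.lower() for p in report["processes"]}
    findings = []
    for e in report["entries"]:
        sec, path = e["section"], (e.get("path") or "")
        if sec == "O2" and e.get("name") == "(no name)":
            findings.append((sec, e["clsid"], "BHO has no display name; identify the DLL by its CLSID before acting"))
        elif sec == "O4" and path:
            if "\\" not in path:          # no directory: Windows resolves it via the search path
                findings.append((sec, e["name"], "bare filename, resolved via the search path; locate the file first"))
            elif path.lower() not in running:
                findings.append((sec, e["name"], "autorun target was not in the running-process list"))
        elif sec == "O16":
            findings.append((sec, e.get("clsid", e["raw"]), "ActiveX control fetched from " + (e.get("host") or "unknown host")))
        elif sec == "O23" and path and path.lower() not in running:
            findings.append((sec, e["name"], "service binary was not running at scan time"))
    return findings


if __name__ == "__main__":
    for section, key, note in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:<4}{key:<45}{note}")
```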

#10 Navigator


Posted 30 July 2006 - 10:04 AM

> Hello again
>
> No popups since we did vundo. I think it's gone. Thanks,
>
> In safe mode I realised there was a user account called administrator. In normal mode I use the account compag_owner which I assumed had administrator status. Don't know how to get to the 'administrator' account in normal mode.
>
> Anyway, in safe mode, used the administrator account to scan but selecting the scan tab gave me a blank screen i.e. no scanning options. Switched to compag_owner (still in safe mode) and the scan tab gives all the scanning options! Was going to do the scan from compag_owner but then decided to switch back to administrator account (still in safe mode) and downloaded ewido again, selected 'update now' and it worked! So maybe compag_owner does not have administrator rights which is why it did not work.
>
> Scanned using the administrator account. Back in normal mode when installing JRE and using compag_owner account. In control panel, user accounts, it says computer administrator for all the user accounts! Sorry to bother you with all this account info. I'm sure it is irrelevant.
>
> Here is the ewido report scan followed by the HJT log. Explorer is still behaving strangely. Not what it used to be.
>
> Thanks again for your help.


You're welcome!

Windows XP at installation establishes an account called 'Administrator' in safe mode by default. I should have been more explicit in my instructions and directed you to log into your usual account in safe mode.

The terminology can get confusing what with XP naming accounts 'administrator' and then having individual user accounts with 'administrator' privileges. I was just checking that you were using an account with 'administrator privileges'. Sorry about that!

Your HJT log appears clean, and all the Ewido scan found was a bunch of stuff in your recycle bin and cookies. What kind of problems are you having with IE?

Let's do some temp file/cookie cleaning and an online AV scan:

1. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

2. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report and let me know what problems you are having with IE.

#11 avalon


Posted 02 August 2006 - 03:27 AM

Hi Navigator

Did step 1.

With step 2, the scan froze for 15 mins on one file at which point I killed it. The file it was scanning when it froze was "...E2NFRS\VirtumundoBeGone[1].exe".

Prior to registering with HJT, when I tried to tackle the virus myself (unsuccessfully!!) I had run Vundofix and VirtumundoBeGone from a site called Castlecops. At least that was the site at which I started but cannot remember the site I ran the exe from. I don't recall downloading it but just running it from that site.

I thought I would remove the VirtumundoBeGone exe and try the scan but I can't find it! Any ideas where to look?

On the subject of removing files, is it safe to delete files in the folder Desktop\My Computer\Presario(C:)\downloads?

I also wanted to remove PConPoint and RegistryFix from the folder Program Files but it won't let me. I did an uninstall for each and thought that the 'uninstalling' would remove it completely.

When I said explorer was still doing funny stuff, I meant Windows Explorer not IE! Some folders are not visible. For instance, Local Settings has gone. I know it's there because when one of the antivirus programs is running, I can see that Local Settings for each user is being scanned, but in Windows Explorer I can't see it. Basically the list of files and folders looks different now. It's not a major problem, I was just wondering where the Local Settings folder had got to, whether other folders had disappeared, and whether I should worry about it.

The other problem I have is that the startup is a bit slow. It is heaps better since running all the fixes you have asked me to run but was wondering if it can be improved.

#12 Navigator


Posted 02 August 2006 - 08:26 PM

> With step 2, the scan froze for 15 mins on one file at which point I killed it. The file it was scanning when it froze was "...E2NFRS\VirtumundoBeGone[1].exe".
>
> Prior to registering with HJT, when I tried to tackle the virus myself (unsuccessfully!!) I had run Vundofix and VirtumundoBeGone from a site called Castlecops. At least that was the site at which I started but cannot remember the site I ran the exe from. I don't recall downloading it but just running it from that site.
>
> I thought I would remove the VirtumundoBeGone exe and try the scan but I can't find it! Any ideas where to look?
>
> On the subject of removing files, is it safe to delete files in the folder Desktop\My Computer\Presario(C:)\downloads?
>
> I also wanted to remove PConPoint and RegistryFix from the folder Program Files but it won't let me. I did an uninstall for each and thought that the 'uninstalling' would remove it completely.
>
> When I said explorer was still doing funny stuff, I meant Windows Explorer not IE! Some folders are not visible. For instance, Local Settings has gone. I know it's there because when one of the antivirus programs is running, I can see that Local Settings for each user is being scanned, but in Windows Explorer I can't see it. Basically the list of files and folders looks different now. It's not a major problem, I was just wondering where the Local Settings folder had got to, whether other folders had disappeared, and whether I should worry about it.
>
> The other problem I have is that the startup is a bit slow. It is heaps better since running all the fixes you have asked me to run but was wondering if it can be improved.



Have you tried searching for VirtumundoBeGone to locate it (if you cannot get the exact location from Panda)? Right-click Start, select Search, search in all files and folders, and set the search to cover your hard drive.

Without knowing what files are in your downloads folder, it's hard for me to say if it's safe to delete them. Probably, but I do not know.

What happens when you navigate to the folders you want to delete for PConPoint and RegistryFix and try to delete them? What message do you receive?

With regard to not being able to 'see' certain folders with Windows Explorer, have you set the folder options to see typically 'hidden' items? You can do this by doing the following:

If the Local Settings folder is not visible, you may need to change the folder options. To make the Local Settings folder visible:
a. Double-click the My Computer icon, and then click Folder Options on the Tools menu.
b. Click the View tab, and then click Show hidden files and folders under Hidden Files and Folders.


With regard to startup being slow, I want to get the malware off the system first...but it appears that you have two AV programs installed and active on your computer....Symantec AND AVG. Two AV programs installed and enabled will lead to system conflicts, decreased system performance and possibly less security rather than more. The first thing I would do is either disable one of the AV programs from startup (keeping it as a second 'scanner') or choose one of these products to go forward with and uninstall the other.

If you cannot get Panda to run, then try this as an alternative:

Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and attach it to your next reply along with a new HijackThis log.


#13 avalon


Posted 05 August 2006 - 06:24 AM

Located VirtumundoBeGone. It was in Administrator\Local Settings\Temporary Internet Files\Content.IES\WOE2NFR8. Deleted it and the Panda scan completed with 'No virus found'.

Also ran the BitDefender online virus scan. When the scan finished it said "Your computer is still infected". Scan Report at the end of this message.

Can now see Local Settings. Thanks.

Managed to delete PConPoint and RegistryFix from Program Files. I was getting a message something like these being hidden files and needed for the running and therefore not allowed to delete. But this time I could delete. Don't know why but it worked!

In Downloads I have 3 folders. One of them is HP and it has the files: dj379en, dj379en, and rub_w01_Americas_Euro1. Was just wondering if the computer uses any of these to run and whether it would be safe to delete them. Another folder is called 'Asha' which is my friend's name. So presumably this friend downloaded this stuff but no longer uses this computer. A bit wary to delete these files as most of them are system files like ASPI2DOS, ASPI4DOS, ASPI8DOS, BTCDROM etc.

Have been trying to disable, not uninstall, AVG since you first mentioned that I should have only one AV running. I have tried a 'deactivate' button on one of the screens but that hasn't worked. Did not want to disable the Norton (even though I believe AVG has been better in the few weeks I've used it) as it is my firewall among other things. So thought I would disable AVG but don't know how. Can you help? If not, I will just uninstall it.

Here is the BitDefender scan report followed by a HJT log.
Thanks again for your help.



BitDefender Online Scanner
Scan report generated at: Sat, Aug 05, 2006 - 01:32:35

Scan path: C:\;D:\;E:\;

Statistics
Time 01:09:06
Files 594271
Folders 6096
Boot Sectors 3
Archives 16292
Packed Files 58032

Results
Identified Viruses 3
Infected Files 12
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 16

Engines Info
Virus Definitions 426695
Engine build AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins 13
Archive plugins 39
Unpack plugins 5
E-mail plugins 6
System plugins 1

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes


Scanned File Status
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\MVI3UHQR\120x600[1].swf=>[SWF command] Infected with: Trojan.SwfDL.A
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\MVI3UHQR\120x600[1].swf=>[SWF command] Disinfection failed
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\MVI3UHQR\120x600[1].swf=>[SWF command] Deleted
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\MVI3UHQR\120x600[1].swf Update failed
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\85EZKPQN\partypoker[1].swf=>[SWF command] Infected with: Trojan.SwfDL.A
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\85EZKPQN\partypoker[1].swf=>[SWF command] Disinfection failed
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\85EZKPQN\partypoker[1].swf=>[SWF command] Deleted
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\85EZKPQN\partypoker[1].swf Update failed
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\C5I305MN\partypoker_auz[1].swf=>[SWF command] Infected with: Trojan.SwfDL.A
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\C5I305MN\partypoker_auz[1].swf=>[SWF command] Disinfection failed
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\C5I305MN\partypoker_auz[1].swf=>[SWF command] Deleted
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\C5I305MN\partypoker_auz[1].swf Update failed
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\QXXMBAX4\120x600[1].swf=>[SWF command] Infected with: Trojan.SwfDL.A
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\QXXMBAX4\120x600[1].swf=>[SWF command] Disinfection failed
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\QXXMBAX4\120x600[1].swf=>[SWF command] Deleted
C:\Documents and Settings\Kaz\Local Settings\Temporary Internet Files\Content.IE5\QXXMBAX4\120x600[1].swf Update failed
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024247.dll=>(Quarantine-2) Infected with: Trojan.Downloader.TL
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024247.dll=>(Quarantine-2) Disinfection failed
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024247.dll=>(Quarantine-2) Deleted
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024251.dll=>(Quarantine-2) Infected with: Trojan.Downloader.TL
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024251.dll=>(Quarantine-2) Disinfection failed
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024251.dll=>(Quarantine-2) Deleted
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024252.dll=>(Quarantine-2) Infected with: Trojan.Downloader.TL
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024252.dll=>(Quarantine-2) Disinfection failed
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024252.dll=>(Quarantine-2) Deleted
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024255.dll=>(Quarantine-2) Infected with: Trojan.Downloader.TL
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024255.dll=>(Quarantine-2) Disinfection failed
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024255.dll=>(Quarantine-2) Deleted
C:\WINDOWS\system32\fdplngvi.exe Infected with: Trojan.Agent.CUR
C:\WINDOWS\system32\fdplngvi.exe Disinfection failed
C:\WINDOWS\system32\fdplngvi.exe Deleted
C:\WINDOWS\system32\hknwirsb.exe Infected with: Trojan.Agent.CUR
C:\WINDOWS\system32\hknwirsb.exe Disinfection failed
C:\WINDOWS\system32\hknwirsb.exe Deleted
C:\WINDOWS\system32\qovskknp.exe Infected with: Trojan.Agent.CUR
C:\WINDOWS\system32\qovskknp.exe Disinfection failed
C:\WINDOWS\system32\qovskknp.exe Deleted
C:\WINDOWS\system32\xhfumcwp.exe Infected with: Trojan.Agent.CUR
C:\WINDOWS\system32\xhfumcwp.exe Disinfection failed
C:\WINDOWS\system32\xhfumcwp.exe Deleted


HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:33:12 PM, on 5/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\pchbutton.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\pchbutton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/feedingfrenzy/SproutLauncher.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#14 Navigator


Posted 05 August 2006 - 11:42 AM

> Managed to delete PConPoint and RegistryFix from Program Files. I was getting a message something like these being hidden files and needed for the running and therefore not allowed to delete. But this time I could delete. Don't know why but it worked!


Before you enabled seeing hidden system files, Windows would not let you manipulate them.

> In Downloads I have 3 folders. One of them is HP and it has the files: dj379en, dj379en, and rub_w01_Americas_Euro1. Was just wondering if the computer uses any of these to run and whether it would be safe to delete them. Another folder is called 'Asha' which is my friend's name. So presumably this friend downloaded this stuff but no longer uses this computer. A bit wary to delete these files as most of them are system files like ASPI2DOS, ASPI4DOS, ASPI8DOS, BTCDROM etc.


The dj379en.exe file in the HP download folder is the setup utility for a printer driver. If you already installed the driver on your computer, deleting it here should not be an issue, other than that you might need to download it again if for some reason you need to reinstall it.

Here are some links to some of the Asha folders contents:

http://www.cdrom-drivers.com/drivers/17/17497.htm

http://www.cdrom-drivers.com/drivers/160/160341.htm

They seem to be system drivers, none seem to be malicious.

The Downloaded Program Files folder is where your ActiveX controls are maintained, you need those for functionality at certain web sites...so do not delete the folder itself (although it will be recreated the next time you download something although with degraded capabilities...see here: http://support.microsoft.com/kb/q174925/ ). Research with google or msn search the items in your DPF folder if you want to see what you need or can do without...but that's up to you and nothing you've told me seems malicious.

> Have been trying to disable, not uninstall, AVG since you first mentioned that I should have only one AV running. I have tried a 'deactivate' button on one of the screens but that hasn't worked. Did not want to disable the Norton (even though I believe AVG has been better in the few weeks I've used it) as it is my firewall among other things. So thought I would disable AVG but don't know how. Can you help? If not, I will just uninstall it.


As to disabling AVG7, try this link for instructions: http://www.netfaqs.com/windows/AntiVirus/A...nable/index.asp

BitDefender deleted what it found, most of the stuff was in temporary internet files or system restore which we will reset and delete old restore entries in just a minute.

How is your computer running now, any problems??
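The conclusion above (most hits sat in the browser cache or a restore point) can be read straight off the report format posted earlier. The script below is an added example, not BitDefender's tooling and not part of the thread: it groups the per-file status lines, buckets each file by where it sat, and flags files the scanner could not rewrite ("Update failed"). The sample input is a constructed subset of the report above.

```python
"""Triage the 'Scanned File Status' section of a BitDefender Online Scanner report.

Each line has the form   <path>[=><embedded object>] <status>
where status is 'Infected with: <name>', 'Disinfection failed', 'Disinfected',
'Deleted' or 'Update failed'. Several lines describe one file, so the parser
groups them per path and answers two triage questions: where did the hits sit
(browser cache, restore point, live system folder) and what still needs a look.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a subset of the report lines posted in the thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\MVI3UHQR\120x600[1].swf=>[SWF command] Infected with: Trojan.SwfDL.A
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\MVI3UHQR\120x600[1].swf=>[SWF command] Disinfection failed
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\MVI3UHQR\120x600[1].swf=>[SWF command] Deleted
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\MVI3UHQR\120x600[1].swf Update failed
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024247.dll=>(Quarantine-2) Infected with: Trojan.Downloader.TL
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024247.dll=>(Quarantine-2) Disinfection failed
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP182\A0024247.dll=>(Quarantine-2) Deleted
C:\WINDOWS\system32\fdplngvi.exe Infected with: Trojan.Agent.CUR
C:\WINDOWS\system32\fdplngvi.exe Disinfection failed
C:\WINDOWS\system32\fdplngvi.exe Deleted
C:\WINDOWS\system32\hknwirsb.exe Infected with: Trojan.Agent.CUR
C:\WINDOWS\system32\hknwirsb.exe Disinfection failed
C:\WINDOWS\system32\hknwirsb.exe Deleted
"""

# Path is non-greedy; the optional '=>' group captures the embedded object;
# the status alternatives are anchored at end of line so spaces in paths are safe.
LINE_RE = re.compile(
    r"^(?P<path>.+?)(?:=>(?P<inner>.+?))?\s+"
    r"(?P<status>Infected with: .+|Disinfection failed|Disinfected|Deleted|Update failed)$"
)


def classify_location(path: str) -> str:
    """Bucket a path by how much it matters: cache and restore points are inert
    copies; a file under system32 was sitting in a live system location."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "browser cache"
    if "\\system volume information\\_restore" in p:
        return "system restore point"
    if "\\windows\\system32\\" in p:
        return "system32 (live system)"
    return "other"


@dataclass
class FileFinding:
    path: str
    detections: set = field(default_factory=set)
    actions: list = field(default_factory=list)

    @property
    def needs_follow_up(self) -> bool:
        # 'Update failed' means the scanner removed the embedded object but could
        # not rewrite the container, so the file itself should be checked/cleared.
        if "Update failed" in self.actions:
            return True
        return not ({"Deleted", "Disinfected"} & set(self.actions))


def parse_report(text: str) -> dict:
    """Group report lines by file path; lines that are not status entries
    (section headers, statistics rows) are skipped."""
    findings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        f = findings.setdefault(m["path"], FileFinding(m["path"]))
        status = m["status"]
        if status.startswith("Infected with: "):
            f.detections.add(status[len("Infected with: "):])
        else:
            f.actions.append(status)
    return findings


def summarize(findings: dict) -> dict:
    """Counts per location and per detection name, plus files needing manual follow-up."""
    by_location = Counter(classify_location(f.path) for f in findings.values())
    by_detection = Counter(d for f in findings.values() for d in f.detections)
    follow_up = sorted(f.path for f in findings.values() if f.needs_follow_up)
    return {"files": len(findings), "by_location": dict(by_location),
            "by_detection": dict(by_detection), "follow_up": follow_up}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```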

#15 avalon


Posted 06 August 2006 - 08:08 AM

Thanks for all that info. Disabled AVG and read up on all the download folders.

Internet Explorer is fine now. However, all my music in iTunes is no longer there. In fact when I click on the icon, the licence agreement page comes up. Microsoft Work too, twice today, behaved strangely. Maybe I should reinstall Microsoft Office. Otherwise it seems to be okay albeit a bit slow at startup.



