Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Help With Adware Removal


  • This topic is locked This topic is locked
8 replies to this topic

#1 Sapper 31

Sapper 31

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 26 February 2007 - 08:08 PM

Hi,

It's been a long time since I cleaned my computer, and I thought it was long overdue. I scanned with Ad Aware and Spybot SD. Lots of problems were found and fixed. Whenever I run Spybot now though I get about 10 different problems everytime and it can never remove Starware. I'm guessing there is something sneaky that keeps this stuff safe. Please take a look at my logs and let me know if you can help me out at all.

Here is my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:20:32 PM, on 2/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft1\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft1\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft1\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft1\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn19\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn19\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn19\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft1\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft1\AVG7\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

If you need anything else just let me know.

Thanks! :thumbsup:

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:08 PM

Posted 28 February 2007 - 10:53 PM

Hello Sapper 31,

I am SifuMike and I will be helping you. :thumbsup:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
*********************

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan". This scan may take a few hours. It all depends on the number of files on your computer.

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

*********************

Download ATF (Atribune Temp File) Cleaner© by Atribune DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.

1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Sheild' and 'Automatic Updates'. If you choose to do this, then right click on ewdio in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.

Make sure that Set all elements to: shows Quarantine
(1)
, if not click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.

When done, submit the BitDefender log, the [b]AVG Anti-Spyware 7.5
log and a fresh Hijackthis log.

Edited by SifuMike, 28 February 2007 - 11:01 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Sapper 31

Sapper 31
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 02 March 2007 - 07:58 AM

Hi SifuMike,

Thanks for helping me out with this.

Here is my Bit Defender Log:

BitDefender Online Scanner



Scan report generated at: Thu, Mar 01, 2007 - 10:09:37





Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;







Statistics

Time
03:20:34

Files
758477

Folders
11256

Boot Sectors
3

Archives
21138

Packed Files
67460




Results

Identified Viruses
11

Infected Files
13

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
13




Engines Info

Virus Definitions
399295

Engine build
AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\$VAULT$.AVG\04409375.FIL
Infected with: Trojan.Downloader.Small.BAP

C:\$VAULT$.AVG\04409375.FIL
Disinfection failed

C:\$VAULT$.AVG\04409375.FIL
Deleted

C:\hp\bin\Terminator.exe
Infected with: Trojan.Killapp.30208.A

C:\hp\bin\Terminator.exe
Disinfection failed

C:\hp\bin\Terminator.exe
Deleted

C:\Program Files\Common Files\Download\mc-62-602-0000156.exe
Infected with: Trojan.Downloader.4540.A

C:\Program Files\Common Files\Download\mc-62-602-0000156.exe
Disinfection failed

C:\Program Files\Common Files\Download\mc-62-602-0000156.exe
Deleted

C:\Program Files\WildTangent\Apps\GameChannel\Games\357ECB62-CD36-4B63-B57E-769D0CA174F4\jvminstall.htm
Infected with: Trojan.Exploit.Html.Codebaseexec.CC

C:\Program Files\WildTangent\Apps\GameChannel\Games\357ECB62-CD36-4B63-B57E-769D0CA174F4\jvminstall.htm
Disinfection failed

C:\Program Files\WildTangent\Apps\GameChannel\Games\357ECB62-CD36-4B63-B57E-769D0CA174F4\jvminstall.htm
Deleted

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008356.dll
Infected with: Trojan.LowZones.CM

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008356.dll
Disinfection failed

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008356.dll
Deleted

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008358.dll
Infected with: Win32.HLLW.Bizex.A

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008358.dll
Disinfection failed

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008358.dll
Deleted

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008359.exe
Infected with: Trojan.Killer

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008359.exe
Disinfection failed

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008359.exe
Deleted

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP53\A0010702.exe
Infected with: Trojan.Killapp.30208.A

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP53\A0010702.exe
Disinfection failed

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP53\A0010702.exe
Deleted

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP53\A0010707.exe
Infected with: Trojan.Downloader.4540.A

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP53\A0010707.exe
Disinfection failed

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP53\A0010707.exe
Deleted

C:\WINDOWS\inf\alchem.inf
Infected with: Trojan.Downloader.Alchemic.B

C:\WINDOWS\inf\alchem.inf
Disinfection failed

C:\WINDOWS\inf\alchem.inf
Deleted

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RATU4NXP\sia[1].txt=>/index.htm
Infected with: Generic.XPL.ADODB.3689519A

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RATU4NXP\sia[1].txt=>/index.htm
Disinfection failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RATU4NXP\sia[1].txt=>/index.htm
Deleted

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RATU4NXP\sia[1].txt
Update failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RATU4NXP\sia[1].txt=>/index.exe
Infected with: Trojan.Dropper.Delf.EV

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RATU4NXP\sia[1].txt=>/index.exe
Disinfection failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RATU4NXP\sia[1].txt=>/index.exe
Deleted

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RATU4NXP\sia[1].txt
Update failed

C:\WINDOWS\system32\winnuts.dll
Infected with: Trojan.Regger.S

C:\WINDOWS\system32\winnuts.dll
Disinfection failed

C:\WINDOWS\system32\winnuts.dll
Deleted

Here is my AVGAS Log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:37:54 AM 3/2/2007

+ Scan result:



C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP53\A0010751.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\Program Files\eg6i3bdi\eg6i3bdi.dll -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP41\A0008310.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP41\A0008312.dll -> Adware.ClientMan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msfaol.dll -> Adware.ClientMan : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe -> Adware.Comet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008381.dll -> Adware.Comet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008379.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Program Files\Media Access -> Adware.MediaAccess : Cleaned with backup (quarantined).
C:\Program Files\Media Access\Info.txt -> Adware.MediaAccess : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Start Menu\Programs\Power Scan -> Adware.PowerScan : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Start Menu\Programs\Power Scan\Power Scan.lnk -> Adware.PowerScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\70tovmto.ini -> Adware.Sahat : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Starware -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml.backup -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindIt.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindItHot.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\Highlight.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\HighlightHot.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\Reference.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\ReferenceHot.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\Weather.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\findithotxp.png -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\finditxp.png -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlighthotxp.png -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlightxp.png -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\logo.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\logoxp.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\recipes.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\recipes.png -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\recipes_over.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\recipes_over.png -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\referencehotxp.png -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\referencexp.png -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\weatherhotxp.png -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\buttons\weatherxp.png -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\contexts -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Starware\contexts\error.xml -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\contexts\related.xml -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\contexts\travel.xml -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\All Users\Application Data\Starware\images -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Starware\images\walertXP.bmp -> Adware.Starware : Error during cleaning.
C:\Documents and Settings\Default User\Application Data\Starware -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Application Data\Starware\MasterOptions.xml -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Application Data\Starware\ProductOptions.xml -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Application Data\Starware\SearchMatch -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Application Data\Starware\ToolbarOptions.xml -> Adware.Starware : Cleaned with backup (quarantined).
C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll -> Adware.Viewpoint : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\Weather.exe -> Adware.WeatherBug : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP42\A0008387.inf -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP41\A0008299.dll -> Adware.WebSearch : Cleaned with backup (quarantined).
C:\Program Files\ClockSync -> Adware.WhenU : Cleaned with backup (quarantined).
C:\Program Files\Windows TaskAd -> Adware.WinTaskAd : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@2o7[5].txt -> TrackingCookie.2o7 : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@lookalikefinder.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@ad.admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@adorigin[1].txt -> TrackingCookie.Adorigin : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@adorigin[3].txt -> TrackingCookie.Adorigin : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@ads18.bpath[1].txt -> TrackingCookie.Bpath : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@www.burstbeacon[3].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@www.burstbeacon[4].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@www.burstbeacon[5].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@www.burstbeacon[7].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@burstnet[3].txt -> TrackingCookie.Burstnet : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@burstnet[4].txt -> TrackingCookie.Burstnet : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@burstnet[6].txt -> TrackingCookie.Burstnet : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@isg01.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@com[3].txt -> TrackingCookie.Com : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@com[4].txt -> TrackingCookie.Com : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@com[5].txt -> TrackingCookie.Com : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@com[6].txt -> TrackingCookie.Com : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@sales.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@data4.perf.overture[3].txt -> TrackingCookie.Overture : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@data4.perf.overture[4].txt -> TrackingCookie.Overture : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@guide.real[1].txt -> TrackingCookie.Real : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@realguide.real[1].txt -> TrackingCookie.Real : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@www.sidefind[2].txt -> TrackingCookie.Sidefind : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@login.tracking101[3].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@a.tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@a.tribalfusion[3].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@a.tribalfusion[4].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\r.bat -> Worm.Gaobot : Cleaned with backup (quarantined).


::Report end

And Here is my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:57:15 AM, on 3/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\Program Files\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn19\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn19\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn19\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


If you need anything else just let me know.

Thanks again for helping me out with this :thumbsup:

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:08 PM

Posted 02 March 2007 - 01:23 PM

Hi Sapper 31,

Those two scans removed Starware and most of your malware. :thumbsup: Now we fix the leftover malware.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key. If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.”

O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe


The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
(Description: HP monitoring tool. Unnecessary. Remove this to free up some system resources.)

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [TkBellExe] \"C:\Program Files\Common Files\Real\Update_OB\realsched.exe\" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(Description: Microsoft Office Startup Assistant. This program loads some Microsoft Office components into memory, even if you're not currently using MS Office. Removing this unnecessary program will free up a considerable amount of system resources. )



*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\ALCXMNTR.EXE <==file

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot to the Normal Mode , post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Sapper 31

Sapper 31
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 02 March 2007 - 08:04 PM

Hi SifuMike,

I think I followed all your directions successfully. Here is the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:02:00 PM, on 3/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn19\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn19\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn19\yt.dll
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

If you need anything else just let me know.

Thanks for all your help :thumbsup:

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:08 PM

Posted 02 March 2007 - 08:13 PM

Hi Sapper 31.

Your log looks clean! :thumbsup: Good job on the cleanup!

Let's reset you files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.



Please read and follow How did I get infected?, With steps so it does not happen again!
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Sapper 31

Sapper 31
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:08 PM

Posted 05 March 2007 - 11:16 AM

Hi SifuMike,

My computer seems to be running fine now. Thanks for all your help :thumbsup:

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:08 PM

Posted 05 March 2007 - 12:38 PM

Thats good to hear, and you are very welcome for the help. :thumbsup:
I hope your computer continues to run smoothly for you
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:08 PM

Posted 19 March 2007 - 11:23 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users