Need to get rid of Google redirector and more



bobkent
2007-01-11, 07:51
Thanks for looking at this:
After a Google search (and all other search engines) when I click on a result, I am redirected to other sites.
In addition, Tea Timer keeps giving me notice (constantly) that login value is being changed.
My Hijack This file is below.
Any help that you could give me would be greatly appreciated!
Thanks!
Bob

Logfile of HijackThis v1.99.1
Scan saved at 12:56:19 AM, on 1/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
c:\Program Files\PestPatrol\ppmemcheck.exe
c:\Program Files\PestPatrol\ppcontrol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Downloads\HiJack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Administrator"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Administrator"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} -
O16 - DPF: {1CE17C82-8DE2-4EF6-ACF9-3A8B21830475} -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://www.support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137974238274
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DB6D4758-0AC3-4B84-A239-D9D4B3F61A2E} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?322
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C4DAF3F-56B7-48B6-838E-C26A331DF78F}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBC96D2C-F13A-4FD5-BB6D-748D0B02AAA3}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{F21A6B45-DD7A-484A-AB6F-A858BC77C730}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Bob\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

illukka
2007-01-11, 08:11
Please download FixWareout from one of these sites: http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

bobkent
2007-01-11, 09:39
Fixwareout
Last edited 1/1/2006
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINNT\system32\kdehe.exe will be moved to C:\WINNT\temp\kdehe.ren at reboot.
»»»»» System restarted
...
Reg Entries that were deleted
...
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»

bobkent
2007-01-11, 09:41
Logfile of HijackThis v1.99.1
Scan saved at 2:46:03 AM, on 1/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Downloads\HiJack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Administrator"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to White List - C:\Program Files\Advanced Searchbar\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\Program Files\Advanced Searchbar\delfromlist.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} -
O16 - DPF: {1CE17C82-8DE2-4EF6-ACF9-3A8B21830475} -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://www.support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137974238274
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DB6D4758-0AC3-4B84-A239-D9D4B3F61A2E} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?322
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C4DAF3F-56B7-48B6-838E-C26A331DF78F}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBC96D2C-F13A-4FD5-BB6D-748D0B02AAA3}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{F21A6B45-DD7A-484A-AB6F-A858BC77C730}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Bob\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

bobkent
2007-01-11, 09:42
Thank You!
Bob

illukka
2007-01-11, 10:15
hi

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

next:
open hijackthis, click do a system scan only
checkmark these lines if still there:
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} -
O16 - DPF: {1CE17C82-8DE2-4EF6-ACF9-3A8B21830475} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} -
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C4DAF3F-56B7-48B6-838E-C26A331DF78F}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBC96D2C-F13A-4FD5-BB6D-748D0B02AAA3}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{F21A6B45-DD7A-484A-AB6F-A858BC77C730}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23

then close all explorer and browser windows
leaving only hijackthis running

and click fix checked

reboot

First download AVG Anti-Spyware from HERE (http://www.ewido.net/en/download/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.


also post a new hijackthis log


Note:
If You have connection problems or those O17's ~ O17 - HKLM~ 85.255.116.103,85.255.112.198, return =>
Before doing this write down all the settings, Note that not all system/setups even have these settings, while some connection service's will require them.
In the windows control panel: If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems
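As an added example (not code from either poster, nor from HijackThis or Fixwareout), the following Python triages a HijackThis v1.99.1 log for the two kinds of lines illukka asks to have fixed above: O16 DPF entries with no download URL, and O17 NameServer entries pointing at resolvers outside an allow-list. The allow-list (192.0.2.x, a documentation range) and the all-zero GUID line are constructed; the other sample lines are taken from the logs in this thread.

```python
"""Triage a HijackThis log for O16 DPF entries with no URL and O17 NameServer
entries that point at unexpected resolvers. Added example for this thread,
not part of any post or of HijackThis itself."""
import ipaddress
import re

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# O16 - DPF: {GUID} (Friendly Name) - http://host/file.cab   (name and URL optional)
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$"
)

# Assumed allow-list: the resolvers this machine is supposed to use (constructed).
ALLOWED_RESOLVERS = ["192.0.2.53", "192.0.2.54"]

# Constructed sample: lines from the thread's logs plus one clean O17 line under a
# zero GUID so the allow-list has something to pass.
SAMPLE_LOG = r"""
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C4DAF3F-56B7-48B6-838E-C26A331DF78F}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53,192.0.2.54
"""


def parse_nameservers(field):
    """Split a NameServer field; HijackThis prints it comma- or space-separated.
    Tokens that are not valid IP addresses are kept as strings so they still get
    reported rather than silently dropped."""
    servers = []
    for tok in re.split(r"[,\s]+", field.strip()):
        if not tok:
            continue
        try:
            servers.append(ipaddress.ip_address(tok))
        except ValueError:
            servers.append(tok)
    return servers


def triage(log_text, allowed_resolvers):
    """Return the log lines a helper would ask to have fixed, grouped by reason.

    unexpected_nameserver: (line, [resolvers not in the allow-list])
    dpf_missing_url:       (line, CLSID) for O16 entries with no download URL
    """
    allowed = {ipaddress.ip_address(a) for a in allowed_resolvers}
    findings = {"unexpected_nameserver": [], "dpf_missing_url": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            unexpected = [str(s) for s in parse_nameservers(m.group("servers"))
                          if s not in allowed]
            if unexpected:
                findings["unexpected_nameserver"].append((line, unexpected))
            continue
        m = O16_RE.match(line)
        if m and not m.group("url"):
            findings["dpf_missing_url"].append((line, m.group("clsid")))
    return findings


def control_sets_affected(findings):
    """Control sets carrying an unexpected resolver. HijackThis abbreviates
    CurrentControlSet as CCS and ControlSet001/002 as CS1/CS2; when all of them
    carry the same resolvers, fixing only CCS leaves a copy that a 'Last Known
    Good Configuration' boot would bring back, so every set must be fixed."""
    sets = set()
    for line, _ in findings["unexpected_nameserver"]:
        key = O17_RE.match(line).group("key")
        sets.add(key.split("\\")[2])
    return sorted(sets)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, ALLOWED_RESOLVERS)
    for line, servers in result["unexpected_nameserver"]:
        print("FIX (unexpected resolvers %s): %s" % (", ".join(servers), line))
    for line, clsid in result["dpf_missing_url"]:
        print("FIX (no download URL for %s): %s" % (clsid, line))
    print("control sets affected:", control_sets_affected(result))
```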

bobkent
2007-01-12, 06:14
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:28:13 PM 1/11/2007

+ Scan result:



C:\Downloads\PearlHarborZH-dm[1].exe -> Adware.Trymedia : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20050101211953.zip/Documents and Settings/Downloads/Norton Firewall/Meta-Norton.Internet.Security.Family.Editon.2001.(All.Versions)_CRK.exe -> Backdoor.Theef.111 : Cleaned.
C:\Program Files\Newhp\Cache\00000902_43683c1b_00000166 -> Downloader.IstBar.ai : Cleaned.
C:\Program Files\Newhp\Cache\0000187e_43683c1d_000910a8 -> Downloader.IstBar.ai : Cleaned.
C:\Program Files\Newhp\Cache\00001916_43683ed7_000377a3 -> Downloader.IstBar.ai : Cleaned.
C:\Program Files\Newhp\Cache\00000fbf_43683c78_0006c934 -> Downloader.IstBar.j : Cleaned.
C:\Program Files\Newhp\Cache\000033ea_43683c4b_00004bce -> Downloader.IstBar.j : Cleaned.
C:\Program Files\Newhp\Cache\0000440d_436837a7_000b5329 -> Downloader.IstBar.j : Cleaned.
C:\Program Files\Newhp\Cache\00004db7_436837c1_000861ae -> Downloader.IstBar.j : Cleaned.
C:\Program Files\Newhp\Cache\000023c9_43683c4b_0000e848 -> Downloader.IstBar.u : Cleaned.
C:\Program Files\Newhp\Cache\0000261e_43683e9a_000be81c -> Downloader.IstBar.u : Cleaned.
C:\Program Files\Common Files\wwwk\wwwkd\vocabulary -> Downloader.TSUpdate.j : Cleaned.
C:\Program Files\Newhp\Cache\00000124_43685c6d_0000162b -> Hijacker.Small.jf : Cleaned.
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-3faba491-441d45ef.zip/NewSecurityClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned.
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-3faba491-441d45ef.zip/NewURLClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned.
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv788.jar-7547e1a6-11c85d1b.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20060226020348.zip/Documents and Settings/Michael/Application Data/Sun/Java/Deployment/cache/javapi/v1.0/jar/arc.zip-68f7ffc7-40d7984f.zip/Gummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned.
C:\Program Files\Newhp\Cache\00000677_43683f00_00014fe3 -> Not-A-Virus.Exploit.HTML.DialogArg : Cleaned.
C:\Program Files\Newhp\Cache\00003cd5_43683c39_000f0750 -> Not-A-Virus.Exploit.HTML.DialogArg : Cleaned.
C:\Program Files\Newhp\Cache\00006172_43683ed7_00085b70 -> Not-A-Virus.Exploit.HTML.DialogArg : Cleaned.
C:\Program Files\Newhp\Cache\00007bb9_43683c1b_00046fd8 -> Not-A-Virus.Exploit.HTML.DialogArg : Cleaned.
C:\Documents and Settings\Michael\Cookies\michael@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Michael\Cookies\michael@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Michael\Cookies\michael@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Michael\Cookies\michael@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Michael\Cookies\michael@viamtvcom.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Nicole\Cookies\nicole@buildabear.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Nicole\Cookies\nicole@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Nicole\Cookies\nicole@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\NPROTECT\00096828.TXT -> TrackingCookie.2o7 : Cleaned.

See next post for 2 of 2 report

bobkent
2007-01-12, 06:15
This is part 2 of 2 of Scan Report



::Report end

bobkent
2007-01-12, 06:16
Logfile of HijackThis v1.99.1
Scan saved at 11:13:57 PM, on 1/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Documents and Settings\Downloads\HiJack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://www.support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137974238274
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DB6D4758-0AC3-4B84-A239-D9D4B3F61A2E} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?322
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Bob\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

bobkent
2007-01-12, 06:18
Thank You for your help!!!

illukka
2007-01-12, 10:47
that sure did clean a lot..

next

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

bobkent
2007-01-12, 21:27
530TX+
Adaptec Easy CD Creator 4
Ad-Aware SE Personal
Adobe Acrobat 4.0, 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
Adobe® Photoshop® Album Starter Edition 3.0
AIM Toolbar
AOL Instant Messenger
AVG Anti-Spyware 7.5
Backyard Football 2002
Camfrog Video Chat 3.71 (remove only)
CardRd81
ccCommon
CCHelp
CCScore
CR2
DeductionPro 2005-06
D-Link PCI Fast Ethernet Adapter
dvdSanta 4.00
EasyRecovery Professional
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTUTOR
ESSvpaht
ESSvpot
GdiplusUpgrade
GE 98067 MiniCam Pro
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HLPCCTR
HLPIndex
HLPPDOCK
HLPRFO
Hotfix for MDAC 2.53 (KB911562)
HP Memories Disc
HP Photosmart Essential
HP Software Update
HP Software Update
ImageMate CompactFlash USB (SDDR-31) Ver. 5.05
InCD
Inspiration 6
Internet Explorer Q903235
Internet Worm Protection
J2SE Runtime Environment 5.0 Update 5
Java 2 Runtime Environment, SE v1.4.2_04
Java 2 Runtime Environment, SE v1.4.2_05
Java Media Framework 2.1.1e
KCsaver1_PC Screen Saver
KCsaver2_PC Screen Saver
Kodak EasyShare software
KSU
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Shockwave Player
Microsoft Internet Explorer 6 SP1
Microsoft Money 2005
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft XML Parser and SDK
MRU-Blaster v1.5 (Database 7/19/2003)
MSN Gaming Zone
MSN Messenger 7.0
MSXML 4.0 SP2 (KB927978)
Napster
Napster Burn Engine
Nero PhotoShow Express
Nero Suite
NeroMIX
NeroVision Express Content
Network Play System (Patching)
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
Norton WMI Update
Notifier
NTI Backup NOW!
NTI CD-Maker 2000 Professional
OTtBP
OTtBPSDK
PCDLNCH
PhotoParade Player
Photosmart 140,240,7200,7600,7700,7900 Series
Presto! PageManager
Presto! PageType
QuickTime
RealPlayer Plus
RoadRash
RollerCoaster Tycoon
Saitek Gaming Extensions
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
SFR
SFR2
SimCoaster
SMC Barricade Print Server Monitor
SPBBC
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
Symantec
Symantec Script Blocking Installer
SymNet
TaxCut 2003
TaxCut 2004
TaxCut Deluxe 2005
The Playa
The Sims Unleashed
TroopLedger Millennium Demo
TroopMaster 2005
Update Rollup 1 for Windows 2000 SP4
VCAMCEN
Viewpoint Media Player
VistaShuttle
VPRINTOL
Wal-Mart Music Downloads Store
WeatherBug
Wild Photo Effects
Window Washer 5
Windows 2000 Hotfix - KB329115
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB891781
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB904368
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912812
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918439
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB922760
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player system update (9 Series)
WinZip
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Zoom Ethernet ADSL Modem

bobkent
2007-01-13, 18:41
I noticed that I have many ESS* files.
I do not know what they are, so I will not delete them until I hear from you.

Thanks again!

illukka
2007-01-16, 23:03
hi

sorry for the late reply, I seem to have lost the email notification of your reply

this item makes me wonder:
C:\Program Files\Newhp
do you know anything about such a program?

it reminds me of something; to make sure it's not what I suspect it to be:

Download and Save Blacklight (http://www.f-secure.com/blacklight/try_blacklight.html/) to your desktop:

Double-click blbeta.exe then accept the agreement, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there.

bobkent
2007-01-17, 00:28
Hi,

At first, the BlackLight program would not work because the debug privilege was not granted to the Administrators group.
I set the local policy to grant this privilege and the program ran.

You were right!
Black Light found 4154 hidden items, many of them located in the hidden folder Newhp.

Here is the log:

However, the log is much too long!
The text that you have entered is too long (827178 characters). Please shorten it to 20000 characters long.
It would take about 40 posts to list it all.
Here is the first chunk of it and the last part of it; the middle looks similar.

01/16/07 16:52:34 [Info]: BlackLight Engine 1.0.55 initialized
01/16/07 16:52:34 [Info]: OS: 5.0 build 2195 (Service Pack 4)
01/16/07 16:52:34 [Note]: 7019 4
01/16/07 16:52:34 [Note]: 7005 0
01/16/07 16:52:39 [Note]: 7006 0
01/16/07 16:52:39 [Note]: 7011 964
01/16/07 16:52:39 [Note]: 7026 0
01/16/07 16:52:39 [Note]: 7026 0
01/16/07 16:52:55 [Note]: FSRAW library version 1.7.1021
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\ace.dll
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\AI_13-11-2005.log
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\AI_14-11-2005.log
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\AI_15-11-2005.log
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\AI_16-11-2005.log
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\AI_17-11-2005.log
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\AI_19-11-2005.log
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\0000001c_43781360_000385a6
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\0000001c_43781cde_000347b8
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00000029_43683769_00007d0c
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00000029_436852a4_000a3c19
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00000029_436de9b8_0009b31c
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00000029_43738af0_000b4fd9
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00000029_437aba3c_00045a09
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00000029_437d34c0_000a0b68
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00000035_4373826b_000e1f26
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00000035_4377e816_0009f470
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00000035_4377f7d0_0006f1cb
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3


Here is the last part of the log:


01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00007f4f_436dd256_00088428
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\000019d9_437d35ca_00066a4b
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\000072a6_437ec020_000bf8c9
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00005af1_437aba54_0003cf34
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00007ac2_437ac359_000753a3
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00007b44_4377f7f9_0009115e
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00005a70_437ecd8f_000728b3
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\000078fe_437acf3e_000ad17b
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\0000323b_4377f4da_0000ae1e
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\000037e6_436c3aa9_000d1b24
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\000037e6_4377e829_00004979
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00005753_437d356a_000623b8
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\0000323b_4377e6cb_0005e40e
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\00005af1_43683773_000af241
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\0000323b_43683969_000a35dc
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:50 [Info]: Hidden file: c:\Program Files\Newhp\Cache\0000323b_436c397a_000b0854
01/16/07 16:54:50 [Note]: 7002 0
01/16/07 16:54:50 [Note]: 7003 1
01/16/07 16:54:50 [Note]: 10002 3
01/16/07 16:54:51 [Info]: Hidden file: c:\Program Files\Newhp\data.bin
01/16/07 16:54:51 [Note]: 7002 0
01/16/07 16:54:51 [Note]: 7003 1
01/16/07 16:54:51 [Note]: 10002 3
01/16/07 16:54:51 [Info]: Hidden file: c:\Program Files\Newhp\mssexl32.exe
01/16/07 16:54:51 [Note]: 7002 0
01/16/07 16:54:51 [Note]: 7003 1
01/16/07 16:54:51 [Note]: 10002 3
01/16/07 16:54:51 [Info]: Hidden file: c:\Program Files\Newhp\robskeys.exe
01/16/07 16:54:51 [Note]: 7002 0
01/16/07 16:54:51 [Note]: 7003 1
01/16/07 16:54:51 [Note]: 10002 3
01/16/07 16:54:51 [Info]: Hidden file: c:\Program Files\Newhp\WinGenerics.dll
01/16/07 16:54:51 [Note]: 7002 0
01/16/07 16:54:51 [Note]: 7003 1
01/16/07 16:54:51 [Note]: 10002 3
01/16/07 17:00:55 [Info]: Hidden file: c:\WINNT\system32\iepkbdfi.exe
01/16/07 17:00:55 [Note]: 7002 0
01/16/07 17:00:55 [Note]: 7003 1
01/16/07 17:00:55 [Note]: 10002 1
01/16/07 17:01:33 [Info]: Hidden file: c:\WINNT\system32\drivers\sysdasup.sys
01/16/07 17:01:33 [Note]: 7002 0
01/16/07 17:01:33 [Note]: 7003 1
01/16/07 17:01:33 [Note]: 10002 1
01/16/07 17:02:28 [Note]: 2000 1012
01/16/07 17:02:28 [Note]: 2000 1012
01/16/07 17:02:28 [Note]: 2000 1012
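
The full fsbl log was far too long to post, and only a handful of its 4154 hidden entries (the executables, the DLL and the driver) tell the helper anything. As an added example, not part of BlackLight or of this thread, the Python below parses the log format shown above and produces a short digest: a count per directory plus every hidden executable, library or driver listed by name. The sample log is a constructed excerpt of the lines posted here; the numeric [Note] codes are counted as noise and not interpreted.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# One BlackLight line: "MM/DD/YY HH:MM:SS [Info|Note]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>Info|Note)\]: (?P<msg>.*)$"
)
# The [Info] lines that matter: "Hidden file: <path>" (the same pattern
# also covers the hidden-process lines BlackLight can emit).
HIDDEN_RE = re.compile(r"^Hidden (?P<kind>file|process|application): (?P<path>.+)$")

# Constructed sample in the fsbl.*.log format: a few lines taken from the
# log posted in this thread, not the full 4154-item report.
SAMPLE_LOG = r"""01/16/07 16:52:34 [Info]: BlackLight Engine 1.0.55 initialized
01/16/07 16:52:34 [Info]: OS: 5.0 build 2195 (Service Pack 4)
01/16/07 16:52:34 [Note]: 7019 4
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\ace.dll
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:53:01 [Info]: Hidden file: c:\Program Files\Newhp\Cache\0000001c_43781360_000385a6
01/16/07 16:53:01 [Note]: 7002 0
01/16/07 16:53:01 [Note]: 7003 1
01/16/07 16:53:01 [Note]: 10002 3
01/16/07 16:54:51 [Info]: Hidden file: c:\Program Files\Newhp\mssexl32.exe
01/16/07 16:54:51 [Note]: 7002 0
01/16/07 16:54:51 [Note]: 7003 1
01/16/07 16:54:51 [Note]: 10002 3
01/16/07 17:01:33 [Info]: Hidden file: c:\WINNT\system32\drivers\sysdasup.sys
01/16/07 17:01:33 [Note]: 7002 0
01/16/07 17:01:33 [Note]: 7003 1
01/16/07 17:01:33 [Note]: 10002 1
01/16/07 17:02:28 [Note]: 2000 1012
"""


def parse_hidden(text):
    """Yield (timestamp, kind, path) for every hidden object in the log."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("level") != "Info":
            continue  # [Note] lines carry numeric codes only; skip them
        h = HIDDEN_RE.match(m.group("msg"))
        if h:
            yield m.group("ts"), h.group("kind"), h.group("path")


def summarize(text, code_exts=(".exe", ".dll", ".sys")):
    """Digest of a log: total hidden objects, count per parent directory,
    and the hidden executables/libraries/drivers listed individually
    (those are the lines a helper needs to see; cache blobs are noise)."""
    per_dir = Counter()
    notable = []
    total = 0
    for ts, kind, path in parse_hidden(text):
        total += 1
        p = PureWindowsPath(path)
        per_dir[str(p.parent).lower()] += 1
        if p.suffix.lower() in code_exts:
            notable.append((ts, kind, path))
    return {"total": total, "per_dir": per_dir, "notable": notable}


def render(digest):
    """Plain-text digest short enough to paste into a forum post."""
    lines = [f"hidden objects: {digest['total']}"]
    for d, n in digest["per_dir"].most_common():
        lines.append(f"  {n:6d}  {d}")
    lines.append("notable (executable code):")
    for ts, kind, path in digest["notable"]:
        lines.append(f"  {ts}  {kind}  {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    # For a real run, read the fsbl.*.log from the desktop instead.
    print(render(summarize(SAMPLE_LOG)))
```
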

illukka
2007-01-17, 07:40
yep.
that's a rootkit, it's called apropos.

luckily a great spyware expert, Swandog46, has made a removal tool for it =>

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do not run it yet.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, and post a new HijackThis log.
Also post the entire contents of the log.txt file in the aproposfix folder.

illukka
2007-01-17, 07:41
by the way thanks for sticking with me :)

bobkent
2007-01-18, 03:37
You have been a big help!!
I am also learning about these files too.
Please keep up the good work you do for everyone!
:)


Here is the Apropos Fix Log File:

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Administrator\Desktop\aproposfix

************



Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CzPeFAv7bkFD]
@="502526zDEEDEEFEqK0Mk.e1DEEDTGEnZeekE5B56v:KJEu4z8v45E5B5ur572F5B5"
"Device"="\\\\.\\Z3n5TlNo"
"DriverPath"="C:\\WINNT\\system32\\drivers\\sysdasup.sys"
"DriverName"="snpspti"
"HideUninstallerName"="C:\\Program Files\\Newhp\\mssexl32.exe"
"UninstallerPath"="C:\\WINNT\\system32\\hpzb2res.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{53E4A5B6-81BE-4888-883C-EFD60A7238CE}"
"UninstallerParams"="/CTUN"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{Xc0c0da0-8200-7dfe-bc3b-41bc01e4ccb1}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Newhp\\robskeys.exe"
"AutoUpdater"="C:\\WINNT\\system32\\iepkbdfi.exe"

************

Removing hidden service:
Service snpspti removed.

Removing hidden folder:
Deletion of folder Newhp succeeded!

Deleting files:

Deletion of file C:\WINNT\system32\drivers\sysdasup.sys succeeded!
Deletion of file C:\WINNT\system32\iepkbdfi.exe succeeded!
Deletion of file C:\WINNT\system32\hpzb2res.exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CzPeFAv7bkFD]
[-HKEY_LOCAL_MACHINE\Software\CzPeFAv7bkFD]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53E4A5B6-81BE-4888-883C-EFD60A7238CE}]

Done!

Finished!


Here is the updated HiJack This log file:

Logfile of HijackThis v1.99.1
Scan saved at 8:38:23 PM, on 1/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Documents and Settings\Downloads\HiJack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} -
O16 - DPF: {1CE17C82-8DE2-4EF6-ACF9-3A8B21830475} -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://www.support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137974238274
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DB6D4758-0AC3-4B84-A239-D9D4B3F61A2E} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?322
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Bob\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

bobkent
2007-01-18, 03:54
I ran the BlackLight program again to see the change in the log file.
No hidden files were detected.

Thanks again for your help.

The log file is below:

01/17/07 20:44:21 [Info]: BlackLight Engine 1.0.55 initialized
01/17/07 20:44:21 [Info]: OS: 5.0 build 2195 (Service Pack 4)
01/17/07 20:44:22 [Note]: 7019 4
01/17/07 20:44:22 [Note]: 7005 0
01/17/07 20:44:26 [Note]: 7006 0
01/17/07 20:44:26 [Note]: 7011 1576
01/17/07 20:44:26 [Note]: 7026 0
01/17/07 20:44:27 [Note]: 7026 0
01/17/07 20:44:37 [Note]: FSRAW library version 1.7.1021
01/17/07 20:51:26 [Note]: 2000 1012
01/17/07 20:51:26 [Note]: 2000 1012
01/17/07 20:51:26 [Note]: 2000 1012
01/17/07 20:52:46 [Note]: 7007 0

bobkent
2007-01-18, 05:06
While I was at it, I ran the AVG spyware again.
Log was clean, except for a few cookies that I didn't delete before I ran it.
Thanks!

Here is the log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:07:39 PM 1/17/2007

+ Scan result:



C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\Michael\Cookies\michael@adrevolver[3].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Michael\Cookies\michael@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Matthew\Cookies\matthew@media.fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Matthew\Cookies\matthew@searchportal.information[1].txt -> TrackingCookie.Information : No action taken.
C:\Documents and Settings\Michael\Cookies\michael@image.masterstats[1].txt -> TrackingCookie.Masterstats : No action taken.
C:\Documents and Settings\Michael\Cookies\michael@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.


::Report end

illukka
2007-01-18, 08:11
hi

that looks like a clean one

however there are some leftovers in the registry

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

also you need to unload pest patrol before fixing anything with hijackthis

open hijackthis
click do a system scan only
checkmark/fix these with all browsers and explorer windows closed:
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} -
O16 - DPF: {1CE17C82-8DE2-4EF6-ACF9-3A8B21830475} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} -
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

reboot

post a final hjt log to see if it was successful
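
The six entries picked out above are exactly the O16 (Downloaded Program Files) lines whose download source is blank, and the follow-up log is there to confirm they are gone. As an added example, not part of HijackThis or of this thread, the Python below selects such entries from a HijackThis log and compares a before and after log to report which selected CLSIDs were removed, which remain, and whether anything new appeared. The two log excerpts are constructed from entries posted in this thread, trimmed to a few lines each.

```python
import re

# "O16 - DPF: {CLSID} (optional name) - <download URL, possibly empty>"
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$"
)
# Every HijackThis finding starts with an "O<n> - " section tag.
ENTRY_RE = re.compile(r"^O\d+ - ")

# Constructed excerpts in HijackThis v1.99.1 format using entries from
# the thread: BEFORE has six O16 lines with no source, AFTER is the
# state once those were fixed (and SDHelper gone after TeaTimer was off).
BEFORE = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} -
O16 - DPF: {1CE17C82-8DE2-4EF6-ACF9-3A8B21830475} -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} -
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
"""
AFTER = r"""O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
"""


def entries(log):
    """The set of O-numbered finding lines (O2, O4, O16, ...) in a log."""
    return {ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())}


def orphan_o16(log):
    """CLSIDs of O16 entries with no recorded download URL.  With the
    source blank there is nothing in the log that says where the control
    came from, which is why the helper lists exactly these for fixing."""
    out = []
    for ln in sorted(entries(log)):
        m = O16_RE.match(ln)
        if m and not m.group("url"):
            out.append(m.group("clsid"))
    return out


def fix_report(before, after, selected):
    """Did the fix take?  Returns (gone, still_present, new_entries):
    which selected CLSIDs no longer appear in the after-log, which are
    still there, and any finding line that is new since the before-log."""
    a_entries = entries(after)
    gone = [c for c in selected if not any(c in ln for ln in a_entries)]
    still = [c for c in selected if c not in gone]
    new = sorted(a_entries - entries(before))
    return gone, still, new


if __name__ == "__main__":
    picked = orphan_o16(BEFORE)
    print("fix these:", *picked, sep="\n  ")
    gone, still, new = fix_report(BEFORE, AFTER, picked)
    print(f"gone: {len(gone)}  still present: {len(still)}  new entries: {len(new)}")
```
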

bobkent
2007-01-18, 23:09
I think this might be the final log

It looks like everything is cleaned up
But, I may be wrong :red:

Thanks for taking the time to help me

Logfile of HijackThis v1.99.1
Scan saved at 4:12:25 PM, on 1/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Documents and Settings\Downloads\HiJack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://www.support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137974238274
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DB6D4758-0AC3-4B84-A239-D9D4B3F61A2E} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?322
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Bob\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

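As an added illustration (not part of this thread and not a HijackThis feature), the script below parses O16 (Downloaded Program Files / ActiveX) and O23 (service) lines from a log like the one above and lists the lines a helper would look up first. For O23 it keys on the three signals that all coincide on the `hpdj00` line: no publisher in the binary's version information ("Unknown owner"), a path under a Temp directory, and the "(file missing)" marker. For O16 it flags controls with no friendly name, since those need a CLSID lookup before the CAB host can be judged. The sample lines are copied from the log above; the "reasons" a line collects are prompts for a lookup, not a verdict (the helper here cleared this log).

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Sample lines, copied from the HijackThis log posted above. O16 entries are
# Downloaded Program Files (ActiveX controls); O23 entries are Windows services.
SAMPLE_LOG = r"""
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137974238274
O16 - DPF: {DB6D4758-0AC3-4B84-A239-D9D4B3F61A2E} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Bob\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""


@dataclass
class Finding:
    line: str
    kind: str                      # "O16" or "O23"
    name: str                      # service name, or friendly name / CLSID for O16
    reasons: list = field(default_factory=list)


# A service binary living under ...\Temp\ or ...\Tmp\ is unusual for anything
# legitimately installed; HijackThis prints 8.3 short names, so match loosely.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# O16 - DPF: {CLSID} (Friendly Name) - http://host/path.cab   (friendly name optional)
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*)\))? - (\S+)$")


def parse_o23(line):
    """Split 'O23 - Service: name - owner - path [(file missing)]' into its fields.

    Assumes the service name itself contains no ' - ' (true for the log above).
    """
    body = line[len("O23 - Service: "):]
    missing = body.endswith(" (file missing)")
    if missing:
        body = body[: -len(" (file missing)")]
    name, owner, path = body.split(" - ", 2)
    return name, owner, path, missing


def check_o23(line):
    name, owner, path, missing = parse_o23(line)
    f = Finding(line, "O23", name)
    if owner == "Unknown owner":
        f.reasons.append("no publisher in the binary's version info")
    if missing:
        f.reasons.append("service is registered but its binary is not on disk")
    if TEMP_DIR.search(path):
        f.reasons.append("binary path is under a Temp directory")
    return f


def check_o16(line):
    m = O16_RE.match(line)
    if not m:
        return Finding(line, "O16", "?", ["line did not parse"])
    clsid, friendly, url = m.groups()
    host = urlparse(url).hostname or "?"
    f = Finding(line, "O16", friendly or clsid)
    if not friendly:
        f.reasons.append(f"no friendly name; look up the CLSID before trusting {host}")
    return f


def triage(log_text):
    """Return one Finding per O16/O23 line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O23 - Service: "):
            findings.append(check_o23(line))
        elif line.startswith("O16 - DPF: "):
            findings.append(check_o16(line))
    return findings


def suspicious(log_text):
    """Only the findings that collected at least one reason."""
    return [f for f in triage(log_text) if f.reasons]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"{f.kind} {f.name}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, only the `hpdj00` service (three reasons) and the unnamed walmart.com control come back; everything with a publisher and a path under Program Files or System32 is passed through silently, which matches how the helper read the full log.
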
illukka
2007-01-18, 23:21
great, it does look like a clean log :)

good work there ;


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore (http://www.bleepingcomputer.com/forums/tutorial63.html)

or

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable System Restore with the instructions from the tutorial above.


Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers (http://www.bleepingcomputer.com/forums/tutorial43.html)


Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/tutorial48.html)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad (https://netfiles.uiuc.edu/ehowes/www/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Also remember to keep your Java updated; see this topic for instructions:

http://forums.spybot.info/showpost.php?p=12880&postcount=2

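The six Internet-zone changes listed in the post above are stored as DWORD values under the Internet zone key (Zones\3) in HKEY_CURRENT_USER, where 0 means Enable, 1 means Prompt and 3 means Disable. The Python below is an added example, not something from this thread or from Spybot: it reads a .reg export of that key (regedit, File > Export, or a pasted copy), reports each of the six settings as ok, weak or unset against the values the post recommends, and emits a .reg fragment that raises only the weak or unset ones. The value-name to setting mapping (1001, 1004, 1201, 1800, 1804, 1607) is Microsoft's documented layout of the Zones key; the sample export is constructed with deliberately weak values and makes no claim about IE's defaults.

```python
import re

# Registry location of the Internet zone and the meaning of its DWORD values.
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Value name -> (setting as shown in the Custom Level dialog, level the post recommends).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed sample export: three of the six settings are weaker than recommended.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000000
"""

DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_values(reg_text, key):
    """Return {value_name: int} for the DWORD values under `key` in a .reg export."""
    values = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()   # key names are case-insensitive
            continue
        if not in_key:
            continue
        m = DWORD_LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_zone(values):
    """Compare each recommended setting with what the export holds.

    Strictness orders as Enable(0) < Prompt(1) < Disable(3), so a value at or
    above the recommended level is 'ok'. A value that is absent from the key
    falls back to the zone template, which this offline check cannot see, so it
    is reported as 'unset' rather than assumed safe.
    """
    report = []
    for code, (label, want) in RECOMMENDED.items():
        have = values.get(code)
        if have is None:
            status = "unset"
        elif have >= want:
            status = "ok"
        else:
            status = "weak"
        report.append((code, label, ACTION.get(have, have), ACTION[want], status))
    return report


def reg_fix(values):
    """Emit a .reg fragment that sets only the weak/unset settings to the recommended level."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for code, label, have, want, status in audit_zone(values):
        if status != "ok":
            lines.append(f'"{code}"=dword:{RECOMMENDED[code][1]:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = parse_reg_values(SAMPLE_REG, ZONE3_KEY)
    for code, label, have, want, status in audit_zone(current):
        print(f"{status:5} {code} {label}: is {have}, recommended {want}")
    print(reg_fix(current))
```

The emitted fragment only touches the six documented value names and leaves everything else in the zone alone, so it can be reviewed line by line before being merged; re-exporting the key afterwards and running the audit again should report every setting as ok.
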
bobkent
2007-01-19, 02:57
I am doing, or will do the items that you listed in your post.

Again,
Thanks for all of your help!
Keep up the good work

Bob

illukka
2007-01-19, 08:04
as the problem here seems to be resolved this topic is now closed
to get it reopened PM a staff member with the address of this thread.
this applies to the topic starter only, everyone else with similar problems start a new topic.

glad we could help :)