PDA

View Full Version : Spyware won't go away easily



Gregxpe
2008-08-02, 19:19
I have a friends computer that hasn't been used in years. Trying to bring it back to a useable state. Get error messages on startup of system. I uninstalled programs that I thought were not good like Weatherbug, Comet Cursor, Commonname, etc. Spybot helped get rid of alot of items. A few still remain. below is the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:47 PM, on 8/2/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\bbxpovzq.exe
C:\Program Files\syslaunch.exe
C:\documents and settings\owner\local settings\temp\F7poOdn.exe
C:\Program Files\Save\Save.exe
C:\WINDOWS\System32\AIM1.EXE
C:\PROGRA~1\uxswprux\c0hCGwBN.exe
C:\PROGRA~1\uxswprux\NBwGCh0c.exe
C:\WINDOWS\System32\wmdmlog.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: IAdvertisementBHO Class - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CEBE8F2D-EE5F-ED4B-EF3D-378F7C0E6EFA} - C:\WINDOWS\system32\agqtlhdz.dll
O2 - BHO: (no name) - {F574BF0D-F90E-EAA9-8761-EFC4AA5FF16E} - C:\WINDOWS\system32\sombzlmu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jbeschly] C:\WINDOWS\bbxpovzq.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [CIPVF] C:\WINDOWS\CIPVF.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\xcafcqwz.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [F7poOdn] C:\documents and settings\owner\local settings\temp\F7poOdn.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Zgm8.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [RealPlayerv2] AIM1.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [wmdmlog] C:\WINDOWS\System32\wmdmlog.exe
O4 - HKCU\..\RunOnce: [RealPlayerv2] AIM1.EXE
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8271 bytes

Greg

Shaba
2008-08-04, 13:38
Hi Gregxpe

Please download this tool (http://go.microsoft.com/fwlink/?linkid=52012) from Microsoft.
Double click on MGADiag.exe to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in. Save this file and post it in your next reply.

Gregxpe
2008-08-04, 14:45
I don't think this machine has been updated in a while. Notepad also did not work.

Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-BRVBB-38MQ9-3PMFT
Windows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=
Windows Product ID: 55277-OEM-2111907-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.0.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {3689E9EE-37EC-4C64-9DF6-921EA4EA1C6B}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_16E0B333-156-80004005_E2AD56EA-338-8009_E2AD56EA-339-2ee7_16E0B333-89-80004005_78155E4D-373-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Allowed
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Allowed
Allow scripting of Internet Explorer Webbrowser control:
Active scripting:
Script ActiveX controls marked as safe for scripting:

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{3689E9EE-37EC-4C64-9DF6-921EA4EA1C6B}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.0.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>55277-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-2826457082-3403473811-3433162778</SID><SYSTEM><Manufacturer>HP Pavilion 04</Manufacturer><Model>P8564A-ABA 752N</Model></SYSTEM><BIOS><Manufacturer>Award Software, Inc.</Manufacturer><Version>3.02</Version><SMBIOSVersion major="2" minor="3"/><Date>20020508******.******+***</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>B5B5354F01842052</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard</name><model>Pavilion</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Shaba
2008-08-04, 15:26
We can definitely help you, but first you need to help us. You are quite behind on your Windows Updates and Patches!!

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here to get WinXP SP1a: http://www.microsoft.com/downloads/details...&DisplayLang=en (http://www.microsoft.com/downloads/details.aspx?FamilyID=0136e5f8-1684-4202-b2d0-c6a43430f12a&DisplayLang=en)

Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2)
Click here for Windows Update: http://www.windowsupdate.com/ (http://www.windowsupdate.com/)

After installing all the Patches and updates, reboot, then post a fresh Hijack This log.

Gregxpe
2008-08-05, 01:37
Completed the updates. New log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:54 PM, on 8/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\bbxpovzq.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\syslaunch.exe
C:\WINDOWS\wanmpsvc.exe
C:\documents and settings\owner\local settings\temp\F7poOdn.exe
C:\Program Files\Save\Save.exe
C:\WINDOWS\System32\AIM1.EXE
C:\PROGRA~1\uxswprux\c0hCGwBN.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\PROGRA~1\uxswprux\NBwGCh0c.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\Rerc4k1S.exe
C:\WINDOWS\System32\Rerc4k1S.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: IAdvertisementBHO Class - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CEBE8F2D-EE5F-ED4B-EF3D-378F7C0E6EFA} - C:\WINDOWS\system32\agqtlhdz.dll
O2 - BHO: (no name) - {F574BF0D-F90E-EAA9-8761-EFC4AA5FF16E} - C:\WINDOWS\system32\sombzlmu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jbeschly] C:\WINDOWS\bbxpovzq.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [CIPVF] C:\WINDOWS\CIPVF.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\xcafcqwz.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [F7poOdn] C:\documents and settings\owner\local settings\temp\F7poOdn.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\ZlwJQ.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [RealPlayerv2] AIM1.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [f~a] C:\WINDOWS\System32\f~a\ra32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [wmdmlog] C:\WINDOWS\System32\wmdmlog.exe
O4 - HKCU\..\RunOnce: [RealPlayerv2] AIM1.EXE
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217888633296
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8597 bytes

Shaba
2008-08-05, 15:44
Is Norton Antivirus uninstalled?

If so, please install one of the antiviruses from below, do a scan with it and post back a fresh HijackThis log.

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Gregxpe
2008-08-06, 07:05
I don't think my friends ever activated the NAV 2002 when purchased and could be why got infected. I waited for you to ask about installing a AV cause didn't want to do things without waiting for help. I tried the free AV you mentioned and AVG indicated my windows was not updated enough to install. I put an updated Symantec version on and quarantined about 78 items. Below is a new HJ log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:41 PM, on 8/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {F574BF0D-F90E-EAA9-8761-EFC4AA5FF16E} - C:\WINDOWS\system32\sombzlmu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jbeschly] C:\WINDOWS\bbxpovzq.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [CIPVF] C:\WINDOWS\CIPVF.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\xcafcqwz.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [RealPlayerv2] AIM1.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA] c:\WINDOWS\System32\<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA] c:\WINDOWS\System32\<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217888633296
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11051 bytes

Shaba
2008-08-06, 16:43
Please download Malwarebytes' Anti-Malware (http://www.malwaresupport.com/mbam/program/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

Gregxpe
2008-08-07, 05:04
Results: I got a message saying it could not find notepad.exe so I used wordpad. Is Malwarebytes similiar to Spybot?


Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 1

9:53:38 PM 8/6/2008
mbam-log-8-6-2008 (21-53-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 100305
Time elapsed: 33 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mp.mediapops (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mp.mediapops.1 (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4438a5dc-e00b-41a0-b0e6-b63fd3b86eee} (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4767c447-ef15-42f2-8809-68adb7fa76f1} (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{90c61707-c8f8-43db-a25c-c1f4b18ee41e} (Spyware.Comet.Cursor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{edc4193f-34ad-4d07-aa87-e3fdb89e3e76} (Spyware.Comet.Cursor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaLoads (Adware.Medload) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Shaba
2008-08-07, 15:38
Yes, it is also antimalware program.

Please post a fresh HijackThis log too :)

Gregxpe
2008-08-08, 02:49
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:20 PM, on 8/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {F574BF0D-F90E-EAA9-8761-EFC4AA5FF16E} - C:\WINDOWS\system32\sombzlmu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jbeschly] C:\WINDOWS\bbxpovzq.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [CIPVF] C:\WINDOWS\CIPVF.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\xcafcqwz.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [RealPlayerv2] AIM1.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA] c:\WINDOWS\System32\<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA] c:\WINDOWS\System32\<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217888633296
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11074 bytes

Shaba
2008-08-08, 11:06
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

Gregxpe
2008-08-08, 14:19
Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-08 06:56:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-08 10:56:24 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:47 AM, on 8/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AOL Companion\companion.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {F574BF0D-F90E-EAA9-8761-EFC4AA5FF16E} - C:\WINDOWS\system32\sombzlmu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jbeschly] C:\WINDOWS\bbxpovzq.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [CIPVF] C:\WINDOWS\CIPVF.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\xcafcqwz.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [RealPlayerv2] AIM1.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA] c:\WINDOWS\System32\<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA] c:\WINDOWS\System32\<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217888633296
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11051 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 sscdbhk5 - c:\windows\system32\drivers\sscdbhk5.sys <Not Verified; VERITAS Software, Inc.; >
R1 ssrtln - c:\windows\system32\drivers\ssrtln.sys <Not Verified; VERITAS Software, Inc.; >
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 drvnddm - c:\windows\system32\drivers\drvnddm.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnboio - c:\windows\system32\dla\tfsnboio.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsncofs - c:\windows\system32\dla\tfsncofs.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsndrct - c:\windows\system32\dla\tfsndrct.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsndres - c:\windows\system32\dla\tfsndres.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnifs - c:\windows\system32\dla\tfsnifs.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnopio - c:\windows\system32\dla\tfsnopio.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnpool - c:\windows\system32\dla\tfsnpool.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnudf - c:\windows\system32\dla\tfsnudf.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnudfa - c:\windows\system32\dla\tfsnudfa.sys <Not Verified; VERITAS Software, Inc.; >
R3 Freedom (FREEDOM Miniport) - c:\windows\system32\drivers\freedom.sys <Not Verified; Zero-Knowledge Systems Inc.; Freedom>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-08 and 2008-08-08 -----------------------------

2008-08-06 21:09:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-06 21:09:09 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 21:09:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 19:18:45 0 d-------- C:\Program Files\Symantec
2008-08-04 18:28:10 0 d-------- C:\WINDOWS\System32\PreInstall
2008-08-04 18:28:09 0 d--h----- C:\WINDOWS\$hf_mig$
2008-08-04 18:27:17 0 d-------- C:\WINDOWS\System32\bits
2008-08-04 18:23:59 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-08-04 18:21:35 0 d-------- C:\WINDOWS\Prefetch
2008-08-04 18:15:58 0 d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 18:15:58 0 d-------- C:\WINDOWS\ehome
2008-08-04 07:36:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-04 07:36:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-08-02 12:03:31 0 d-------- C:\Program Files\Trend Micro
2008-08-02 00:18:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


-- Find3M Report ---------------------------------------------------------------

2008-08-05 19:22:01 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-04 18:24:21 0 d--h----- C:\Program Files\WindowsUpdate
2008-08-04 18:15:58 0 d-------- C:\Program Files\Messenger
2008-08-04 18:15:51 0 d-------- C:\Program Files\Movie Maker
2008-08-03 14:37:43 0 d-------- C:\Program Files\Common Files
2008-08-02 00:59:23 0 d-------- C:\Program Files\Sqwire
2008-08-02 00:58:32 0 d-------- C:\Program Files\DownloadWare
2008-08-02 00:57:20 0 d-------- C:\Program Files\Free Offers from Freeze.com
2008-08-02 00:15:07 14830 --ah----- C:\WINDOWS\System32\fiz0
2008-08-01 23:48:06 49 --a------ C:\WINDOWS\mads.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F574BF0D-F90E-EAA9-8761-EFC4AA5FF16E}]
08/18/2001 08:00 AM 106496 --a------ C:\WINDOWS\system32\sombzlmu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 07:04 PM]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [12/13/2001 02:05 AM]
"KBD"="C:\HP\KBD\KBD.EXE" [07/06/2001 11:56 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [12/19/2001 02:39 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [03/14/2002 01:25 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [03/12/2002 06:28 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [03/12/2002 06:20 AM]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [03/09/2002 07:53 PM C:\WINDOWS\system32\nwiz.exe]
"S3apphk"="S3apphk.exe" [03/16/2002 01:51 AM C:\WINDOWS\system32\S3apphk.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" []
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [03/28/2002 04:50 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [09/02/2002 06:01 PM]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [01/26/2002 04:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/29/2003 06:32 PM]
"jbeschly"="C:\WINDOWS\bbxpovzq.exe" []
"WinFavorites"="c:\program files\winfavorites\WinFavorites.exe1" []
"CIPVF"="C:\WINDOWS\CIPVF.exe" []
"iehelper"="C:\Program Files\syslaunch.exe" []
"@"="c:\WINDOWS\System32\" [08/06/2008 09:59 PM]
"nvid"="C:\WINDOWS\System32\xcafcqwz.exe" []
"PromulGate"="C:\Program Files\DelFin\PromulGate\PgMonitr.exe" []
"Rundll16"="C:\WINDOWS\rundll16.exe" []
"RealPlayerv2"="AIM1.EXE" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/01/2008 01:25 AM]
"<h"="c:\WINDOWS\System32\<head>" []
"<title>beneditutti.com</title><meta name=keywords content=beneditutti.com><meta name=description content=beneditutti.com><meta name=robots content=INDEX"="" []
"</h"="c:\WINDOWS\System32\</html>" []
"<frame src=http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA"="c:\WINDOWS\System32\<frame src=http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM>" []
"</frame"="c:\WINDOWS\System32\</frameset>" []
"<nofra"="c:\WINDOWS\System32\<noframes>" []
"<a href=http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM>Click here to go to beneditutti.com<"="c:\WINDOWS\System32\<a href=http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM>Click here to go to beneditutti.com</a>." []
"</nofra"="c:\WINDOWS\System32\</noframes>" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" []
"Zero Knowledge Freedom"="C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" []
"@"="c:\WINDOWS\System32\" [08/06/2008 09:59 PM]
"AIM"="C:\Program Files\AIM\aim.exe" [04/14/2004 05:45 PM]
"<h"="c:\WINDOWS\System32\<head>" []
"<title>beneditutti.com</title><meta name=keywords content=beneditutti.com><meta name=description content=beneditutti.com><meta name=robots content=INDEX, FOLLOW><meta name=revisit-after content=10><meta http-equiv=Content-Type content=text/htmlcharset=iso-8859"="c:\WINDOWS\System32\<title>beneditutti.com</title><meta name=keywords content=beneditutti.com><meta name=description content=beneditutti.com><meta name=robots content=INDEX, FOLLOW><meta name=revisit-after content=10><meta http-equiv=Content-Type content=text/htmlcharset=iso-8859-1>" []
"</h"="c:\WINDOWS\System32\</html>" []
"<frame src=http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA"="c:\WINDOWS\System32\<frame src=http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM>" []
"</frame"="c:\WINDOWS\System32\</frameset>" []
"<nofra"="c:\WINDOWS\System32\<noframes>" []
"<a href=http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM>Click here to go to beneditutti.com<"="c:\WINDOWS\System32\<a href=http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM>Click here to go to beneditutti.com</a>." []
"</nofra"="c:\WINDOWS\System32\</noframes>" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [8/29/2003 6:30:46 PM]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [8/29/2003 6:32:17 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.f1organizer.com #removed adware url
127.0.0.1 www.netpalnow.com #removed adware url
127.0.0.1 www.addictivetechnologies.com #removed adware url
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com

8871 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-08 06:59:58 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.00GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 510.52 MiB / 143.63 MiB
Pagefile Memory (total/avail): 1247.19 MiB / 402.03 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1889.4 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 51.01 GiB total, 37.3 GiB free.
D: is Fixed (FAT32) - 4.87 GiB total, 0.75 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD600AB-22CBA1 - 55.9 GiB - 2 partitions
\PARTITION0 - Unknown - 4.88 GiB - D:
\PARTITION1 (bootable) - Installable File System - 51.01 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AEDWARDS
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\AEDWARDS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program files\PC-Doctor for Windows XP\WINDSAPI
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=AEDWARDS
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner [I](admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{33AE85D9-0386-41AD-BD99-FDF3ABC19DBB}\setup.exe" -l0x9 -L0x9anything
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{854A5F01-D692-11D4-A984-009027EC0A9C}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{945E2519-C2B9-11D3-9D56-0060B0A4823E}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CD47EFC1-D692-11D4-A984-009027EC0A9C}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7E518B2-B174-11D3-9D4E-0060B0A4823E}\setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AOL Coach Version 1.0(Build:20030807.3) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
ArcSoft ShowBiz --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Arcsoft\Showbiz\Uninst.isu"
ArcSoft Software Suite --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Software Suite\Uninst.isu"
Atomic Pop --> "C:\Program Files\wildtangent\apps\gamechannel.exe" \removeitem {6E657D86-77B8-4D97-9E31-7D374469D3CB}
DelFin Media Viewer --> C:\WINDOWS\unvise32.exe C:\Program Files\DelFin\PromulGate\uninstal.log
Diamond Mine 1.5y --> C:\Program Files\PopCap Games\Diamond Mine\UnGins.exe "C:\Program Files\PopCap Games\Diamond Mine\install.log"
Easy Internet Sign-up --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B5DDB2C-0807-47FD-9C11-80EA761902C0}\Setup.exe" -l0x9
Enhanced MediaLoads --> "C:\Program Files\MediaLoads Enhanced\install.exe" "C:\Program Files\MediaLoads Enhanced\ME2.DLL",Uninstall
Freedom Security && Privacy Suite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4ECBA0D5-A114-4EE3-B3F3-A8CFDE2A6A79}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp center --> C:\WINDOWS\BWUnin-6.1.0.153.exe -AppId 137903
hp deskjet 3820 series (Remove only) --> C:\Program Files\hp deskjet 3820 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB001 -vproduct=3820 -huninstall
HP DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
hp instant support --> C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe CeS
hp learning adventure --> c:\program files\HPSelect\Frontend\uninstall.exe
HP Memories Disc --> MsiExec.exe /X{103B9452-AAF9-4E8E-AE4F-DD44411B886F}
HP Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\hpiunPC.dll
HP RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
IMBUM --> regsvr32 /s /u C:\WINDOWS\System32\Im6um.dll
Inactive HP Printer Drivers (Remove only) --> RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
InetDctr --> C:\WINDOWS\System32\uninstidctr.exe
Intel(R) 845G Chipset Graphics Driver Software --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LiveUpdate 3.3 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Living Marine Aquarium Screen Saver --> C:\PROGRA~1\SCREEN~2.COM\LIVING~1\UNINSTAL.EXE /U C:\PROGRA~1\SCREEN~2.COM\LIVING~1\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MarketBrowser --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35845E72-E34A-11D4-817D-005004D0F1FA}\Setup.exe" -uninst
MediaLoads --> "C:\Program Files\MediaLoads\v1\ml.exe" /R
Microsoft Money 2002 --> MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
Microsoft Money 2002 System Pack --> MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works and Money 2002 Setup Launcher --> C:\Program Files\Microsoft Works and Money 2002\Setup\Launcher.exe \hp\tmp\src\
MUSICMATCH Jukebox --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
PC-Doctor for Windows --> C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
Python 1.5 combined Win32 extensions --> C:\PROGRA~1\Python\UNWISE~1.EXE C:\PROGRA~1\Python\W32INST.LOG
Python 1.5.2 (final) --> C:\PROGRA~1\Python\UNWISE.EXE C:\PROGRA~1\Python\INSTALL.LOG
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
RingMaster from Hewlett-Packard Desktops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8c9c48d7-2d03-4a1f-a303-5bd22ccabae1\Uninstall.exe"
Snood for Windows version 3.01-W --> "C:\Program Files\Snood\unins000.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Speedway --> "C:\Program Files\wildtangent\apps\gamechannel.exe" \removeitem {D6CAB2F4-26A4-48F4-A35D-CA83063E3928}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec Endpoint Protection --> MsiExec.exe /I{76B2BC31-2D96-4170-9C44-09E13B5555F3}
Tcl 8.0.5 for Windows --> C:\PROGRA~1\Tcl\UNWISE.EXE C:\PROGRA~1\Tcl\INSTALL.LOG
VERITAS StorageGuard --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WildArcade --> C:\Program Files\WildArcade\BlasterBlocks\uninst.exe
Winamp3 (remove only) --> C:\Program Files\Winamp3\uninst-wa3.EXE
WordPerfect Office 2002 Try Before You Buy --> C:\WINDOWS\Corel\uninst32.exe
WordPerfect Office 2002 Try Before You Buy --> MsiExec.exe /I{29D88826-2AB9-11D5-8854-00902761A46D}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2822 / Error
Event Submitted/Written: 08/07/2008 07:59:08 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Downloader.MSCache in File: C:\Documents and Settings\Owner\Local Settings\Temp\DWHB674.tmp by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Event Record #/Type2821 / Error
Event Submitted/Written: 08/07/2008 07:59:05 PM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Downloader.MSCache in File: C:\Documents and Settings\Owner\Local Settings\Temp\DWHB674.tmp by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Event Record #/Type2820 / Error
Event Submitted/Written: 08/07/2008 07:58:58 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Downloader.Trojan in File: C:\Documents and Settings\Owner\Local Settings\Temp\DWH11C3.tmp by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.

Event Record #/Type2819 / Error
Event Submitted/Written: 08/07/2008 07:58:50 PM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Downloader.Trojan in File: C:\Documents and Settings\Owner\Local Settings\Temp\DWH11C3.tmp by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.

Event Record #/Type2807 / Error
Event Submitted/Written: 08/06/2008 07:32:29 PM
Event ID/Source: 13 / SescLU
Event Description:
LiveUpdate returned a non-critical error. Available content updates may have failed to install.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type14523 / Error
Event Submitted/Written: 08/07/2008 08:32:49 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%10045

Event Record #/Type14507 / Error
Event Submitted/Written: 08/07/2008 07:44:45 PM
Event ID/Source: 7003 / Service Control Manager
Event Description:
The SRTSP service depends on the following nonexistent service: FltMgr

Event Record #/Type14506 / Error
Event Submitted/Written: 08/07/2008 07:44:45 PM
Event ID/Source: 7003 / Service Control Manager
Event Description:
The SRTSP service depends on the following nonexistent service: FltMgr

Event Record #/Type14504 / Error
Event Submitted/Written: 08/07/2008 07:44:45 PM
Event ID/Source: 7003 / Service Control Manager
Event Description:
The SRTSP service depends on the following nonexistent service: FltMgr

Event Record #/Type14485 / Error
Event Submitted/Written: 08/06/2008 10:11:45 PM
Event ID/Source: 7003 / Service Control Manager
Event Description:
The SRTSP service depends on the following nonexistent service: FltMgr



-- End of Deckard's System Scanner: finished at 2008-08-08 06:59:58 ------------

Gregxpe
2008-08-08, 14:22
Just in case you needed this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:48 AM, on 8/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {F574BF0D-F90E-EAA9-8761-EFC4AA5FF16E} - C:\WINDOWS\system32\sombzlmu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jbeschly] C:\WINDOWS\bbxpovzq.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [CIPVF] C:\WINDOWS\CIPVF.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\xcafcqwz.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [RealPlayerv2] AIM1.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA] c:\WINDOWS\System32\<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA] c:\WINDOWS\System32\<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217888633296
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11066 bytes

Shaba
2008-08-08, 19:00
Open HijackThis, click do a system scan only and checkmark these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {F574BF0D-F90E-EAA9-8761-EFC4AA5FF16E} - C:\WINDOWS\system32\sombzlmu.dll
O4 - HKLM\..\Run: [jbeschly] C:\WINDOWS\bbxpovzq.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [CIPVF] C:\WINDOWS\CIPVF.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\xcafcqwz.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [RealPlayerv2] AIM1.EXE
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA] c:\WINDOWS\System32\<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCA] c:\WINDOWS\System32\<frame src="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://searchportal.information.com?epl=00470015UVsPWVALXVUMVV8BXQsDVwhAE0MXXBkCDlgTWWddVVgCAlM">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

Close all windows including browser and press fix checked.

Reboot.

Delete if present:

C:\WINDOWS\system32\sombzlmu.dll

Empty Recycle Bin.

Re-run dss.

Post back a fresh dss log.

Gregxpe
2008-08-09, 02:46
I installed many security updates prior to running the DSS

Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-08 19:28:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:53 PM, on 8/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AOL Companion\companion.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217888633296
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6654 bytes

-- Files created between 2008-07-08 and 2008-08-08 -----------------------------

2008-08-08 19:04:08 46352 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:04:07 171280 --a------ C:\WINDOWS\System32\jit.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:04:07 313856 --a------ C:\WINDOWS\System32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2008-08-08 19:04:07 6550 --a------ C:\WINDOWS\jautoexp.dat
2008-08-08 19:04:00 113 --a------ C:\WINDOWS\System32\zonedon.reg
2008-08-08 19:04:00 113 --a------ C:\WINDOWS\System32\zonedoff.reg
2008-08-08 19:03:59 171792 --a------ C:\WINDOWS\System32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:03:59 286992 --a------ C:\WINDOWS\System32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:03:59 21264 --a------ C:\WINDOWS\System32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:03:58 947472 --a------ C:\WINDOWS\System32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:03:58 154384 --a------ C:\WINDOWS\System32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:03:58 172304 --a------ C:\WINDOWS\System32\jview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:03:57 15120 --a------ C:\WINDOWS\System32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:03:57 404752 --a------ C:\WINDOWS\System32\javart.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:03:57 63248 --a------ C:\WINDOWS\System32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:03:56 187152 --a------ C:\WINDOWS\System32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-08 19:03:55 49424 --a------ C:\WINDOWS\System32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-08-06 21:09:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-06 21:09:09 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 21:09:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 19:18:45 0 d-------- C:\Program Files\Symantec
2008-08-04 18:28:10 0 d-------- C:\WINDOWS\System32\PreInstall
2008-08-04 18:28:09 0 d--h----- C:\WINDOWS\$hf_mig$
2008-08-04 18:27:17 0 d-------- C:\WINDOWS\System32\bits
2008-08-04 18:23:59 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-08-04 18:21:35 0 d-------- C:\WINDOWS\Prefetch
2008-08-04 18:15:58 0 d-------- C:\WINDOWS\ServicePackFiles
2008-08-04 18:15:58 0 d-------- C:\WINDOWS\ehome
2008-08-04 07:36:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-04 07:36:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-08-02 12:03:31 0 d-------- C:\Program Files\Trend Micro
2008-08-02 00:18:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


-- Find3M Report ---------------------------------------------------------------

2008-08-05 19:22:01 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-04 18:24:21 0 d--h----- C:\Program Files\WindowsUpdate
2008-08-04 18:15:58 0 d-------- C:\Program Files\Messenger
2008-08-04 18:15:51 0 d-------- C:\Program Files\Movie Maker
2008-08-03 14:37:43 0 d-------- C:\Program Files\Common Files
2008-08-02 00:59:23 0 d-------- C:\Program Files\Sqwire
2008-08-02 00:58:32 0 d-------- C:\Program Files\DownloadWare
2008-08-02 00:57:20 0 d-------- C:\Program Files\Free Offers from Freeze.com
2008-08-02 00:15:07 14830 --ah----- C:\WINDOWS\System32\fiz0
2008-08-01 23:48:06 49 --a------ C:\WINDOWS\mads.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 07:04 PM]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [12/13/2001 02:05 AM]
"KBD"="C:\HP\KBD\KBD.EXE" [07/06/2001 11:56 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [12/19/2001 02:39 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [03/14/2002 01:25 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [03/12/2002 06:28 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [03/12/2002 06:20 AM]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [03/09/2002 07:53 PM C:\WINDOWS\system32\nwiz.exe]
"S3apphk"="S3apphk.exe" [03/16/2002 01:51 AM C:\WINDOWS\system32\S3apphk.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" []
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [03/28/2002 04:50 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [09/02/2002 06:01 PM]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [01/26/2002 04:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/29/2003 06:32 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/01/2008 01:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" []
"Zero Knowledge Freedom"="C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" []
"AIM"="C:\Program Files\AIM\aim.exe" [04/14/2004 05:45 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [8/29/2003 6:30:46 PM]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [8/29/2003 6:32:17 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-08-08 19:30:27 ------------

Gregxpe
2008-08-09, 02:49
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:51 PM, on 8/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\update\update.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217888633296
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6819 bytes

Shaba
2008-08-09, 12:23
Please make sure that all programs are closed when installing Java.

Click here (http://java.sun.com/javase/downloads/index.jsp) to visit Java's website.
Scroll down to Java Runtime Environment (JRE) 6 Update 7. Click on Download.
Select Windows from the drop-down list for Platform.
Select Multi-language from the drop-down list for Language.
Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
Click on jre-6u7-windows-i586-p.exe link to download it and save this to a convenient location.
Double click on jre-6u7-windows-i586-p.exe to install Java.
After the Java installation has finished, please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

Gregxpe
2008-08-09, 22:33
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 1 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 09, 2008 17:43:00
Records in database: 1075648
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 71663
Threat name: 10
Infected objects: 17
Suspicious objects: 0
Duration of the scan: 01:42:16


File name / Threat name / Threats count
C:\Documents and Settings\Owner\My Documents\beachfree.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e 1
C:\Documents and Settings\Owner\My Documents\beachfree.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl 1
C:\Documents and Settings\Owner\winlogo.scr Infected: Trojan-Spy.Win32.Lodis.b 1
C:\Program Files\DownloadWare\Downloads\90.dat Infected: not-a-virus:AdWare.Win32.MediaPops.b 1
C:\Program Files\DownloadWare\Temp\me.exe Infected: not-a-virus:AdWare.Win32.MediaPops.b 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080808-184553-256.dll Infected: Trojan-Downloader.Win32.Agent.b 1
C:\Program Files\WildArcade\BlasterBlocks\blasterblocks.exe Infected: not-a-virus:AdWare.Win32.WinFetcher.d 1
C:\Program Files\WildArcade\BlasterBlocks\blasterblocks.exe Infected: not-a-virus:AdWare.Win32.WinFetcher.e 1
C:\WINDOWS\ieHook.dll Infected: Trojan-Spy.Win32.Lodis.b 1
C:\WINDOWS\system32\bS_L.dll Infected: Trojan-Downloader.Win32.Keenval 3
C:\WINDOWS\system32\bS_L.dll Infected: Trojan-Downloader.Win32.Keenval.e 2
C:\WINDOWS\system32\winlogo.scr Infected: Trojan-Spy.Win32.Lodis.b 1
C:\WINDOWS\system32\Xcite.dll Infected: not-a-virus:AdWare.Win32.F1Organizer.m 1
C:\WINDOWS\system32\Xcite2.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.m 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:37 PM, on 8/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217888633296
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7565 bytes

Shaba
2008-08-10, 12:16
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\Documents and Settings\Owner\My Documents\beachfree.exe
C:\Documents and Settings\Owner\winlogo.scr
C:\Program Files\DownloadWare\Downloads\90.dat
C:\Program Files\DownloadWare\Temp\me.exe
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080808-184553-256.dll
C:\Program Files\WildArcade\BlasterBlocks\blasterblocks.exe
C:\WINDOWS\ieHook.dll
C:\WINDOWS\system32\bS_L.dll
C:\WINDOWS\system32\winlogo.scr
C:\WINDOWS\system32\Xcite.dll
C:\WINDOWS\system32\Xcite2.exe


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Gregxpe
2008-08-10, 17:42
C:\Documents and Settings\Owner\My Documents\beachfree.exe moved successfully.
C:\Documents and Settings\Owner\winlogo.scr moved successfully.
C:\Program Files\DownloadWare\Downloads\90.dat moved successfully.
C:\Program Files\DownloadWare\Temp\me.exe moved successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080808-184553-256.dll unregistered successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080808-184553-256.dll moved successfully.
C:\Program Files\WildArcade\BlasterBlocks\blasterblocks.exe moved successfully.
C:\WINDOWS\ieHook.dll unregistered successfully.
C:\WINDOWS\ieHook.dll moved successfully.
C:\WINDOWS\system32\bS_L.dll unregistered successfully.
C:\WINDOWS\system32\bS_L.dll moved successfully.
C:\WINDOWS\system32\winlogo.scr moved successfully.
C:\WINDOWS\system32\Xcite.dll unregistered successfully.
C:\WINDOWS\system32\Xcite.dll moved successfully.
C:\WINDOWS\system32\Xcite2.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08102008_103905

Shaba
2008-08-10, 19:10
Open HijackThis, click do a system scan only and checkmark these:

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O20 - AppInit_DLLs:

Close all windows including browser and press fix checked.

Reboot.

Delete if exists:

C:\Program Files\MarketBrowser

Empty Recycle Bin.

Download and install SP2 (http://www.microsoft.com/DownLoads/details.aspx?familyid=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en)

Post back a fresh HijackThis log.

Gregxpe
2008-08-10, 22:34
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:03 PM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217888633296
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7274 bytes


I also get a screen a boot up that shows a red "I love Patrick" screen before the Windows screen comes up. I found a .bmp file in my documents that is the same screen but don't know what makes the screen come up.

Shaba
2008-08-11, 14:34
"I also get a screen a boot up that shows a red "I love Patrick" screen before the Windows screen comes up. I found a .bmp file in my documents that is the same screen but don't know what makes the screen come up."

Please delete it and post back after that :)

Gregxpe
2008-08-12, 05:18
Deleted. Looks better now. Below is a list of the add/remove software on the machine. Do you think I should uninstall any of these? For example IMBUM

Adobe Acrobat 5.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
AOL Instant Messenger
ArcSoft ShowBiz
ArcSoft Software Suite
Atomic Pop
DelFin Media Viewer
Diamond Mine 1.5y
Easy Internet Sign-up
Enhanced MediaLoads
Freedom Security && Privacy Suite
HijackThis 2.0.2
hp center
hp deskjet 3820 series (Remove only)
HP DLA
hp instant support
hp learning adventure
HP Memories Disc
HP Photo Printing Software
HP RecordNow
IMBUM
Inactive HP Printer Drivers (Remove only)
InetDctr
Intel(R) 845G Chipset Graphics Driver Software
InterActual Player
Java(TM) 6 Update 7
KBD
Lernout & Hauspie TruVoice American English TTS Engine
LiveUpdate 3.3 (Symantec Corporation)
Living Marine Aquarium Screen Saver
Malwarebytes' Anti-Malware
MediaLoads
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
MUSICMATCH Jukebox
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
QuickTime
RealPlayer Basic
RingMaster from Hewlett-Packard Desktops (remove only)
Security Update for Step By Step Interactive Training (KB898458)
Snood for Windows version 3.01-W
SoundMAX
Speedway
Spybot - Search & Destroy
Symantec Endpoint Protection
Tcl 8.0.5 for Windows
VERITAS StorageGuard
Viewpoint Media Player
WildArcade
Winamp3 (remove only)
WordPerfect Office 2002 Try Before You Buy
WordPerfect Office 2002 Try Before You Buy

Shaba
2008-08-12, 11:12
IMBUM looks like to be OK.

But MediaLoads needs to go.

Any other issues?

Gregxpe
2008-08-12, 14:00
Seems to be running pretty good. I will do some more testing. I uninstalled Medialoads and Enhanced Medialoads. Should I worry about any of the folders left behind by these programs like Blubster, Downloadware, Filtergate, Snood, Sqwire? Thank you very much for all your help.

Shaba
2008-08-12, 15:24
Blubster and Downloadware are bad, rest are good.

Still other issues? :)

Gregxpe
2008-08-13, 03:53
Question on USB Mass Storage - Usually when I request to safely remove a device a message pops up saying "you can now remove the device" but no message appears. Could this be fixed or not worry about it? Should I update from IE 6 to 7? Should I create a new restore point and clear old restore points?

Gregxpe
2008-08-13, 07:12
I ran the Malwarebytes scan and it detected the Medialoads registry entry and I removed it. I ran another Kaspersky scan and it only found the items in OTmoveit2. Should I start the OTmoveit2 software and deleted the items captured?

Shaba
2008-08-13, 11:07
"Could this be fixed or not worry about it? Should I update from IE 6 to 7? Should I create a new restore point and clear old restore points?"

That might be a bug. It there has been no data loss I wouldn't be worried. Yes I recommend to update IE. Restore will be flushed during final instructions.

"Should I start the OTmoveit2 software and deleted the items captured? "

Those will be also deleted during final instructions :)

Gregxpe
2008-08-13, 14:44
Upgraded to IE 7. Ready for final instructions.

Shaba
2008-08-13, 15:06
Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)


Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:

Gregxpe
2008-08-14, 06:19
The Combfix command did not work. I don't think I used Combofix. I used DSS. Do I need to do anything with this? I created a new restore point and ran OTcleanit. All seems great.
Does it hurt to have SpyBlaster and Spybot with immunization on the same machine or just use one of them. Also is it okay to use MalwareBytes regularly?

Shaba
2008-08-14, 11:10
Yes, you are right.

We didn't use combofix, my bad :oops:

"I used DSS. Do I need to do anything with this? "

OtCleanIt should have deleted it; if not please delete it :)

"Does it hurt to have SpyBlaster and Spybot with immunization on the same machine or just use one of them."

Both can be used.

"Also is it okay to use MalwareBytes regularly? "

Absolutely :)

Shaba
2008-08-16, 11:48
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.