PDA

View Full Version : Malware, spyQuard, fraud


Nihal
2006-08-31, 14:56
i hope i do this right! (i appreciate any help you could give me :)
this is the exact problem I’m having:
"Symptoms:
Fake anti spyware programs popup a screen over the desktop and/or a balloon popup from the windows tray area; displaying a warning message that your computer is infected with spyware and telling you to purchase, download & install their program to remove it.

It is installed on your computer via a Trojan that issues fake security alerts and downloads/installs the software. The Rogue program is hoping to scare the infected users into purchasing the full commercial version."

Logfile of HijackThis v1.99.1
Scan saved at 3:51:59 PM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TopSearch\TopSearch.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\Program Files\EbatesMoeMoneyMaker4\EbatesMoeMoneyMaker.exe
C:\Program Files\Common Files\{75A175BE-03E2-1033-0531-050503030001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SSEMBL~1\ati2evxx.exe
C:\PROGRA~1\COMMON~1\kmwf\kmwfm.exe
C:\PROGRA~1\COMMON~1\kmwf\kmwfa.exe
C:\WINDOWS\TEMP\idd7F.tmp.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\isnotify.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tpid=10301&ttid=104
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpEE76.tmp (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O2 - BHO: (no name) - {A5520C59-D7D2-110E-15B4-83573862EF5A} - C:\DOCUME~1\MELISS~1\APPLIC~1\DOWNLO~1\Flap love.exe
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NI.UWFX5_0001_N57M2911] "C:\Documents and Settings\Melissa Cagle\Desktop\WinFixerScannerInstall.exe" -nag
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Mail Third Hope Support] C:\Documents and Settings\All Users\Application Data\Acenurbmailthird\fragdate.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] "C:\Program Files\EbatesMoeMoneyMaker4\EbatesMoeMoneyMaker.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hope surf] C:\DOCUME~1\MELISS~1\APPLIC~1\SENDSE~1\date open.exe
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\system32\SSEMBL~1\ati2evxx.exe" -vt yazr
O4 - HKCU\..\Run: [kmwf] C:\PROGRA~1\COMMON~1\kmwf\kmwfm.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Product Registration.lnk = D:\ATR1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ebates. - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Melissa Cagle\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winetn32 - C:\WINDOWS\SYSTEM32\winetn32.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe



SmitFraudFix v2.82

Scan done at 15:52:29.39, Thu 08/31/2006
Run from C:\Documents and Settings\Melissa Cagle\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\urroxtl.dll FOUND !
C:\WINDOWS\system32\1024\ FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Melissa Cagle\Application Data

C:\Documents and Settings\Melissa Cagle\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MELISS~1\FAVORI~1

C:\DOCUME~1\MELISS~1\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Safety Bar\ FOUND !
C:\Program Files\SpywareQuake\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_CLASSES_ROOT\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\stickrep.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\stickrep.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
pskelley
2006-08-31, 15:44
Welcome to the forum, seems you found the instructions to run the SmitfraudFix search function. You are infected so skip that part and follow the rest of the instruction here:
http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.

Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.

Thanks...pskelley

Safer Networking Forums
If you would like to let your thoughts be known about the lowlifes who put that junk on your computer, you can do that here:
If you have been infected by one of the SpyAxe family
http://forums.tomcoyote.org/index.php?showtopic=58063
http://www.malwarecomplaints.info/
Nihal
2006-09-01, 22:54
i have fallowed the list but i'm still getting popups, :( an i am not eactly sure if it is free of infection since i have no idea of how to read the lists. Here they are:
(Thank you for your help i appreciate it.)

Logfile of HijackThis v1.99.1
Scan saved at 11:37:00 PM, on 9/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe (is this something bad?)
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: (no name) - {A5520C59-D7D2-110E-15B4-83573862EF5A} - C:\DOCUME~1\MELISS~1\APPLIC~1\DOWNLO~1\Flap love.exe
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NI.UWFX5_0001_N57M2911] "C:\Documents and Settings\Melissa Cagle\Desktop\WinFixerScannerInstall.exe" -nag
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Mail Third Hope Support] C:\Documents and Settings\All Users\Application Data\Acenurbmailthird\fragdate.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hope surf] C:\DOCUME~1\MELISS~1\APPLIC~1\SENDSE~1\date open.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Product Registration.lnk = D:\ATR1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ebates. - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Melissa Cagle\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winetn32 - C:\WINDOWS\SYSTEM32\winetn32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

(How can i find out which ones to delete?)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:08:26 PM 9/1/2006

+ Scan result:



C:\SWSETUP\SYMNSC\02\LUREGWMI.EXE -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\16\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\37\LUREGWMI.EXE -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\AR\LUREGWMI.EXE -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\BR\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\CH\LUREGWMI.EXE -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\CS\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\DK\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\FI\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\FR\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\GK\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\GR\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\HU\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\IL\LUREGWMI.EXE -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\IT\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\JP\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\KR\LUREGWMI.EXE -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\NL\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\NO\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\PL\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\PT\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\RU\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\SE\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\SP\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\TR\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\TW\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\TZ\LURegWMI.exe -> Adware.Dm : Cleaned with backup (quarantined).
C:\SWSETUP\SYMNSC\US\LUREGWMI.EXE -> Adware.Dm : Cleaned with backup (quarantined).
HKU\S-1-5-21-4103170905-1678554770-1593895170-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-4103170905-1678554770-1593895170-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Cowabanga\Cowabanga.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinDmy.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHUpdater.exe -> Adware.NavExcel : Cleaned with backup (quarantined).
C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHelper.dll -> Adware.NavExcel : Cleaned with backup (quarantined).
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe -> Adware.NavExcel : Cleaned with backup (quarantined).
C:\Program Files\NavExcel\NavHelper\v2.0.4d\v2.0.4d.cab/NHUpdater.exe -> Adware.NavExcel : Cleaned with backup (quarantined).
C:\Program Files\NavExcel\NavHelper\v2.0.4d\v2.0.4d.cab/NHelper.dll -> Adware.NavExcel : Cleaned with backup (quarantined).
C:\Program Files\NavExcel\NavHelper\v2.0.4d\v2.0.4d.cab/navapp.exe -> Adware.NavExcel : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NavHelper -> Adware.NavExcel : Cleaned with backup (quarantined).
HKLM\SOFTWARE\NavExcel -> Adware.NavExcel : Cleaned with backup (quarantined).
HKLM\SOFTWARE\NavExcel\NavHelper -> Adware.NavExcel : Cleaned with backup (quarantined).
HKLM\SOFTWARE\NavExcel\NavHelper\v2.0.4d -> Adware.NavExcel : Cleaned with backup (quarantined).
Nihal
2006-09-01, 22:55
C:\WINDOWS\АppPatch\nоpdb.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\EbatesMoeMoneyMaker4\e10350.exe -> Adware.Rebates : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1 -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1 -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer -> Adware.Screensavers : Cleaned with backup (quarantined).
C:\Program Files\ToolBar888 -> Adware.ToolBar888 : Cleaned with backup (quarantined).
C:\Program Files\ToolBar888\Activate.exe -> Adware.ToolBar888 : Cleaned with backup (quarantined).
C:\Program Files\ToolBar888\Uninst.exe -> Adware.ToolBar888 : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\WINDOWS\system32\actskn45.ocx -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\аssembly\ati2evxx.exe -> Downloader.PurityScan.da : Cleaned with backup (quarantined).
C:\Program Files\Common Files\kmwf\kmwfp.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\Program Files\Common Files\kmwf\kmwfa.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\Program Files\Common Files\kmwf\kmwfm.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\Program Files\Common Files\kmwf\kmwfl.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\Melissa Cagle\Application Data\Netscape\NSB\Profiles\bs1shj6o.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Documents and Settings\Melissa Cagle\Application Data\Netscape\NSB\Profiles\bs1shj6o.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\Melissa Cagle\Application Data\Netscape\NSB\Profiles\bs1shj6o.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\Melissa Cagle\Application Data\Netscape\NSB\Profiles\bs1shj6o.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.13:C:\Documents and Settings\Melissa Cagle\Application Data\Netscape\NSB\Profiles\bs1shj6o.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.14:C:\Documents and Settings\Melissa Cagle\Application Data\Netscape\NSB\Profiles\bs1shj6o.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.16:C:\Documents and Settings\Melissa Cagle\Application Data\Netscape\NSB\Profiles\bs1shj6o.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.15:C:\Documents and Settings\Melissa Cagle\Application Data\Netscape\NSB\Profiles\bs1shj6o.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.20:C:\Documents and Settings\Melissa Cagle\Application Data\Netscape\NSB\Profiles\bs1shj6o.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.6:C:\Documents and Settings\Melissa Cagle\Application Data\Netscape\NSB\Profiles\bs1shj6o.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINDOWS\Temp\idd107.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd11C.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd13.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd14.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd14A.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd16.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd17.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd18.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd19.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd2.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd20.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd207.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd21A.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd23.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd230.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd246.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd25.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd25C.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd27.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd274.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd28.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd28A.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd29.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd2A.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd36E.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd4.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd42.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd46.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd5.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd54.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd5F.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd7.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd79.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd797.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd7D.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd8.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd80.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd81.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd83.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd84.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd8A.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd8D.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd8E.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd8F.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd96.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd9B.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddA0.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddA2.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddA5.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddA7.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddAC.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddAE.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddB1.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddB2.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddB3.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddB5.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddB6.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddB7.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddB9.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddBC.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddC.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddC2.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddC4.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddC6.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddC7.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddD.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddDD.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddDE.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddDF.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddE.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddE1.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddE4.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddE5.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddF.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddF2.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddF3.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddF5.tmp.exe -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win12.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win16.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winB.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winE.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{75A175BE-03E2-1033-0531-050503030001}\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).


::Report end
pskelley
2006-09-01, 23:10
Thanks for returning you information, I suggest patience, these infections are rarely as easy to get off as they were to get on.

You have posted the HJT log and ewido scan report, where is the SmitfraudFix report from when you ran the clean function?
Slow down a little, read and follow the directions carefully, this is your computer you are fooling with.

http://siri.geekstogo.com/SmitfraudFix.php
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click smitfraudfix.cmd
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post that SmitfraudFix report, we have a way to go. You would be wise to keep this computer offline until it is clean, this junk will attract more junk.

Thanks
Nihal
2006-09-01, 23:40
i knew i had forgotten to post something. :P i also did the restored the trusted zones,oh and i do not use SpywareBlaster
here it is my report:
Logfile of HijackThis v1.99.1
Scan saved at 4:43:42 PM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

SmitFraudFix v2.82

Scan done at 0:19:42.82, Sat 09/02/2006
Run from C:\Documents and Settings\Melissa Cagle\Desktop\help\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
pskelley
2006-09-01, 23:53
Thanks for that information, here comes the fun part. Please be careful and do not rush, this is technical work you are doing.

Please follow these directions carefully and in the posted order.

C:\WINDOWS\system32\winlogon.exe (is this something bad?)
No it is not, malware can infect any file, that's why we train to know what is bad, without that file your programs could not log on.

I also see remnants of a LOP infection caused by downloading sponsor program with MessengerPlus. You just uninstall that program?

Instructions start here:

1) did you place these items in your Hosts file? If you did, ignore the instructions to remove them, if you did not, check and remove them as suggested.

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Follow these instruction to delete this file: C:\WINDOWS\SYSTEM32\winetn32.dll
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
How to use the Delete on Reboot tool
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file:
C:\WINDOWS\SYSTEM32\winetn32.dll
and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.

5) Start> Control Panel > Add Remove Programs and uninstall C2Media/LOP, ToolBar888, WinFixer, TopSearch, NavExcel and any other program you know does not belong there. If you are not sure, let me know and I will look.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: (no name) - {A5520C59-D7D2-110E-15B4-83573862EF5A} - C:\DOCUME~1\MELISS~1\APPLIC~1\DOWNLO~1\Flap love.exe
(LOP above)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
(this next toolbar is missing a file and not working, install it again if you use it once we are finished)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [NI.UWFX5_0001_N57M2911] "C:\Documents and Settings\Melissa Cagle\Desktop\WinFixerScannerInstall.exe" -nag
(above is a real nasty, did someone download this??)
O4 - HKLM\..\Run: [Mail Third Hope Support] C:\Documents and Settings\All Users\Application Data\Acenurbmailthird\fragdate.exe
(LOP)
O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKCU\..\Run: [hope surf] C:\DOCUME~1\MELISS~1\APPLIC~1\SENDSE~1\date open.exe
(LOP)
O4 - Startup: Product Registration.lnk = D:\ATR1.EXE
(if you have not registered this product, do so and remove this item)
O8 - Extra context menu item: Ebates. - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm
O20 - Winlogon Notify: winetn32 - C:\WINDOWS\SYSTEM32\winetn32.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\DOCUMENT AND SETTINGS~1\MELISS~1\APPLICATION DATA~1\SENDSE~1\ <<< delete that folder

C:\Documents and Settings\All Users\Application Data\Acenurbmailthird\ <<< delete that folder

C:\Documents and Settings\Melissa Cagle\Desktop\WinFixerScannerInstall.exe <<< delete that file

C:\Program Files\NavExcel\ <<< delete that folder

C:\Program Files\TopSearch\ <<< delete that folder

C:\WINDOWS\SYSTEM32\winetn32.dll <<< delete that file (probably be gone, just don't miss it)

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log along with any comments you think will help.

Thanks
Nihal
2006-09-02, 01:14
Quote:
C:\WINDOWS\system32\winlogon.exe (is this something bad?)
No it is not, malware can infect any file, that's why we train to know what is bad, without that file your programs could not log on.

Thank you, it just looked a little odd. 



I also see remnants of a LOP infection caused by downloading sponsor program with MessengerPlus. You just uninstall that program?

I uninstalled MessengerPlus a couple of months ago. I checked the add/remove programs and I could not find any remains.


O4 - HKLM\..\Run: [NI.UWFX5_0001_N57M2911] "C:\Documents and Settings\Melissa Cagle\Desktop\WinFixerScannerInstall.exe" -nag
(above is a real nasty, did someone download this??)

C:\Documents and Settings\Melissa Cagle\Desktop\WinFixerScannerInstall.exe <<< delete that file

Unfortunately I have no idea and I could not find the second one following the link. Perhaps when the first one was deleted so was the second one?

Oh and when I was of the internet (because you told me to keep off if I could help it.) my Symantec antivirus program found a Trojan Horse in this file: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP249
It was Quarantined and deleted right after, but I wonder if I should be on the look out for more?
Because my Symantec does not help for some reason when I run scans on my computer every Sunday afternoon. It can not viruses when a scan is run, but it sometimes finds them when I turn my computer on. (Realtime protection finds them.)

Is this all? Or can I run more scans on my computer to locate any remaining problems and would you direct me to programs that could help?
(And can I turn my computers adsl safely on now?)

Thank you so much.



Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 1:54:47 AM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Melissa Cagle\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
pskelley
2006-09-02, 01:32
my Symantec antivirus program found a Trojan Horse in this file: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP249
That is your System Restore files and we will clean then before we are finished. See this:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
The only way the bad stuff that is backed up in System Restore can get back on the computer is if you use the program to restore the computer.

Your HJT log looks good, great job:bigthumb: I see one issue, Java needs an update, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

and one questions, what is this item: O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Melissa Cagle\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
My search turns up this: http://www.imvu.com/catalog/web_index_new.php?osCsid=5f2923b04ad081eac73f94b61210f8df but I don't see the program, could you find out if it was uninstalled. If so, then use HJT to remove that extra button.

These infections have possible corrupted your security programs, so you want to check each one. Update and run your antivirus program, make sure it runs ok. If you have any issues with it, consult Symantec Tech Support. Check your firewall. Open the Security Center in the Control Panel and make sure all three items are green for go.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

If you get to this point and all is well, then you are good to go. tashi:) will close your topic in a few day.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
tashi
2006-09-05, 01:17
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Cheers. :)