
Brooke - Log 01


Brooke


Tarun, Since I followed your procedures rather than those prescribed at Malwarebytes, I'm posting here. My thread there is http://www.malwarebytes.org/forums/index.p...&#entry2172.

(Would you prefer these logfiles as attachments?)

Logfile of HijackThis v1.99.1

Scan saved at 8:52:01 AM, on 2/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Programs - added\AVG AntiSpyware 7.5\guard.exe

C:\PROGRA~2\AVG7~1.5AN\avgamsvr.exe

C:\PROGRA~2\AVG7~1.5AN\avgupsvc.exe

C:\PROGRA~2\AVG7~1.5AN\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programs - added\Picasa2\PicasaMediaDetector.exe

C:\WINDOWS\system32\WDBtnMgr.exe

C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe

C:\Programs - added\iTunes 7\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Programs - added\DoubleSafety - backup program\DoubleSafety.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~2\AVG7~1.5AN\avgcc.exe

C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctpmon.exe

C:\Programs - added\RougeRemoverPRO 1.04\RogueRemoverPRO.exe

C:\WINDOWS\system32\ctpmon.exe

C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe

C:\Program Files\TM1184\ControlUtility\ControlUtility.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Google\Google Updater\GoogleUpdater.exe

C:\Programs - added\NaviScope\naviscope.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Programs - added\SpyBot Search and Destroy 1.4\SpybotSD.exe

C:\PROGRA~2\AVG7~1.5AN\avgw.exe

C:\Program Files\HijackThis 1.99.0.1\analyze.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {31065C7D-466B-E9D6-E5D7-01E29F863683} - C:\WINDOWS\System32\zaxkeak.dll

O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\PROGRA~2\NEWFOL~1\BXNEWF~1\BXNEWF~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1.4\SDHelper.dll

O2 - BHO: (no name) - {562D1B44-9B98-D678-E704-01358FB718F6} - C:\WINDOWS\System32\hcvleb.dll

O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programs - added\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programs - added\iTunes 7\iTunesHelper.exe"

O4 - HKLM\..\Run: [DoubleSafety] "C:\Programs - added\DoubleSafety - backup program\DoubleSafety.exe" /logon

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\AVG7~1.5AN\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctpmon] ctpmon.exe

O4 - HKCU\..\Run: [RogueMonitor] C:\Programs - added\RougeRemoverPRO 1.04\RogueRemoverPRO.exe /monitor

O4 - Startup: naviscope.lnk = C:\Programs - added\NaviScope\naviscope.exe

O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: ClipMate5.lnk = C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe

O4 - Global Startup: Dell Control Utility.lnk = ?

O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm

O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm

O8 - Extra context menu item: Download using LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\AddUrl.html

O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Wizard.html

O8 - Extra context menu item: Parse with LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Parser.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O15 - Trusted Zone: *.musicmatch.com

O15 - Trusted Zone: *.musicmatch.com (HKLM)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...55/sdcregie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107468058468

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab

O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) - http://www.o2c.de/download/o2cplayer.cab

O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab

O16 - DPF: {BF3CD111-6278-11D2-9EA3-00A0C9251384} (O2C-Player Version 1.x) - http://www.o2c.de/download/O2CPlayer.CAB

O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {EF6E7E56-9229-4C73-AAD0-15316405DB95} (Easy Photo Uploader) - http://preview.digiphoart4evergreen.photos...oadBox_live.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programs - added\AVG AntiSpyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\AVG7~1.5AN\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\AVG7~1.5AN\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\AVG7~1.5AN\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Folder Size (FolderSize) - Brio - C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe


  • Administrator

At first glance I see a few issues. You have two anti-virus programs running. You should uninstall AVG Free Anti-Virus.

Just to check, you've run all of the scans in the Anti-Malware package?

This file could be a source of problems. O4 - HKCU\..\Run: [ctpmon] ctpmon.exe

You should also check your Hosts file. It can be found in %SystemRoot%\system32\drivers\etc\, and you may need to right-click it and remove the Read-Only status.

Do a search for ctpmon and once found you should delete it. If you are unable to delete it, you should use a program like Unlocker or FileASSASSIN.

Should you need further assistance eradicating this parasite, just post back and let us know.

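As an added example (not from Brooke's post, the administrator, or the HijackThis tool itself), the script below does mechanically what the administrator did by eye: it reads HijackThis lines and flags the ones worth verifying first. It applies four generic heuristics: a target marked `(file missing)` or `(no file)`, an `R1` proxy pointing at loopback (the log above has `http=127.0.0.1:81`), a BHO registered with `(no name)` that loads a DLL straight from System32, and a `Run` value that is a bare filename such as `ctpmon.exe`, which Windows resolves through the search path at logon. The sample lines are copied from the log above; the heuristics are indicators to check, not verdicts, and the function and class names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: seven lines copied from the HijackThis log in Brooke's post,
# chosen so that each heuristic below fires at least once. Paths are as logged.
SAMPLE_LOG_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81",
    r"O2 - BHO: (no name) - {31065C7D-466B-E9D6-E5D7-01E29F863683} - C:\WINDOWS\System32\zaxkeak.dll",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll",
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    r"O4 - HKCU\..\Run: [ctpmon] ctpmon.exe",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)",
]


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.*)$")
SYSTEM32_DLL_RE = re.compile(r"\\system32\\[^\\]+\.dll$", re.IGNORECASE)
LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "[::1]")


def executable_of(cmd: str) -> str:
    """Program part of a Run command: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> list[Finding]:
    """Apply each heuristic to one HijackThis line; a line can trigger more than one."""
    line = line.rstrip()
    found: list[Finding] = []

    # The registry still references a file that is gone: a leftover of a removal, or
    # a loader whose payload moved. Cheap to clear and worth noting either way.
    if "(file missing)" in line or "(no file)" in line:
        found.append(Finding("orphaned reference (target missing)", line))

    # A proxy on loopback means every browser request passes through a local process
    # first. Identify what listens on that port before trusting the browser.
    m = PROXY_RE.match(line)
    if m and any(host in m["value"] for host in LOOPBACK_HOSTS):
        found.append(Finding("browser proxy points at loopback", line))

    # BHOs load into every Internet Explorer process. One with no registered name,
    # sitting directly in System32, should be identified by hash/publisher, not assumed.
    m = BHO_RE.match(line)
    if m and m["name"] == "(no name)" and SYSTEM32_DLL_RE.search(m["target"]):
        found.append(Finding("unnamed BHO loading a DLL from System32", line))

    # A Run value that is just "name.exe" is resolved through the search path at logon;
    # locate the file (Brooke found ctpmon.exe in System32) and verify what it is.
    m = RUN_RE.match(line)
    if m and "\\" not in executable_of(m["cmd"]):
        found.append(Finding("Run entry with bare filename (resolved via search path)", line))

    return found


def triage_hjt(lines) -> list[Finding]:
    """Run the heuristics over a whole log, preserving log order."""
    return [f for line in lines for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG_LINES):
        print(f"[{f.reason}] {f.line}")
```

Feed it a saved `hijackthis.log` one line at a time (`triage_hjt(open(path).read().splitlines())`); the output is a work list, and each item still needs the file located and checked by hash or publisher before anything is deleted.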

DONE - uninstall AVG Free Anti-Virus.

YES - you've run all of the scans in the Anti-Malware package?

This file could be a source of problems. O4 - HKCU\..\Run: [ctpmon] ctpmon.exe

Though Windows search failed to find it (why often so unreliable?), it was there, in: C:\WINDOWS\SYSTEM32

Do a search for ctpmon and once found you should delete it. If you are unable to delete it, you should use a program like Unlocker or FileASSASSIN.

FileASSASSIN failed to delete it. (In fact I've got 2 of the icons (white X on red shield) now in my sys tray.) Unlocker found no locking handle.

You should also check your Hosts file. It can be found in %SystemRoot%\system32\drivers\etc\, and you may need to right-click it and remove the Read-Only status.

What do I do with the hosts file?


  • Administrator

Though Windows search failed to find it (why often so unreliable?), it was there, in: C:\WINDOWS\SYSTEM32

It's possible the file was hidden or certain search parameters were not able to find it as they may not have been selected. You found it though.

Fileassassin failed to delete it. (In fact I've got 2 of the icons (white X on red shield) now in my sys tray.) Unlocker found no locking handle.

Was Unlocker able to delete it?

What do I do with the hosts file?

Paste your Hosts file contents here in a codebox using the codebox BBCode.

You will want to run SmitFraudFix which can be found here, along with instructions.


Though Windows search failed to find it (why often so unreliable?), it was there, in: C:\WINDOWS\SYSTEM32

It's possible the file was hidden or certain search parameters were not able to find it as they may not have been selected. You found it though.

I only mentioned that because I have probs with Windows search. There were no params listed, just find the file.ext on C:, looking everywhere. Sometimes I do a search for files modified in some time period up to present, then do some work and do the search again, assuming it would return previously listed files plus newly modified ones, but it says no files found. Just a wee bit off-topic.

Fileassassin failed to delete it. (In fact I've got 2 of the icons (white X on red shield) now in my sys tray.) Unlocker found no locking handle.

Was Unlocker able to delete it?

Unlocker nailed it on re-boot!!!! I can't find it in the directory; the icon is not there. Whoooppeeee.

FYI: When I tried to FileASSASSIN it before, it seemed to replicate itself, apparently unnecessarily as it never was assassinated... until reboot.

What do I do with the hosts file?

Paste your Hosts file contents here in a codebox using the codebox BBCode.

I pasted the new hosts file below.

You will want to run SmitFraudFix which can be found here, along with instructions.

I had run smitfraudfix before. Did you see recurring signs of smitfraud?

Brooke-hosts-01:

 

127.0.0.1 localhost
127.0.0.1 bleepingcomputer.com
127.0.0.1 www.bleepingcomputer.com
127.0.0.1 boskak.za.net
127.0.0.1 bullguard.com
127.0.0.1 www.bullguard.com
127.0.0.1 castlecops.com
127.0.0.1 www.castlecops.com
127.0.0.1 cleanup.stevengould.org
127.0.0.1 compu-docs.com
127.0.0.1 www.compu-docs.com

127.0.0.1 depannetonpc.net
127.0.0.1 www.depannetonpc.net
127.0.0.1 download.bleepingcomputer.com
127.0.0.1 ewido.net
127.0.0.1 www.ewido.net
127.0.0.1 fileinfo.prevx.com
127.0.0.1 forum.arovax.com
127.0.0.1 forum.idg.pl
127.0.0.1 forums.digitaltrends.com
127.0.0.1 forums.spybot.info

127.0.0.1 forums.techguy.org
127.0.0.1 forums.tomcoyote.org
127.0.0.1 forums.us.dell.com
127.0.0.1 greyknight17.com
127.0.0.1 www.greyknight17.com
127.0.0.1 help.lockergnome.com
127.0.0.1 infos-du-net.com
127.0.0.1 www.infos-du-net.com
127.0.0.1 innovative-sol.com
127.0.0.1 www.innovative-sol.com

127.0.0.1 mytechsupport.ca
127.0.0.1 www.mytechsupport.ca

127.0.0.1 research.sunbelt-software.com
127.0.0.1 siri.urz.free.fr
127.0.0.1 spywareinfo.dk
127.0.0.1 www.spywareinfo.dk
127.0.0.1 stevengould.org
127.0.0.1 www.stevengould.org
127.0.0.1 superantispyware.com
127.0.0.1 www.superantispyware.com

127.0.0.1 www.techsupportforum.com

#RogueRemover PRO Immunization Start

# about 1409 entries here #

#RogueRemover PRO Immunization End
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy


  • Administrator

Yes, I did see a recurrence of SmitFraud. The source of your tray icon was a piece of malicious registry-cleaning software.

You will need to clean your Hosts file. Copy the contents below into your Hosts file and save it.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#102.54.94.97 rhino.acme.com # source server
#38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

You will want to replace everything in your current Hosts file with the one above.

Afterwards, you will want to reimmunize and change all 127.0.0.1 entries to 0.0.0.0 except for the localhost entry.

If you need any help, just let us know.


My prescription:

  • 1. run smitfraudfix.

  • 2. replace hosts file as below.

  • 3. reimmunize with RogueRemover.

  • 4. edit hosts file, changing all 127.0.0.1 entries to 0.0.0.0 except for the localhost entry.

Meanwhile, thanks very much, Tarun. I won't gush about the lump in my gut, still present, which this issue has given me, and from which, at some future point I hope, you will have set me free.

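The administrator's three rules (replace the file, re-immunize, move every 127.0.0.1 entry except localhost to 0.0.0.0) can be scripted, and the same parser shows why the posted file was a problem: its lines send well-known help sites such as bleepingcomputer.com and castlecops.com to 127.0.0.1, which is what keeps an infected machine from reaching removal forums, while a legitimate immunization block only blackholes rogue-vendor domains. The script below is an added example, not code from the thread, from RogueRemover or from Spybot; the hosts text is a constructed excerpt of Brooke's file, and `HELP_SITES` is an assumed list seeded from the domains in it.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample modelled on the hosts file Brooke posted: the localhost line,
# a few of the blackholed help-site entries, and a short immunization block. The
# .test names stand in for the ~1400 real immunization entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 bleepingcomputer.com
127.0.0.1 www.bleepingcomputer.com
127.0.0.1 castlecops.com
127.0.0.1 www.superantispyware.com
#RogueRemover PRO Immunization Start
127.0.0.1 rogue-vendor.test   # constructed immunization entry
127.0.0.1 another-rogue.test
#RogueRemover PRO Immunization End
"""

# Sites whose blackholing serves the malware, not the user. An assumption for the
# example, seeded from the posted file; a real audit would take the list from the
# immunization tool's own allow-list of help sites.
HELP_SITES = frozenset({"bleepingcomputer.com", "castlecops.com",
                        "superantispyware.com", "malwarebytes.org"})

BLACKHOLE_IPS = frozenset({"127.0.0.1", "0.0.0.0", "::1"})


@dataclass(frozen=True)
class HostsLine:
    raw: str
    ip: str | None           # None for comments, blank lines and unparsable lines
    names: tuple[str, ...]   # hostnames on a mapping line, lowercased


def parse_hosts(text: str) -> list[HostsLine]:
    """Parse hosts-file text, keeping every line so the file can be rewritten in place."""
    lines = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()        # drop trailing comment, then tokenize
        ip = None
        if len(parts) >= 2:
            try:
                ip = str(ipaddress.ip_address(parts[0]))
            except ValueError:
                pass                                 # not an address: leave the line alone
        names = tuple(p.lower() for p in parts[1:]) if ip else ()
        lines.append(HostsLine(raw, ip, names))
    return lines


def _under(name: str, site: str) -> bool:
    """True if name is site or a subdomain of it (www.castlecops.com -> castlecops.com)."""
    return name == site or name.endswith("." + site)


def hijacked_entries(lines, help_sites=HELP_SITES) -> list[HostsLine]:
    """Mapping lines that send a known help/security site to a blackhole address."""
    return [ln for ln in lines
            if ln.ip in BLACKHOLE_IPS
            and any(_under(n, s) for n in ln.names for s in help_sites)]


def clean_hosts(text: str, help_sites=HELP_SITES) -> str:
    """Apply the thread's rules: drop hijack lines, keep localhost on 127.0.0.1,
    and move every other 127.0.0.1 entry to 0.0.0.0."""
    lines = parse_hosts(text)
    bad = set(hijacked_entries(lines, help_sites))
    out = []
    for ln in lines:
        if ln in bad:
            continue
        if ln.ip == "127.0.0.1" and "localhost" not in ln.names:
            # 0.0.0.0 is unroutable, so the connect fails at once; 127.0.0.1 would be
            # answered by anything listening locally (the HJT log shows a proxy on :81).
            out.append(ln.raw.replace("127.0.0.1", "0.0.0.0", 1))
        else:
            out.append(ln.raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for ln in hijacked_entries(parse_hosts(SAMPLE_HOSTS)):
        print("hijacked:", ln.raw)
    print(clean_hosts(SAMPLE_HOSTS))
```

Run it against a copy of `%SystemRoot%\system32\drivers\etc\hosts` (the file has no extension and may carry the read-only attribute, as the administrator notes) and write the result back only after reviewing the hijacked list. The reason for 0.0.0.0 is the one in the comment: a loopback address is answered by whatever listens on the machine, and the HijackThis log earlier in this thread shows a proxy bound to 127.0.0.1:81, whereas 0.0.0.0 cannot be connected to at all.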

Well...I may have re-opened some door. My malady has returned.

I remembered running smitfraudfix and it having said it found nothing, but I went to root c: to see if I could find its report (rapport.txt). It was not there, but two unknown exe files were: rhlj and lcfdx, and another, -858939365, with no extension. In the process of searching for info on them I may have double-clicked one. The file modified dates are identical and right about when I became infected.

I'll try to get back to where I was moments ago......


OK, back to where I was, fairly clean... still wondering about those c:\ files. They remain.

Re-deleted offender ctpmon at boot and ran smitfraudfix search and then clean at safe boot. It seems to have edited the hosts file as you advised, so that is done. RogueRemover Pro has been updated and a scan done, both automatically and manually: it says the system is immunized.

Looking for a rootkit scanner as per smitfraudfix advice: "huy32 detected, use a Rootkit scanner." Thoughts on that one? Searches turn up "gmer." http://www.gmer.net/index.php


RootkitRevealer hung twice on cleanup, or appeared to. Second run got further and exited OK. Allowed a log save, as follows:

HKU\S-1-5-21-4275444482-3655707654-1986034232-1005\RemoteAccess\InternetProfile 8/2/2004 1:16 PM 21 bytes Data mismatch between Windows API and raw hive data.

HKLM\SECURITY\Policy\Secrets\SAC* 9/3/2002 5:55 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 9/3/2002 5:55 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/7/2007 10:26 AM 80 bytes Data mismatch between Windows API and raw hive data.

C:\System Volume Information\catalog.wci0010001.ci 2/7/2007 10:32 AM 44.00 KB Visible in directory index, but not Windows API or MFT.

C:\System Volume Information\catalog.wci0010001.dir 2/7/2007 10:32 AM 682 bytes Visible in directory index, but not Windows API or MFT.

C:\System Volume Information\catalog.wci\CiFLfffc.000 2/7/2007 9:46 AM 240 bytes Visible in Windows API, MFT, but not in directory index.

C:\System Volume Information\catalog.wci\CiFLfffc.001 2/7/2007 9:46 AM 64.00 KB Visible in Windows API, MFT, but not in directory index.

C:\System Volume Information\catalog.wci\CiFLfffc.002 2/7/2007 9:46 AM 64.00 KB Visible in Windows API, MFT, but not in directory index.

C:\System Volume Information\catalog.wci\CiFLfffd.000 2/7/2007 10:32 AM 240 bytes Visible in directory index, but not Windows API or MFT.

C:\System Volume Information\catalog.wci\CiFLfffd.001 2/7/2007 10:32 AM 64.00 KB Visible in directory index, but not Windows API or MFT.

C:\System Volume Information\catalog.wci\CiFLfffd.002 2/7/2007 10:32 AM 64.00 KB Visible in directory index, but not Windows API or MFT.

Also ran GMER, which showed the huy32.sys presence and was scanning when the blue screen came: "BAD_POOL_HEADER"


Will do.

Gmer finished the second time.

Log:



GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-07 13:43:36
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Programs - added\AVG AntiSpyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Programs - added\AVG AntiSpyware 7.5\guard.sys ZwTerminateProcess

INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys A944416D
INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys A9443FC2

SYSENTER \??\C:\WINDOWS\System32:huy32.sys A9D66BCC

Code \??\C:\WINDOWS\System32:huy32.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!Kei386EoiHelper + 4E0 804DF53C 3 Bytes [ BD, C5, 6C ]
.text tcpip.sys!IPTransmit + 10B7 A9C48CFA 6 Bytes CALL A9D68995 \??\C:\WINDOWS\System32:huy32.sys
.text tcpip.sys!IPTransmit + 24D9 A9C4A11C 6 Bytes CALL A9D68995 \??\C:\WINDOWS\System32:huy32.sys
.text tcpip.sys!IPTransmit + 4662 A9C4C2A5 6 Bytes CALL A9D68995 \??\C:\WINDOWS\System32:huy32.sys
.text wanarp.sys BA76F3FD 7 Bytes CALL A9D6899F \??\C:\WINDOWS\System32:huy32.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\explorer.exe[1768] SHELL32.dll!SHFileOperationW 7CA6FB3E 5 Bytes JMP 00B31102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Devices - GMER 1.0.12 ----

Device \Driver\aksusb \Device000007f IRP_MJ_CREATE [A9AE825F] AKSCLASS.SYS
Device \Driver\aksusb \Device000007f IRP_MJ_CLOSE [A9AE825F] AKSCLASS.SYS
Device \Driver\aksusb \Device000007f IRP_MJ_DEVICE_CONTROL [A9AE73FD] AKSCLASS.SYS
Device \Driver\aksusb \Device000007f IRP_MJ_INTERNAL_DEVICE_CONTROL [A9AE7573] AKSCLASS.SYS
Device \Driver\aksusb \Device000007f IRP_MJ_POWER [A9AE847F] AKSCLASS.SYS
Device \Driver\aksusb \Device000007f IRP_MJ_SYSTEM_CONTROL [A9AE8061] AKSCLASS.SYS
Device \Driver\aksusb \Device000007f IRP_MJ_PNP [A9AE8F15] AKSCLASS.SYS

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\System32:huy32.sys (*** hidden *** ) [SYSTEM] huy32 <-- ROOTKIT !!!

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32\Enum
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32\Security
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32\Enum
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Checked 1

---- Files - GMER 1.0.12 ----

ADS C:\WINDOWS\SYSTEM32:huy32.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----


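The GMER entries above show the persistence pattern a defender should recognise: a kernel driver service (Type 1, Start 1) whose ImagePath is not a file under System32 but an alternate data stream attached to the System32 directory itself. The following is an added example, not code from GMER, Rustbfix or anyone in this thread: it parses lines in GMER's `Reg <key>@<value> <data>` format and flags any service whose ImagePath resolves into an ADS. The sample lines are constructed from the log above plus one benign driver entry (Beep) for contrast.

```python
"""Flag driver services whose ImagePath points into an NTFS alternate data
stream (ADS).  Added example for this thread; not code from GMER, Rustbfix
or the thread's participants.  Sample lines are constructed in the GMER
'Reg <key>@<value> <data>' format from the log above, plus one benign
driver entry (Beep) for contrast."""
import re
from dataclasses import dataclass, field

# One GMER "Reg" line per registry value:  Reg <key>@<valuename> <data>
REG_VALUE = re.compile(r"^Reg\s+(?P<key>\\Registry\\\S+?)@(?P<name>\w+)\s+(?P<data>.*)$")

# \??\C:\dir\file:stream -- a second colon after the drive letter's colon
# names an alternate data stream on the file or directory before it.
ADS_PATH = re.compile(r"^(?:\\\?\?\\)?(?P<base>[A-Za-z]:\\[^:]*):(?P<stream>[^:\\]+)$")

SERVICE_KERNEL_DRIVER = "1"   # Type 1
SERVICE_SYSTEM_START = "1"    # Start 1: loaded by the kernel at system start


@dataclass
class ServiceEntry:
    key: str
    values: dict = field(default_factory=dict)


def parse_gmer_reg_lines(lines):
    """Group GMER 'Reg' value lines by service key; later values overwrite."""
    services = {}
    for line in lines:
        m = REG_VALUE.match(line.strip())
        if m is None:
            continue  # bare key lines (no '@') and non-Reg lines are skipped
        entry = services.setdefault(m.group("key"), ServiceEntry(m.group("key")))
        entry.values[m.group("name")] = m.group("data").strip()
    return services


def ads_target(image_path):
    """Return (host, stream) when image_path names an ADS, else None."""
    m = ADS_PATH.match(image_path.strip())
    return (m.group("base"), m.group("stream")) if m else None


def find_ads_drivers(services):
    """Return one finding per service whose ImagePath lives in an ADS."""
    findings = []
    for key, svc in services.items():
        target = ads_target(svc.values.get("ImagePath", ""))
        if target is None:
            continue
        # ['', 'Registry', 'MACHINE', 'SYSTEM', <ControlSet>, 'Services', <name>]
        parts = key.split("\\")
        findings.append({
            "service": parts[-1],
            "control_set": parts[4],
            "host": target[0],
            "stream": target[1],
            "kernel_driver": svc.values.get("Type") == SERVICE_KERNEL_DRIVER,
            "system_start": svc.values.get("Start") == SERVICE_SYSTEM_START,
            "display_name": svc.values.get("DisplayName", ""),
        })
    return findings


# Constructed sample: the huy32 entries as GMER printed them, plus a
# constructed benign Beep driver whose ImagePath is an ordinary file.
SAMPLE_LOG = r"""
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Beep@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Beep@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Beep@ImagePath system32\drivers\beep.sys
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for f in find_ads_drivers(parse_gmer_reg_lines(SAMPLE_LINES)):
        print(f"{f['control_set']}: service {f['service']} ({f['display_name']!r}) "
              f"loads from ADS {f['host']}:{f['stream']} "
              f"kernel_driver={f['kernel_driver']} system_start={f['system_start']}")
```

The same check applies to a live system: any service ImagePath with a second colon after the drive letter deserves a look, because ordinary driver installers never place their binaries in a stream.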

  • Administrator

Your infection is a Rustock.B infection. Here are a couple of removal tools.

Rustbfix

RegRun Reanimator

Unzip it to any folder. Installation is not required.

  1. Open reanimator.exe.
  2. Click on the "Remove Rustock Rootkit".
  3. You will be prompted for using "RootkitNO" utility.
  4. Run it!
  5. You will be prompted to restart your computer.
  6. After restarting the Rustock file will be removed using Partizan.
After finishing the removal process you may remove Partizan from your Windows boot.

Click on the "UnInstall Partizan" button.

You can also delete the "RootkitNo" folder from the drive where Windows is installed.


I did the rustbfix since I saw it at TC for a similar (to the ignorant) huy32 issue.

Current pelog.txt:

************************* Rustock.b-fix -- By ejvindh *************************

Wed 02/07/2007 15:27:09.43

******************* Pre-run Status of system *******************

Rootkit driver huy32 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:

:huy32.sys 70570

Total size: 70570 bytes.

Attempting to remove ADS...

system32: deleted 70570 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:

No Rustock.b-files found in system32

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:

No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:

No Rustock.b-files found in system32

******************************* End of Logfile ********************************

Current avenger.txt:

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\kkecmjqx

*******************

Script file located at: \??\C:\Documents and Settings\lkudutco.txt

Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver huy32 unloaded successfully.

Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

Current hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:49:22 PM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Programs - added\AVG AntiSpyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Programs - added\iTunes 7\iTunesHelper.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Programs - added\DoubleSafety -  backup program\DoubleSafety.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Programs - added\RougeRemoverPRO 1.04\RogueRemoverPRO.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Programs - added\NaviScope\naviscope.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programs - added\IrView 3.95\i_view32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\SurMixer.exe
C:\Programs - added\EditPad 5.2\EditPad.exe
C:\Program Files\HijackThis 1.99.0.1\analyze.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {31065C7D-466B-E9D6-E5D7-01E29F863683} - C:\WINDOWS\System32\zaxkeak.dll
O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\PROGRA~2\NEWFOL~1\BXNEWF~1\BXNEWF~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1.4\SDHelper.dll
O2 - BHO: (no name) - {562D1B44-9B98-D678-E704-01358FB718F6} - C:\WINDOWS\System32\hcvleb.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programs - added\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programs - added\iTunes 7\iTunesHelper.exe"
O4 - HKLM\..\Run: [DoubleSafety] "C:\Programs - added\DoubleSafety -  backup program\DoubleSafety.exe" /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogueMonitor] C:\Programs - added\RougeRemoverPRO 1.04\RogueRemoverPRO.exe /monitor
O4 - Startup: naviscope.lnk = C:\Programs - added\NaviScope\naviscope.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ClipMate5.lnk = C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107468058468
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) - http://www.o2c.de/download/o2cplayer.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O16 - DPF: {BF3CD111-6278-11D2-9EA3-00A0C9251384} (O2C-Player Version 1.x) - http://www.o2c.de/download/O2CPlayer.CAB
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {EF6E7E56-9229-4C73-AAD0-15316405DB95} (Easy Photo Uploader) - http://preview.digiphoart4evergreen.photosite.com/~site/UploadBox/UploadBox_live.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programs - added\AVG AntiSpyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

Through due diligence, perhaps a brighter tomorrow.


Thanks, no, no new issues.

Those odd files are still in root C: two exes: rhlj and lcfdx, and another -858939365, no extension. The file modified dates are identical and right about when I became infected. Direct virus and spyware scans of them show nothing. Unless you advise otherwise I will delete.

I was hoping you would look at the HJT log file below if you did not look at the one above. But I really don't know what that entails, and it is long, and I am having no known issues.


Logfile of HijackThis v1.99.1
Scan saved at 5:51:48 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Programs - added\AVG AntiSpyware 7.5\guard.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programs - added\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Programs - added\iTunes 7\iTunesHelper.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programs - added\DoubleSafety - backup program\DoubleSafety.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe
C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Programs - added\SWFPrinterPro\swfpagent.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programs - added\RougeRemoverPRO 1.05\RogueRemoverPRO.exe
C:\Programs - added\utilities\ProcessLibrary\qaccess.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Programs - added\NaviScope\naviscope.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WksCal.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programs - added\EditPad 5.2\EditPad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis 1.99.0.1\analyze.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {31065C7D-466B-E9D6-E5D7-01E29F863683} - C:\WINDOWS\System32\zaxkeak.dll
O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\PROGRA~2\NEWFOL~1\BXNEWF~1\BXNEWF~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1.4\SDHelper.dll
O2 - BHO: (no name) - {562D1B44-9B98-D678-E704-01358FB718F6} - C:\WINDOWS\System32\hcvleb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programs - added\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programs - added\iTunes 7\iTunesHelper.exe"
O4 - HKLM\..\Run: [DoubleSafety] "C:\Programs - added\DoubleSafety - backup program\DoubleSafety.exe" /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SWF Printer Agent] "C:\Programs - added\SWFPrinterPro\swfpagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogueMonitor] C:\Programs - added\RougeRemoverPRO 1.05\RogueRemoverPRO.exe /monitor
O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Programs - added\utilities\ProcessLibrary\qaccess.exe" /startup
O4 - Startup: naviscope.lnk = C:\Programs - added\NaviScope\naviscope.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ClipMate5.lnk = C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107468058468
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) - http://www.o2c.de/download/o2cplayer.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O16 - DPF: {BF3CD111-6278-11D2-9EA3-00A0C9251384} (O2C-Player Version 1.x) - http://www.o2c.de/download/O2CPlayer.CAB
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {EF6E7E56-9229-4C73-AAD0-15316405DB95} (Easy Photo Uploader) - http://preview.digiphoart4evergreen.photosite.com/~site/UploadBox/UploadBox_live.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programs - added\AVG AntiSpyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

Thanks very much for your help.


Administrator

Generated by Tarun's HijackThis Converter v0.50 Beta.

Default-color items are optional, red are known to be malicious.

Created registry value

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81

Created extra registry value where only one should be

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Enumeration of existing IE's BHO's

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {31065C7D-466B-E9D6-E5D7-01E29F863683} - C:\WINDOWS\System32\zaxkeak.dll

O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\PROGRA~2\NEWFOL~1\BXNEWF~1\BXNEWF~1.DLL

O2 - BHO: (no name) - {562D1B44-9B98-D678-E704-01358FB718F6} - C:\WINDOWS\System32\hcvleb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Enumeration of suspicious auto-loading registry entries

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programs - added\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programs - added\iTunes 7\iTunesHelper.exe"

O4 - HKLM\..\Run: [DoubleSafety] "C:\Programs - added\DoubleSafety - backup program\DoubleSafety.exe" /logon

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [RogueMonitor] C:\Programs - added\RougeRemoverPRO 1.05\RogueRemoverPRO.exe /monitor

O4 - HKCU\..\Run: [uniblue Quick Access] "C:\Programs - added\utilities\ProcessLibrary\qaccess.exe" /startup

O4 - Startup: naviscope.lnk = C:\Programs - added\NaviScope\naviscope.exe

O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: ClipMate5.lnk = C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe

O4 - Global Startup: Dell Control Utility.lnk = ?

O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

Disabling of "Internet Options" Main tab with Policies

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Extra IE context menu items

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm

O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm

O8 - Extra context menu item: Download using LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\AddUrl.html

O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Wizard.html

O8 - Extra context menu item: Parse with LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Parser.html

Extra "Tools" menu items and buttons

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

IE plugins for file extensions or MIME types

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

Trusted Zone Autoadd

O15 - Trusted Zone: *.musicmatch.com

O15 - Trusted Zone: *.musicmatch.com (HKLM)

Downloaded Program Files item

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) - http://www.o2c.de/download/o2cplayer.cab

O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab

O16 - DPF: {BF3CD111-6278-11D2-9EA3-00A0C9251384} (O2C-Player Version 1.x) - http://www.o2c.de/download/O2CPlayer.CAB

O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {EF6E7E56-9229-4C73-AAD0-15316405DB95} (Easy Photo Uploader) - http://preview.digiphoart4evergreen.photos...oadBox_live.cab

AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)

Suggestions:

- Uninstall Adobe Reader and get Foxit Reader.

- Uninstall things like Google Desktop Search, Google Toolbar and any other toolbar that is installed.

- Uninstall things like RealPlayer and QuickTime. Instead use the K-Lite Mega Codec Pack.

- If you don't have an iPod and only use iTunes to listen to mp3s, consider switching to something like musikcube or another nice freeware software that has a lot of functionality.

- Update Internet Explorer to version 7. There are many bugfixes and security improvements.

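The converter output above sorts the log by HijackThis section and leaves the judgement (red versus default) to the reader. The script below is an added example that is not part of this thread, HijackThis or Tarun's converter: it parses the `Rn - ...` / `Onn - ...` entry lines and applies a few rules drawn from what this page flags, namely orphaned entries ("(no file)" / "(file missing)"), nameless BHOs living in System32 under random-looking names, an IE proxy on a loopback port, IE policy restrictions, Trusted Zone additions, and the Winlogon Notify and AppInit_DLLs loaders. The severity names ("red", "orphan", "review"), the regexes and the wording of the reasons are my own heuristics; SAMPLE_LOG is a constructed subset of the log posted above.

```python
"""Triage HijackThis 1.99.1 entry lines in the spirit of the converter output above.

Added example, not HijackThis or Tarun's converter: the rules, the severity
names ("red", "orphan", "review") and the regexes are the editor's own
heuristics. SAMPLE_LOG is constructed from lines of the posted log.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*)$")
LOOPBACK_PROXY_RE = re.compile(r"=\s*(?:http=)?127\.0\.0\.1:\d+")
# Nameless BHO whose DLL sits in System32 under a short, all-lowercase name:
# matches zaxkeak.dll and hcvleb.dll above, not AcroIEHelper.dll or ssv.dll.
SYSTEM32_RANDOM_DLL_RE = re.compile(r"\\WINDOWS\\System32\\[a-z]{5,8}\.dll$")


@dataclass(frozen=True)
class Finding:
    kind: str       # HJT section, e.g. "O2"
    severity: str   # "red": fix with HJT; "orphan": dead entry, safe to fix; "review": needs a human
    reason: str
    line: str


def parse_entries(log_text):
    """Return (kind, body, line) for every HJT entry; headers and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["kind"], m["body"], raw.strip()))
    return entries


def triage_entry(kind, body, line):
    """Apply the rules to one entry and return a (possibly empty) list of Findings."""
    found = []
    orphan = "(no file)" in body or "(file missing)" in body
    if kind == "R1" and "ProxyServer" in body and LOOPBACK_PROXY_RE.search(body):
        found.append(Finding(kind, "review", "IE proxy points at a loopback port; identify the listening "
                             "process first (a local filtering proxy is benign, an unknown one is not)", line))
    elif kind == "R3" and orphan:
        found.append(Finding(kind, "orphan", "URLSearchHook whose DLL is gone", line))
    elif kind == "O2":
        if orphan:
            found.append(Finding(kind, "orphan", "BHO CLSID registered but DLL gone", line))
        elif body.startswith("BHO: (no name)") and SYSTEM32_RANDOM_DLL_RE.search(body):
            found.append(Finding(kind, "red", "nameless BHO with a random-looking DLL in System32; "
                                 "typical adware/spyware loader", line))
    elif kind == "O6":
        found.append(Finding(kind, "review", "IE policy restrictions present; fix unless the user set them", line))
    elif kind == "O15":
        found.append(Finding(kind, "review", "Trusted Zone entry: that site runs with relaxed IE security", line))
    elif kind == "O20" and "Winlogon Notify" in body:
        found.append(Finding(kind, "orphan" if orphan else "review",
                             "Winlogon Notify DLL would load into winlogon.exe as SYSTEM"
                             + ("; file missing, remove the dead key" if orphan else "; verify the publisher"),
                             line))
    elif kind == "O20" and "AppInit_DLLs" in body:
        found.append(Finding(kind, "review", "AppInit_DLLs injects this DLL into every process that loads "
                             "user32.dll; verify the publisher", line))
    return found


def triage_log(log_text):
    """Run triage_entry over every entry in the log and collect the findings."""
    findings = []
    for kind, body, line in parse_entries(log_text):
        findings.extend(triage_entry(kind, body, line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {"red": 2, "orphan": 3, "review": 4}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: a subset of the log posted above, copied verbatim.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31065C7D-466B-E9D6-E5D7-01E29F863683} - C:\WINDOWS\System32\zaxkeak.dll
O2 - BHO: (no name) - {562D1B44-9B98-D678-E704-01358FB718F6} - C:\WINDOWS\System32\hcvleb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.musicmatch.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.kind}: {f.reason}\n         {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Run on the sample it reports the two System32 BHOs as red, three dead entries (the URLSearchHook, the fileless BHO and the missing Winlogon Notify DLL) as orphans, and four items for a human to look at. The loopback proxy deliberately lands in "review" rather than "red": this log also shows a local filtering proxy (NaviScope) and a WebWasher context menu, so the right next step on the machine is to find out which process owns port 81 before touching the setting.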

Uh, duh...Thanks.

I'll check HJT for leads on dealing with the red items and try to digest the others as well.

Obviously you've considered adding boilerplate recommendations for these things but decided against including them.

A little later... Reading returns from googling your log analysis implies all items (red and blue) should be removed with HJT.

Please confirm and thanks, again.


This topic is now closed to further replies.