
Need help cleaning up system - here is HJT logfile

I ran Ad-Aware and Spybot; here is the HJT logfile. Please advise.

Thanks,
Andrea

Logfile of HijackThis v1.99.1
Scan saved at 7:50:15 PM, on 2/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\atitvo32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Documents and Settings\Mike\Application Data\usus.exe
C:\WINDOWS\system32\t?skmgr.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {464891E9-5229-72AA-7BE4-7295C3A2DC98} - C:\WINDOWS\system32\epdrhoml.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {2A141840-27AC-444C-9110-D306F861AA90} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [4.exe] C:\Documents and Settings\Mike\Local Settings\Temp\4.exe
O4 - HKLM\..\Run: [14c50e6ce648] C:\WINDOWS\system32\atitvo32.exe
O4 - HKLM\..\Run: [tojzmt] c:\windows\system32\tojzmt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IESecurity] C:\Program Files\IESecurity\IESecurity.exe
O4 - HKCU\..\Run: [Tcpp] C:\Documents and Settings\Mike\Application Data\usus.exe
O4 - HKCU\..\Run: [Ohdtq] C:\WINDOWS\system32\t?skmgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.americawest.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.armls.com
O15 - Trusted Zone: *.ati.com
O15 - Trusted Zone: *.atitech.com
O15 - Trusted Zone: http://www.ci.gilbert.az.us
O15 - Trusted Zone: *.az.us
O15 - Trusted Zone: *.bfast.com
O15 - Trusted Zone: *.C:
O15 - Trusted Zone: *.cartoonnetwork.com
O15 - Trusted Zone: *.cirquedusoleil.com
O15 - Trusted Zone: *.couponsense.com
O15 - Trusted Zone: *.despair.com
O15 - Trusted Zone: *.down.net
O15 - Trusted Zone: *.ea.com
O15 - Trusted Zone: *.easports.com
O15 - Trusted Zone: *.easportsbig.com
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.esisnet.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: http://www.guildmagic.com
O15 - Trusted Zone: *.harley-davidson.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.irobotmovie.com
O15 - Trusted Zone: *.jibjab.com
O15 - Trusted Zone: *.joecartoon.com
O15 - Trusted Zone: *.lds.org
O15 - Trusted Zone: *.ldscatalog.com
O15 - Trusted Zone: *.luxor.com
O15 - Trusted Zone: *.mac.com
O15 - Trusted Zone: *.magelo.com
O15 - Trusted Zone: http://www.megaproxy.com
O15 - Trusted Zone: http://content.health.msn.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.neopets.com
O15 - Trusted Zone: *.nvidia.com
O15 - Trusted Zone: *.ozomatli.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.playerauctions.com
O15 - Trusted Zone: *.playstation.com
O15 - Trusted Zone: *.rustedroot.com
O15 - Trusted Zone: *.shockwave.com
O15 - Trusted Zone: *.sony.com
O15 - Trusted Zone: *.sonystyle.com
O15 - Trusted Zone: *.srpcuaz.org
O15 - Trusted Zone: *.surefit.net
O15 - Trusted Zone: http://www.time.gov
O15 - Trusted Zone: *.time.gov
O15 - Trusted Zone: *.toteme.com
O15 - Trusted Zone: *.unconquered.org
O15 - Trusted Zone: *.upcominghorrormovies.com
O15 - Trusted Zone: *.vanhelsing.net
O15 - Trusted Zone: http://www.visualtour.com
O15 - Trusted Zone: *.yamaha-motor.com
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_3_EN_XP.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} - http://www.sitetracking.info/cttdl.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup131.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Comments

  • Crunchie (Mandurah, Western Australia), Member
    edited February 2005
    Try the PurityScan uninstaller.

    Go here to TrendMicro for an on-line scan & set it to autoclean for you. When it completes, post back the full filename of any files that cannot be cleaned or deleted.

    Try this scan at Panda as well.


    Reboot and post another log and we will fix the leftovers manually.
  • edited March 2005
    OK, I ran the scans you suggested.

    Here is the list of files that could not be disinfected by Panda.

    Incident Status Location

    Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\atitvo32.exe
    Adware:Adware/eZula No disinfected C:\ezStub.exe
    Spyware:Spyware/ISTbar No disinfected C:\DOCUME~1\Mike\LOCALS~1\Temp\iinstall.exe
    Adware:Adware/PurityScan No disinfected C:\buddy.exe
    Adware:Adware/BrowserAid No disinfected C:\WINDOWS\system32\stlbdist.dll
    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\downloaded program files\setup.inf
    Adware:Adware/CWS No disinfected Windows Registry
    Adware:Adware/StatBlaster No disinfected C:\Program Files\Media\Media
    Spyware:Spyware/ShopNav No disinfected C:\superbar files
    Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
    Adware:Adware/Hotbar No disinfected C:\WINDOWS\downloaded program files\winhot32.inf
    Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers
    Adware:Adware/MediaTickets No disinfected Windows Registry
    Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Mike\Application Data\Lycos
    Adware:Adware/IEDriver No disinfected C:\Program Files\MaxSpeed
    Adware:Adware/SideFind No disinfected Windows Registry
    Adware:Adware/ISearch No disinfected C:\WINDOWS\downloaded program files\initial.inf
    Adware:Adware/ClockSync No disinfected C:\Program Files\ClockSync
    Adware:Adware/SuperSpider No disinfected Windows Registry
    Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\lmf32v.dll
    Adware:Adware/Transponder No disinfected Windows Registry
    Adware:Adware/PurityScan No disinfected C:\Buddy.exe
    Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Mike\Application Data\usus.exe
    Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Mike\Local Settings\Temp\!update.exe
    Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Mike\Local Settings\Temp\buddy.exe
    Adware:Adware/IEDriver No disinfected C:\Documents and Settings\Mike\Local Settings\Temp\ckzd8eb\Files\sx.htm
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Mike\Local Settings\Temp\DrTemp\thin-140-1-x-x.exe
    Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Mike\Local Settings\Temp\iinstall.exe
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\6NZEO8GL\exe1[1].exe
    Adware:Adware/eZula No disinfected C:\ezStub.exe
    Adware:Adware/PurityScan No disinfected C:\install-tag001.exe
    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\ceres.dll
    Adware:Adware/ISearch No disinfected C:\WINDOWS\Downloaded Program Files\initial.inf
    Adware:Adware/Hotbar No disinfected C:\WINDOWS\Downloaded Program Files\winhot32.inf
    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\ceres.inf
    Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\asferror.exe
    Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\atitvo32.exe
    Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\ceutil37.exe
    Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\epdrhoml.dll
    Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\lmf32v.dll
    Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\PreUninstall.exe
    Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\uninst.exe

    And here is the new HJT log after reboot.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:53:54 PM, on 3/1/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\atitvo32.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {2A141840-27AC-444C-9110-D306F861AA90} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [4.exe] C:\Documents and Settings\Mike\Local Settings\Temp\4.exe
    O4 - HKLM\..\Run: [14c50e6ce648] C:\WINDOWS\system32\atitvo32.exe
    O4 - HKLM\..\Run: [tojzmt] c:\windows\system32\tojzmt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [IESecurity] C:\Program Files\IESecurity\IESecurity.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.americawest.com
    O15 - Trusted Zone: *.apple.com
    O15 - Trusted Zone: *.armls.com
    O15 - Trusted Zone: *.ati.com
    O15 - Trusted Zone: *.atitech.com
    O15 - Trusted Zone: http://www.ci.gilbert.az.us
    O15 - Trusted Zone: *.az.us
    O15 - Trusted Zone: *.bfast.com
    O15 - Trusted Zone: *.C:
    O15 - Trusted Zone: *.cartoonnetwork.com
    O15 - Trusted Zone: *.cirquedusoleil.com
    O15 - Trusted Zone: *.couponsense.com
    O15 - Trusted Zone: *.despair.com
    O15 - Trusted Zone: *.down.net
    O15 - Trusted Zone: *.ea.com
    O15 - Trusted Zone: *.easports.com
    O15 - Trusted Zone: *.easportsbig.com
    O15 - Trusted Zone: *.ebay.com
    O15 - Trusted Zone: *.esisnet.com
    O15 - Trusted Zone: *.go.com
    O15 - Trusted Zone: http://www.guildmagic.com
    O15 - Trusted Zone: *.harley-davidson.com
    O15 - Trusted Zone: *.honda.com
    O15 - Trusted Zone: *.irobotmovie.com
    O15 - Trusted Zone: *.jibjab.com
    O15 - Trusted Zone: *.joecartoon.com
    O15 - Trusted Zone: *.lds.org
    O15 - Trusted Zone: *.ldscatalog.com
    O15 - Trusted Zone: *.luxor.com
    O15 - Trusted Zone: *.mac.com
    O15 - Trusted Zone: *.magelo.com
    O15 - Trusted Zone: http://www.megaproxy.com
    O15 - Trusted Zone: http://content.health.msn.com
    O15 - Trusted Zone: *.msn.com
    O15 - Trusted Zone: *.neopets.com
    O15 - Trusted Zone: *.nvidia.com
    O15 - Trusted Zone: *.ozomatli.com
    O15 - Trusted Zone: *.paypal.com
    O15 - Trusted Zone: *.playerauctions.com
    O15 - Trusted Zone: *.playstation.com
    O15 - Trusted Zone: *.rustedroot.com
    O15 - Trusted Zone: *.shockwave.com
    O15 - Trusted Zone: *.sony.com
    O15 - Trusted Zone: *.sonystyle.com
    O15 - Trusted Zone: *.srpcuaz.org
    O15 - Trusted Zone: *.surefit.net
    O15 - Trusted Zone: http://www.time.gov
    O15 - Trusted Zone: *.time.gov
    O15 - Trusted Zone: *.toteme.com
    O15 - Trusted Zone: *.unconquered.org
    O15 - Trusted Zone: *.upcominghorrormovies.com
    O15 - Trusted Zone: *.vanhelsing.net
    O15 - Trusted Zone: http://www.visualtour.com
    O15 - Trusted Zone: *.yamaha-motor.com
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_3_EN_XP.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} - http://www.sitetracking.info/cttdl.cab
    O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup131.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    Thanks again.

    Andrea
  • Crunchie (Mandurah, Western Australia), Member
    edited March 2005
    Run HijackThis and go to the process viewer (Config, Misc Tools, Process Viewer) to unload all instances of the following running processes:
    C:\WINDOWS\system32\atitvo32.exe


    Scan with HijackThis and tick the boxes next to all the following entries, then close all browser and Explorer windows, and hit the "Fix checked" button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm

    O3 - Toolbar: (no name) - {2A141840-27AC-444C-9110-D306F861AA90} - (no file)

    O4 - HKLM\..\Run: [4.exe] C:\Documents and Settings\Mike\Local Settings\Temp\4.exe
    O4 - HKLM\..\Run: [14c50e6ce648] C:\WINDOWS\system32\atitvo32.exe
    O4 - HKLM\..\Run: [tojzmt] c:\windows\system32\tojzmt.exe
    O4 - HKCU\..\Run: [IESecurity] C:\Program Files\IESecurity\IESecurity.exe

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)

    O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binari...ice_3_EN_XP.cab
    Electronic-Group Dialer
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
    iSearch Toolbar
    O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} - http://www.sitetracking.info/cttdl.cab
    AdPopper
    O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
    SpiderSearch Hijacker

    Reboot into safe mode following the instructions here and navigate to and delete the following if found:

    C:\Documents and Settings\Mike\Local Settings\Temp----folder contents
    C:\Program Files\IESecurity----folder
    C:\Program Files\couponsandoffers----folder
    C:\Documents and Settings\Mike\Application Data\Lycos----folder
    C:\Program Files\MaxSpeed----folder
    C:\Program Files\ClockSync----folder
    C:\Program Files\Media----folder
    C:\superbar files----folder
    C:\WINDOWS\bsx32----folder

    C:\WINDOWS\system32\atitvo32.exe----file
    c:\windows\system32\tojzmt.exe----file
    C:\ezStub.exe----file
    C:\buddy.exe----file
    C:\WINDOWS\system32\stlbdist.dll----file
    C:\WINDOWS\CERES.DLL----file
    C:\WINDOWS\downloaded program files\setup.inf----file
    C:\WINDOWS\downloaded program files\winhot32.inf----file
    C:\WINDOWS\system32\lmf32v.dll----file
    C:\Buddy.exe----file
    C:\Documents and Settings\Mike\Application Data\usus.exe----file
    C:\install-tag001.exe----file
    C:\WINDOWS\Buddy.exe----file
    C:\WINDOWS\Downloaded Program Files\initial.inf----file
    C:\WINDOWS\inf\ceres.inf----file
    C:\WINDOWS\system32\asferror.exe----file
    C:\WINDOWS\system32\ceutil37.exe----file
    C:\WINDOWS\system32\epdrhoml.dll----file
    C:\WINDOWS\system32\PreUninstall.exe----file
    C:\WINDOWS\system32\uninst.exe----file

    Clear out your Temporary internet files and other temp files.
    Go to Start > Settings > Control Panel > Internet Options.

    Under the General tab, click Delete Temporary Internet Files and delete all offline content as well. Clear out cookies.

    Also, go to Start > Find/Search > Files or Folders; in the Named box type *.tmp, then choose Edit > Select All, then File > Delete.

    Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

    C:\Documents and Settings\username\Local Settings\Temp\

    In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to do that are here.

    Empty the Recycle Bin.

    Reboot normally after doing the above, rescan with HijackThis, then post that log here please.

    Download, install and keep updated SpywareBlaster from www.javacoolsoftware.com to help keep your system clean.

    Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.
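The helper's reply above picks out, by eye, the entries in the log that look wrong: a search bar redirected to a local file, Run entries launched from Temp or Application Data or named with a bare hex string, orphaned toolbars and buttons, downloaded ActiveX controls with no class description, and a Trusted Zone entry that is not even a hostname. The script below is an added example, not HijackThis code and not the thread's own method: it encodes those same checks as heuristics and runs them over a few lines copied from the logs posted in this thread. The rule set (the path patterns, the eight-hex-character name rule, the "(no file)" and "(file missing)" markers) is my assumption, and every hit is something for a person to review, not a verdict.

```python
"""Heuristic first-pass triage of a HijackThis (HJT) log.

Added example for this thread; not HijackThis code. The rules are
assumptions modelled on the entries the helper flagged by hand.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of lines taken from the two HJT logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2A141840-27AC-444C-9110-D306F861AA90} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [4.exe] C:\Documents and Settings\Mike\Local Settings\Temp\4.exe
O4 - HKLM\..\Run: [14c50e6ce648] C:\WINDOWS\system32\atitvo32.exe
O4 - HKCU\..\Run: [Tcpp] C:\Documents and Settings\Mike\Application Data\usus.exe
O4 - HKCU\..\Run: [Ohdtq] C:\WINDOWS\system32\t?skmgr.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.C:
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "O4"
    reason: str   # why the entry deserves a human look
    line: str     # the original log line


ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Auto-started executables living in user-writable scratch locations (assumed rule).
USER_WRITABLE_RE = re.compile(r"\\(Local Settings\\Temp|Application Data|Temp)\\", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[([^\]]*)\]")          # the [value name] of a Run entry
HEX_NAME_RE = re.compile(r"[0-9a-f]{8,}", re.IGNORECASE)
HOSTNAME_RE = re.compile(r"^(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def check_entry(section: str, body: str) -> list[str]:
    """Return the reasons (possibly none) why one HJT entry deserves review."""
    reasons: list[str] = []
    if section in ("R0", "R1") and "= file://" in body:
        reasons.append("IE start or search page points at a local file")
    elif section == "O3" and body.endswith("(no file)"):
        reasons.append("orphaned toolbar registration (no file)")
    elif section == "O4":
        if USER_WRITABLE_RE.search(body):
            reasons.append("autorun launches from Temp or Application Data")
        name = RUN_NAME_RE.search(body)
        if name and HEX_NAME_RE.fullmatch(name.group(1)):
            reasons.append("autorun value name is a bare hex string")
        if "?" in body:
            reasons.append("file name has a character HJT printed as '?' (look-alike of a system name)")
    elif section == "O9" and body.endswith("(file missing)"):
        reasons.append("IE button or menu item points at a missing file")
    elif section == "O15":
        host = re.sub(r"^https?://", "", body.split(":", 1)[1].strip())
        if not HOSTNAME_RE.match(host):
            reasons.append("Trusted Zone entry is not a hostname")
    elif section == "O16":
        head = body.partition(" - ")[0]          # "DPF: {CLSID} (Name)" or just "DPF: {CLSID}"
        if "(" not in head:
            reasons.append("downloaded ActiveX control with no class description")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Parse an HJT log and return one Finding per (entry, reason) pair."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:                                 # header, process list, blank line
            continue
        section, body = m.groups()
        for reason in check_entry(section, body):
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```

Running the script prints one finding per flagged entry; it only reads text and never touches the registry or any file, so it is safe to run against a log pasted from any machine. On the sample above it flags nine lines and leaves the AVG, Google, netscape.com, apple.com and HouseCall entries alone, which matches what the helper chose to fix.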