
Trojan.Zonebac Please Help

edited February 2007 in Spyware & Virus Removal
Hello All,
I have noticed I have been having some problems with a computer for the past few days. I cannot log into AIM; also, my Symantec Antivirus and Norton Personal Firewall are not showing up in the task window on my toolbar. I am also unable to perform a system restore, and some websites I cannot visit; I get an "unable to connect to that site" window. When I look in my history it shows 88.80.5.21 and I have not visited that site.
I've tried running Adware, Spybot, and I've updated my Spyware Blaster. Also, Symantec Antivirus could not find anything on a scan. I also tried running it in Safe Mode. Symantec's website defines this as Trojan.Zonebac; I did what Symantec suggested to remove it with no results. Nothing was changed in the registry like they suggested. Below is the HijackThis log; anyone that can help, I'd really appreciate it!!!!

Logfile of HijackThis v1.99.1
Scan saved at 11:28:17 AM, on 1/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jeffersonambulance.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108161078\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MedtronicDataTransmitter 1.1.0] "C:\Program Files\Medtronic Emergency Response Systems\Biphasic LIFEPAK 500 AED - V6.0 - Software Update\MedtronicDataTransmitter.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
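Added example (not code from this thread, HijackThis or any tool named in it): a small Python triage helper for HijackThis v1.99.1 logs in the layout above. It cross-references O4 autorun entries against the "Running processes" list, flags entries marked "(file missing)", and flags autoruns whose image is a bare filename resolved through the search path, which are the entries a helper reads first. The sample log is constructed from a few lines of the posted log; the function names are the example's own.

```python
import re

# Constructed sample: a handful of lines in the same HijackThis v1.99.1 layout
# as the log posted above (paths are copied from that log, not a new scan).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:28:17 AM, on 1/17/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jeffersonambulance.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis finding starts with a section code such as R0, O4, O23.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Registry autoruns: "HKLM\..\Run: [Name] command" (Run and RunOnce keys).
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(.+?)\] (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and its findings."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line closes the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m.group(1), "body": m.group(2), "raw": line})
    return {"processes": processes, "entries": entries}


def command_image(command):
    """Return the executable token of an autorun command: the quoted path if present,
    otherwise the first whitespace-delimited word (e.g. Rundll32.exe)."""
    m = re.match(r'^"([^"]+)"|^(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Cross-check the findings against the process list and return three lists:
    entries whose target file is missing, O4 autoruns whose image was not running
    at scan time, and O4 autoruns that name a bare file resolved via the search path."""
    parsed = parse_hjt(text)
    running = {basename(p) for p in parsed["processes"]}
    report = {"missing_file": [], "not_running": [], "bare_image": []}
    for e in parsed["entries"]:
        if "(file missing)" in e["body"]:
            report["missing_file"].append(e["raw"])
        if e["section"] != "O4":
            continue
        m = O4_RE.match(e["body"])
        if not m:
            continue                  # Global Startup shortcuts use another layout
        _hive, name, command = m.groups()
        image = command_image(command)
        if not re.search(r"[\\:%]", image):
            report["bare_image"].append(name)
        if basename(image) not in running:
            report["not_running"].append(name)
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

An autorun that is not running is not proof of anything by itself (a scheduled or crashed program looks the same), but it narrows what to look up next.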

Comments

  • Crunchie, Mandurah, Western Australia. Member
    edited January 2007
    Please download and install the AVG Anti-Spyware tool.
    • Close all other applications, select language, click OK.
    • Click I Agree.
    • Click Next.
    • Click Install.
    • Click Finish.
    • Wait and AVG Anti-Spyware will open to the main screen automatically.
    • Wait again a few minutes and AVG Anti-Spyware should auto-update itself. If it doesn't, click Update at the top of the screen.
    • It is very important to get the updates.
    • When updating has finished, close AVG Anti-Spyware.
    If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
    • Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer.
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear; use the up arrow to highlight.
    • Select the first option, to run Windows in Safe Mode, and hit Enter.
    • For additional help in booting into Safe Mode, see the following site: HERE

      You MUST manage to get into Safe Mode for the fix to work.
    Make sure to close all open windows/programs/folders. Have nothing else open while AVG Anti-Spyware performs its scan!
    • Run AVG Anti-Spyware.
    • Click on Scanner at the top of the AVG Anti-Spyware screen.
    • Click on Settings.
    • Under How to Act, click on Recommended Action and choose Quarantine.
    • Under How to scan, all boxes should be selected.
    • Under Possibly unwanted software, all boxes should be selected.
    • On the right side under Reports, click on Automatically generate report after every scan.
    • Under What to scan, select Scan every file.
    • Click on the Scan tab.
    • Click on Complete system scan.
    • Let the program scan the machine. It can take a while; give it time.
    • When the scan has finished, at the bottom of the screen click Apply all Actions.
    • Click Save report.
    • Click Save Report as (a Save As window should pop up).
    • Click Desktop.
    • Click Save.
    • Exit AVG Anti-Spyware.
    Reboot back to normal mode.
    Post the log here.
  • edited January 2007
    I ran into a problem when I tried to update. The manual update would not work. I got an error.
  • Crunchie, Mandurah, Western Australia. Member
    edited January 2007
    And the error was? Try updating again as the server may have been busy.
  • edited January 2007
    Sorry for the delay. I wasn't around that computer to get the exact message. I have been having the problem since I installed AVG a few days ago when I was trying to fix the problem myself. The error message is "Error: Failed to connect to server update,ewido,net". I tried doing the manual update and I still get it. (, = . [I was not able to post a period])

    My guess is it has something to do with the virus since I can't visit some websites. Now I am not sure if it is Trojan.Zonebac; that is just what I found out when doing research on 88.80.5.21 in the history. Now I did go ahead into the internet settings and restrict that IP address under Security and also Privacy. Since I have done that, I haven't seen that address in my history.

    Let me know what else we could try. If it will work, I can install AVG on another computer that is on the same network and run it off that computer on the infected computer, if that is at all possible. I'm not too familiar with running programs on different computers like that. Thanks again for the help.

    JC
  • Crunchie, Mandurah, Western Australia. Member
    edited January 2007
    Go here and download then run Silent Runners.vbs. Right click on the download link and select Save Target As. Save it to the desktop or to a folder in a permanent directory. It generates a log which will be created in the same folder you are running it from. Please post the information back in this thread.
    If you have a script blocking program, please allow the file to run. It is not malicious.
  • edited January 2007
    Here are the results:


    "Silent Runners.vbs", revision R50,
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" [file not found]

    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
    "FlashPlayerUpdate" = "C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe" ["Adobe Systems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    "VTTimer" = "VTTimer.exe" [file not found]
    "SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]
    "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
    "AOL Spyware Protection" = ""C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
    "Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
    "AlcxMonitor" = "ALCXMNTR.EXE" ["Realtek Semiconductor Corp."]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Web assistant"
    -> {HKLM...CLSID} = "CNisExtBho Class"
    \InProcServer32\(Default) = "c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Helper"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
    -> {HKLM...CLSID} = "RecordNow! SendToExt"
    \InProcServer32\(Default) = "c:\Program Files\Sonic RecordNow!\shlext.dll" [null data]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
    -> {HKLM...CLSID} = "SampleView"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
    "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
    -> {HKLM...CLSID} = "VpshellEx Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
    -> {HKLM...CLSID} = "Universal Plug and Play Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
    -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
    <<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
    -> {HKLM...CLSID} = "VpshellEx Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
    -> {HKLM...CLSID} = "VpshellEx Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]


    Group Policies {GPedit.msc branch and setting}:

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|System|
    Prevent access to registry editing tools}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Enabled Screen Saver:

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssflwbox.scr" [MS]


    Startup items in "Compaq_Owner" & "All Users" startup folders:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
    "America Online 9.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 9.0\aoltray.exe -check" ["America Online, Inc."]
    "OKI LPR Utility" -> shortcut to: "C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe" ["Oki Data Corporation"]


    Enabled Scheduled Tasks:

    "MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
    "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{4982D40A-C53B-4615-B15B-B5B5E98D167C}"
    -> {HKLM...CLSID} = "AOL Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = (no title provided)
    -> {HKLM...CLSID} = "AOL Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

    {4982D40A-C53B-4615-B15B-B5B5E98D167C}\
    "ButtonText" = "AOL Toolbar"
    "MenuText" = "AOL Toolbar"
    "CLSIDExtension" = "{4982D40A-C53B-4615-B15B-B5B5E98D167C}"
    -> {HKLM...CLSID} = "AOL Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" ["IE Toolbar"]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Miscellaneous IE Hijack Points

    HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
    <<H>> "PostNotCached" = "res://ieframe.dll/repost.htm" [MS]
    <<H>> "NoAdd-ons" = "res://ieframe.dll/noaddon.htm" [MS]
    <<H>> "NoAdd-onsInfo" = "res://ieframe.dll/noaddoninfo.htm" [MS]
    <<H>> "SecurityRisk" = "res://ieframe.dll/securityatrisk.htm" [MS]
    <<H>> "Tabs" = "res://ieframe.dll/tabswelcome.htm" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):

    AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["AOL LLC"]
    AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
    DCS Loader, DCSLoader, "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE" ["Oki Data Corporation"]
    LightScribeService Direct Disc Labeling Service, LightScribeService, ""c:\Program Files\Common Files\LightScribe\LSSrvc.exe"" [empty string]
    Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
    Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
    Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
    Symantec Event Manager, ccEvtMgr, ""c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
    Symantec Network Drivers Service, SNDSrvc, ""c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
    Symantec Network Proxy, ccProxy, ""c:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
    Symantec Settings Manager, ccSetMgr, ""c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
    SymWMI Service, SymWSC, ""c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
    WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
    Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


    Print Monitors:

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
    OKI HiperC Language Monitor2\Driver = "OPDMN014.DLL" ["Okidata Corporation"]
    OKI LPR Port\Driver = "oklprmon.dll" ["Oki Data Corporation"]


    <<!>>: Suspicious data at a malware launch point.
    <<H>>: Suspicious data at a browser hijack point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    (total run time: 42 seconds, including 6 seconds for message boxes)
  • Crunchie, Mandurah, Western Australia. Member
    edited January 2007
    Not seeing anything in that log either. Are you able to update AVG yet, or run it at all?
  • edited January 2007
    I can run it but that is without updating it. Should I try taking the sites I blocked (88.80.5.21) out of the blocked internet settings?
  • Crunchie, Mandurah, Western Australia. Member
    edited January 2007
    Try running it first and see what it finds, then unblock the site, rescan with HijackThis and post the log.
  • edited January 2007
    Didn't have much luck with the scan. I also attached a copy of the new HijackThis log. In my original post, I included the first HijackThis log; not sure if there is going to be any difference.

    AVG Anti-Spyware - Scan Report

    + Created at: 7:34:47 PM 1/22/2007

    + Scan result:

    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : No action taken.

    ::Report end

    Logfile of HijackThis v1.99.1
    Scan saved at 7:40:46 PM, on 1/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Compaq_Owner\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jeffersonambulance.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited January 2007
    Still not seeing anything :(.

    Please visit the following site and run this online trojan scanner

    TrojanScan


    ==

    Download
    SDFix
    and save it to your desktop.

    Please then reboot your computer in Safe Mode by doing the
    following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the
      Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to
      start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the
      registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool
      will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and
      display Finished, then press any key to end the script and load
      your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the
      contents of the results file Report.txt back onto the forum with
      a new HijackThis log
  • edited January 2007
    I ran the scan with the online scan and attached you'll find the results.

    Also are the results of SDFix and also a new hijackthis log.

    If it helps at all, here are some problems I am having, to hopefully help with the diagnosis. Norton Personal Firewall and AIM won't start up. Symantec Antivirus doesn't show in the taskbar but will start if you run it manually. When you right click, Symantec Antivirus tries to configure. I get the message: Please wait while Windows configures Symantec Antivirus. If you go to AOL.com and go under mail, I cannot see the frame to log in. I have the famous Internet Explorer window "This page cannot be (can't see the rest of the message).."



    Trojan Scan

    a-squared Free - Version 2

    Scan settings:

    Objects: Memory, Traces, Cookies, C:\, D:\
    Scan archives: On
    Heuristics: Off
    ADS Scan: On

    Scan start: 1/23/2007 12:21:23 PM


    Scanned

    Files: 170210
    Traces: 94609
    Cookies: 13
    Processes: 39

    Found

    Files: 3
    Traces: 30
    Cookies: 1
    Processes: 0

    Scan end: 1/23/2007 12:57:24 PM
    Scan time: 12:36:01 AM


    Above is the report; it would not save the results, so I typed them out below. I did not take any action on any of the findings below:

    riskware.nettool.win32.calc-seti@home.b
    file: c:\windows\regini.exe
    riskware.risktool.win32.processor.20
    file: c:\ documents and settings\compaq_owner\desktop\sdfix.zip/sdfix.exe/process.exe
    riskware.risktool.win32.pskill.p
    file: c:\hp\bin\killwind.exe
    trace.directory.weatherbug
    trace: c:\program files\aws\weatherbug
    trace.registry.searchnet toolbar
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> autocomplete
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> autoupdatemsg
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> blockpopups
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> closeallwindowsforupdate
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> connectionerror
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> contextmenuitemname
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> corruptedmsg
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> descriptivetext
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> firsttime
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> firsturl
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> keephistory
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> lastversionmsg
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> opennew
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> runsearchautomatically
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> runsearchdragautomatically
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> scope
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> serverpath
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> showfindbuttons
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> showhighlightbutton
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> toolbar_version
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> toolbarisfailed
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> uninstallmsg
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> updateautomatically
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> updatemsg
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> updateurl
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> urlafteruninstall
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> urlafterupdate
    trace: value: hkey_current_user\software\besttoolbars\ietoolbar --> versionerror

    trace.registry.weatherbug
    trace: value: hkey_current_user\software\microsoft\windows\currentversion\explorer\menuorder\start menu2\programs\weatherbug --> Or
    trace.trackingcookie
    cookie: c:\documents and settings\compaq_owner\cookies\compaq_owner@bravenet[2].txt

    SDFix Log

    SDFix: Version 1.62

    Tue 01/23/2007 - 13:55:02.40

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:

    Path:


    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    No Files Found..




    Alternate Streams Check:

    C:\WINDOWS\system32
    No streams found.

    Final Check:

    Remaining Services:


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe:*:Enabled:BackWeb for Presario"
    "C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
    "C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\1108161078\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1108161078\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
    "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Common Files\\AOL\\1108161078\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1108161078\\EE\\aolsoftware.exe:*:Enabled:AOL Services"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
    "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


    Remaining Files:

    Backups Folder: - C:\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    C:\NTDETECT.COM
    C:\Documents and Settings\Compaq_Owner\NetHood\ftp.healthwaresolutions.com\Desktop.ini
    C:\Program Files\America Online 9.0\aolphx.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\America Online 9.0\RBM.exe
    C:\Program Files\America Online 9.0a\AOLphx.exe
    C:\Program Files\America Online 9.0a\rbm.exe
    C:\WINDOWS\system32\cdplayer.exe.manifest
    C:\WINDOWS\system32\logonui.exe.manifest
    C:\hiberfil.sys
    C:\IO.SYS
    C:\MSDOS.SYS
    C:\pagefile.sys
    C:\WINDOWS\system32\config\default.tmp.LOG
    C:\WINDOWS\system32\config\software.tmp.LOG
    C:\WINDOWS\system32\config\system.tmp.LOG

    Finished



    HijackThis Log

    Logfile of HijackThis v1.99.1
    Scan saved at 3:20:00 PM, on 1/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Compaq_Owner\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jeffersonambulance.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


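A small triage helper for logs in the HijackThis format posted in this thread, added here as an example; it is not part of the thread and not a feature of HijackThis. It parses the R/O entries and groups the items a helper would verify first (autoruns given as a bare file name, "(file missing)" entries, services with an unknown owner, Winlogon Notify DLLs, and the hosts behind the browser start/search settings). The sample log is constructed from a handful of lines in the same shape as the logs above.

```python
"""Triage helper for HijackThis-format logs (added example; not a HijackThis feature).

Assumes the classic v1.99.1 line layout seen in the thread: 'R0/R1', 'O4', 'O9',
'O20', 'O23' entries prefixed with '<code> - '.  Everything it flags is only a
pointer to what to verify on the machine, not a verdict.
"""
import re
from collections import defaultdict

# "O4 - HKLM\..\Run: [VTTimer] VTTimer.exe" -> code="O4", body="HKLM\..\Run: [VTTimer] VTTimer.exe"
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 autorun body: "[name] command line"
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
# O23 service body: "Service: <display> - <owner> - <path>"
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# R0/R1 browser setting body: "...,Start Page = http://host/..."
URL_RE = re.compile(r"=\s*(?P<url>https?://\S+)")

# Constructed sample: a few lines in the same shape as the logs posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jeffersonambulance.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def parse_entries(log_text):
    """Return (code, body) tuples for every 'Xn - ...' entry; headers and process lists are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def first_token(cmd):
    """First program token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text):
    """Group the entries a helper would verify first, keyed by the reason they were flagged."""
    flagged = defaultdict(list)
    for code, body in parse_entries(log_text):
        if "(file missing)" in body:
            flagged["file_missing"].append(body)
        if code == "O4":
            m = O4_RE.search(body)
            if m:
                exe = first_token(m.group("cmd"))
                # A bare file name is resolved through the PATH search order, so the
                # binary that actually runs has to be located and checked on disk.
                if "\\" not in exe and "/" not in exe:
                    flagged["bare_autorun"].append(exe)
        elif code == "O23":
            m = O23_RE.match(body)
            if m and m.group("owner").strip().lower() == "unknown owner":
                flagged["unknown_owner_service"].append(m.group("path"))
        elif code == "O20":
            # Winlogon Notify DLLs load into winlogon.exe; each one is worth confirming.
            flagged["winlogon_notify"].append(body)
        elif code in ("R0", "R1"):
            m = URL_RE.search(body)
            if m:
                host = re.sub(r"^https?://", "", m.group("url")).split("/")[0]
                flagged["browser_hosts"].append(host)
    return dict(flagged)


if __name__ == "__main__":
    for reason, items in triage(SAMPLE_LOG).items():
        print(reason)
        for item in items:
            print("   ", item)
```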
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited January 2007
    Let's try something else and then I will go and request some assistance from one of our other experts here who may have more luck than me :D.

    Run hijackthis and hit the Open the Misc Tools Section and then the Open Uninstall Manager.

    Then hit the Save List button. Save to the desktop for easy access. Open the log file and copy the entire list and paste it here please.

    ===========

    Copy the bold text below and paste it into notepad. Save it to your desktop as find.bat and make sure type is set to All Files.


    cd\
    cd Program Files
    DIR /AD /B /P > ProgramFiles.txt
    start ProgramFiles.txt
    cls
    exit



    Double click find.bat and let it run for a minute. It will open up a report in notepad. Please copy that text and post it here in your next reply.
  • edited January 2007
    Here are the results:



    Uninstall List:

    Ad-Aware SE Personal
    Adobe Reader 7.0.8
    Agere Systems PCI Soft Modem
    AIM 6.0
    AOL Coach Version 1.0(Build:20040229.1 en)
    AOL Coach Version 2.0(Build:20041026.5 en)
    AOL Deskbar
    AOL Spyware Protection
    AOL Toolbar
    AOL Uninstaller (Choose which Products to Remove)
    AOL You've Got Pictures Screensaver
    AVG Anti-Spyware 7.5
    Biphasic LIFEPAK 500 AED - V6.0 - Software Update
    CC_ccProxyMSI
    CC_ccStart
    ccCommon
    CODE 3 FOR WINDOWS
    Compaq Connections
    Compaq Organize
    Crystal Reports for .NET Framework 2.0 (x86)
    Easy Internet Sign-up
    EMS Pennsylvania Export Module
    EMS Pennsylvania Export Update
    EMS Solution 2000 Version 5.7
    Google Toolbar for Internet Explorer
    Help and Support Additions
    HijackThis 1.99.1
    InterVideo DiscLabel
    InterVideo WinDVD Creator
    InterVideo WinDVD Player
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    KBD
    Learn2 Player (Uninstall Only)
    LiveReg (Symantec Corporation)
    LiveUpdate 2.6 (Symantec Corporation)
    Macromedia Flash Player 8
    Merriam-Webster 3.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0
    Microsoft Access 2000 SR-1 Runtime
    Microsoft Office Professional Edition 2003
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Works
    MSRedist
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Personal Firewall
    Norton Personal Firewall (Symantec Corporation)
    Norton Security Center
    NVIDIA GART Driver
    OKI LPR Utility
    Panda ActiveScan
    PC-Doctor for Windows
    PS2
    Python 2.2 combined Win32 extensions
    Python 2.2.1
    QuickTime
    RealPlayer
    RecAll AudioCapture
    Security Update for Step By Step Interactive Training (KB898458)
    SiS VGA Utilities
    Sonic Express Labeler
    Sonic RecordNow!
    Sonic Update Manager
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    Symantec AntiVirus
    Viewpoint Media Player
    Windows Defender
    Windows Defender Signatures
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10




    Find.bat

    Adobe
    AIM6
    America Online 9.0
    America Online 9.0a
    AOD
    AOL
    AOL Companion
    AOL Deskbar
    AOL Toolbar
    AWS
    BackWeb
    Common Files
    Compaq Connections
    ComPlus Applications
    Easy Internet signup
    Google
    Grisoft
    Help and Support Additions
    Hewlett-Packard
    InstallShield Installation Information
    Internet Explorer
    InterVideo
    iPod
    iTunes
    Java
    Lavasoft
    Learn2.com
    Medtronic Emergency Response Systems
    Merriam-Webster
    Messenger
    Microsoft ActiveSync
    Microsoft AntiSpyware
    microsoft frontpage
    Microsoft Office
    Microsoft Plus! Digital Media Edition
    Microsoft Plus! Photo Story 2 LE
    Microsoft Visual Studio
    Microsoft Works
    Microsoft.NET
    Movie Maker
    MSN
    MSN Encarta Standard
    MSN Gaming Zone
    National Instruments
    NetMeeting
    Norton Personal Firewall
    OfficeUpdate11
    Okidata
    Online Services
    Outlook Express
    PC-Doctor for Windows
    Pure Networks
    QuickTime
    Real
    RecAll
    SiS VGA Utilities V3.63
    Snapshot Viewer
    Snooper
    Sonic
    Sonic RecordNow!
    Spybot - Search & Destroy
    SpywareBlaster
    Symantec
    Symantec AntiVirus
    SymNetDrv
    Uninstall Information
    Viewpoint
    Windows Defender
    Windows Media Player
    Windows NT
    WindowsUpdate
    xerox
  • TroganTrogan London, UK
    edited January 2007
    Hi jc29ems!

    I'm not seeing much from your logs either.

    Can you do the following...

    1. I'd like to scan a file:
    • Go to VirusTotal
    • Copy and paste the following file path into the Search Box at the top of the page:
        c:\windows\regini.exe
    • Click on the Send button
    • Save a copy of the results and post them in your next reply.

    2. Download this file to your Desktop - combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    3. Post the scan results and ComboFix log back here.

    Also, when was the last time you visited Windows Update? I don't see any Security updates or Hotfixes.
    • edited January 2007
      Here are the results. I visit Windows Update on a regular basis; I have them set up to install automatically. I did go and try to manually install updates and I got an error message. I have posted it below.


      Microsoft Windows Update Error

      [Error number: 0x80240004]
      The website has encountered a problem and cannot display the page you are trying to view. Take the following steps to try solving the problem:
      Refresh the page.
      In Internet Explorer, delete your Temporary Internet Files by going to the Tools menu and clicking Internet Options.
      Close and then re-open Internet Explorer.


      If these steps don’t work, try visiting the site later or using the resources provided below.
      For self-help options:


      Frequently Asked Questions
      Find Solutions
      Windows Update Newsgroup
      For assisted support options:
      Microsoft Online Assisted Support (no-cost for update-related issues)



      VirusTotal Log



      STATUS: FINISHED
      Complete scanning result of "regini.exe", received in VirusTotal at 01.25.2007, 12:47:31 (CET).

      Antivirus Version Update Result
      AntiVir 7.3.0.26 01.25.2007 no virus found
      Authentium 4.93.8 01.24.2007 no virus found
      Avast 4.7.936.0 01.24.2007 no virus found
      AVG 386 01.24.2007 no virus found
      BitDefender 7.2 01.25.2007 no virus found
      CAT-QuickHeal 9.00 01.25.2007 no virus found
      ClamAV devel-20060426 01.25.2007 no virus found
      DrWeb 4.33 01.25.2007 no virus found
      eSafe 7.0.14.0 01.24.2007 no virus found
      eTrust-InoculateIT 23.73.123 01.25.2007 no virus found
      eTrust-Vet 30.3.3349 01.25.2007 no virus found
      Ewido 4.0 01.24.2007 no virus found
      Fortinet 2.85.0.0 01.24.2007 no virus found
      F-Prot 3.16f 01.23.2007 no virus found
      F-Prot4 4.2.1.29 01.23.2007 no virus found
      Ikarus T3.1.0.27 01.25.2007 no virus found
      Kaspersky 4.0.2.24 01.25.2007 no virus found
      McAfee 4948 01.24.2007 no virus found
      Microsoft 1.1904 01.25.2007 no virus found
      NOD32v2 2004 01.24.2007 no virus found
      Norman 5.80.02 01.25.2007 no virus found
      Panda 9.0.0.4 01.25.2007 no virus found
      Prevx1 V2 01.25.2007 no virus found
      Sophos 4.13.0 01.24.2007 no virus found
      Sunbelt 2.2.907.0 01.22.2007 no virus found
      TheHacker 6.0.3.156 01.25.2007 no virus found
      UNA 1.83 01.24.2007 no virus found
      VBA32 3.11.2 01.24.2007 no virus found
      VirusBuster 4.3.19:9 01.24.2007 no virus found


      Aditional Information
      File size: 67344 bytes
      MD5: 2fa909f06e3e1c83706ae748f610c04c
      SHA1: 6d697dbf72a8897d4312c03a581865f0f5690519

      VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.




      ComboFix Log

      "Compaq_Owner" - 07-01-25 6:42:45 Service Pack 2
      ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop"

      ((((((((((((((((((((((((((((((( Files Created from 2006-12-25 to 2007-01-25 ))))))))))))))))))))))))))))))))))


      2007-01-23 13:52 <DIR> d C:\SDFix
      2007-01-18 14:20 <DIR> d C:\WINDOWS\system32\ActiveScan
      2007-01-17 13:26 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
      2007-01-17 13:26 <DIR> d C:\Program Files\Grisoft
      2007-01-03 19:53 <DIR> d C:\WINDOWS\system32\bak
      2007-01-03 19:53 <DIR> d C:\WINDOWS\system\bak
      2006-12-31 10:55 <DIR> d C:\Program Files\Windows Defender
      2006-12-31 10:49 <DIR> d C:\WINDOWS\system32\appmgmt


      (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


      2007-01-24 21:45 d C:\Program Files\Common Files\symantec shared
      2007-01-24 10:52 1159 --a C:\Program Files\programfiles.txt
      2007-01-23 15:04 d C:\Program Files\symantec antivirus
      2007-01-18 14:40 d C:\Program Files\quicktime
      2007-01-18 14:39 d C:\Program Files\norton personal firewall
      2007-01-18 14:36 d C:\Program Files\itunes
      2007-01-18 14:35 d C:\Program Files\google
      2007-01-18 14:34 d-a C:\Program Files\Common Files\lightscribe
      2007-01-18 14:33 d C:\Program Files\america online 9.0
      2007-01-18 14:30 d C:\Program Files\aim6
      2007-01-17 10:55 d C:\Program Files\symantec
      2007-01-16 18:01 d C:\Program Files\spywareblaster
      2007-01-16 17:39 d C:\DOCUME~1\COMPAQ~1\Application Data\adobeum
      2007-01-15 20:01 d C:\Program Files\java
      2007-01-15 19:19 d---s---- C:\DOCUME~1\COMPAQ~1\Application Data\microsoft
      2007-01-12 21:12 d C:\Program Files\symnetdrv
      2007-01-05 09:46 590 --a C:\DOCUME~1\COMPAQ~1\Application Data\wklnhst.dat
      2006-12-13 11:58 d C:\Program Files\Common Files\aol
      2006-12-12 17:23 d C:\DOCUME~1\COMPAQ~1\Application Data\aim
      2006-12-12 14:22 d C:\DOCUME~1\COMPAQ~1\Application Data\acccore
      2006-11-16 11:44 103984 --a C:\WINDOWS\system32\aoldial.dll


      (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

      *Note* empty entries & legit default entries are not shown

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
      "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
      "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
      "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
      "VTTimer"="VTTimer.exe"
      "SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
      "AGRSMMSG"="AGRSMMSG.exe"
      "AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
      "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
      "AlcxMonitor"="ALCXMNTR.EXE"
      "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
      "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
      "Installed"="1"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
      "Installed"="1"
      "NoChange"="1"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
      "Installed"="1"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
      "{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
      "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
      "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
      "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
      "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
      HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
      LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
      NetworkService REG_MULTI_SZ DnsCache\0\0
      DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
      rpcss REG_MULTI_SZ RpcSs\0\0
      imgsvc REG_MULTI_SZ StiSvc\0\0
      termsvcs REG_MULTI_SZ TermService\0\0



      Contents of the 'Scheduled Tasks' folder
      C:\WINDOWS\tasks\MP Scheduled Scan.job
      C:\WINDOWS\tasks\Symantec NetDetect.job

      Completion time: 07-01-25 6:44:42


    • TroganTrogan London, UK
      edited January 2007
      I think I know what the problem may be. I had a feeling about this and the ComboFix log is showing what infection you might have.

      Please download this file to your Desktop and run it.

      FindAWF

      It will produce a log. Please post that here.
    • edited January 2007
      Here are the results:



      FindAWF

      Find AWF report by noahdfear ©2006


      21504 byte files found
      ~~~~~~~~~~~~~



      21504 byte files sorted with strings
      ~~~~~~~~~~~~~~~~~~~~~



      25600 byte files found
      ~~~~~~~~~~~~~



      25600 byte files sorted with strings
      ~~~~~~~~~~~~~~~~~~~~~



      26450 byte files found
      ~~~~~~~~~~~~~



      26450 byte files sorted with strings
      ~~~~~~~~~~~~~~~~~~~~~



      bak folders found
      ~~~~~~~~~~~


      Directory of C:\HP\KBD\BAK

      02/11/2003 10:02 PM 61,440 KBD.EXE
      1 File(s) 61,440 bytes

      Directory of C:\PROGRA~1\AIM6\BAK

      11/07/2006 10:29 AM 50,736 aim6.exe
      1 File(s) 50,736 bytes

      Directory of C:\PROGRA~1\ITUNES\BAK

      06/04/2004 09:38 PM 286,720 iTunesHelper.exe
      1 File(s) 286,720 bytes

      Directory of C:\PROGRA~1\QUICKT~1\BAK

      10/22/2004 01:01 AM 98,304 qttask.exe
      1 File(s) 98,304 bytes

      Directory of C:\PROGRA~1\SYMANT~1\BAK

      12/30/2004 02:19 PM 120,640 VPTray.exe
      1 File(s) 120,640 bytes

      Directory of C:\PROGRA~1\SYMNET~1\BAK

      11/06/2005 06:12 PM 111,840 SNDMon.exe
      1 File(s) 111,840 bytes

      Directory of C:\PROGRA~1\WINDOW~4\BAK

      11/03/2006 06:20 PM 866,584 MSASCui.exe
      1 File(s) 866,584 bytes

      Directory of C:\WINDOWS\SMINST\BAK

      04/14/2004 10:43 PM 233,472 RECGUARD.EXE
      1 File(s) 233,472 bytes

      Directory of C:\WINDOWS\SYSTEM\BAK

      05/07/1998 06:04 PM 52,736 hpsysdrv.exe
      1 File(s) 52,736 bytes

      Directory of C:\WINDOWS\SYSTEM32\BAK

      08/04/2004 07:00 AM 15,360 ctfmon.exe
      08/21/2004 12:55 AM 155,648 igfxtray.exe
      09/12/2003 10:13 PM 98,304 ps2.exe
      3 File(s) 269,312 bytes

      Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

      10/14/2004 11:54 PM 253,952 lsburnwatcher.exe
      1 File(s) 253,952 bytes

      Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

      12/13/2004 03:30 PM 58,992 ccApp.exe
      1 File(s) 58,992 bytes

      Directory of C:\PROGRA~1\MEDTRO~1\BIPHAS~1.0-S\BAK

      09/01/2006 08:57 AM 86,016 MedtronicDataTransmitter.exe
      1 File(s) 86,016 bytes

      Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

      10/23/2006 07:50 AM 71,216 AOLDial.exe
      1 File(s) 71,216 bytes

      Directory of C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\BAK

      0 File(s) 0 bytes

      Directory of C:\PROGRA~1\COMMON~1\MICROS~1\DW\BAK

      04/25/2005 12:45 PM 36,040 dwtrig20.exe
      1 File(s) 36,040 bytes

      Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

      10/22/2004 12:31 AM 180,269 realsched.exe
      1 File(s) 180,269 bytes

      Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

      08/19/2003 10:01 AM 110,592 sgtray.exe
      1 File(s) 110,592 bytes

      Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

      10/12/2006 03:10 AM 49,263 jusched.exe
      1 File(s) 49,263 bytes

      Directory of C:\PROGRA~1\COMMON~1\AOL\110816~1\EE\BAK

      09/25/2006 07:52 PM 50,736 AOLSoftware.exe
      1 File(s) 50,736 bytes


      Duplicate files of bak directory contents
      ~~~~~~~~~~~~~~~~~~~~~~~

      61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
      50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
      286720 Jun 4 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
      282624 Jan 16 2007 "C:\Program Files\QuickTime\qttask.exe"
      98304 Oct 22 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
      120640 Dec 30 2004 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
      95960 Jan 16 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
      111840 Nov 6 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
      866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
      233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
      52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
      15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
      15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
      155648 Aug 21 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
      98304 Sep 12 2003 "C:\hp\drivers\keyboard\PS2.EXE"
      98304 Sep 12 2003 "C:\WINDOWS\system32\bak\ps2.exe"
      253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
      58992 Dec 13 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
      86016 Sep 1 2006 "C:\Program Files\Medtronic Emergency Response Systems\Biphasic LIFEPAK 500 AED - V6.0 - Software Update\bak\MedtronicDataTransmitter.exe"
      71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
      34832 Nov 10 2003 "C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE"
      36040 Apr 25 2005 "C:\Program Files\Common Files\Microsoft Shared\DW\bak\dwtrig20.exe"
      34880 Jul 15 2003 "C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\DWTRIG20.EXE"
      34880 Oct 5 2006 "C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\DW\DWTRIG20.EXE"
      180269 Oct 22 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
      110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
      32881 Oct 21 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
      36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
      49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
      49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\bak\jusched.exe"
      50736 Sep 25 2006 "C:\Program Files\AIM6\aolsoftware.exe"
      50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1108161078\EE\bak\AOLSoftware.exe"


      end of report


    • TroganTrogan London, UK
      edited January 2007
      Hi jc29ems!

      Please do the following...

      1. Download these files to your Desktop. Right-click and select Save Links As (in Firefox) or Save Target As (in IE) to download them.
      • http://www.mvps.org/winhelp2002/DelDomains.inf
      • http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg
      Don't do anything with them yet!

      2. Open Notepad!
      Copy and Paste everything from the Quote box into Notepad:
      if exist "C:\hp\KBD\KBD.EXE" del /q "C:\hp\KBD\KBD.EXE"
      copy /y "C:\hp\KBD\bak\KBD.EXE" "C:\hp\KBD\KBD.EXE"

      if exist "C:\Program Files\AIM6\aim6.exe" del /q "C:\Program Files\AIM6\aim6.exe"
      copy /y "C:\Program Files\AIM6\bak\aim6.exe" "C:\Program Files\AIM6\aim6.exe"

      if exist "C:\Program Files\iTunes\iTunesHelper.exe" del /q "C:\Program Files\iTunes\iTunesHelper.exe"
      copy /y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes\iTunesHelper.exe"

      if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
      copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"

      if exist "C:\Program Files\Symantec AntiVirus\VPTray.exe" del /q "C:\Program Files\Symantec AntiVirus\VPTray.exe"
      copy /y "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe" "C:\Program Files\Symantec AntiVirus\VPTray.exe"

      if exist "C:\Program Files\SymNetDrv\SNDMon.exe" del /q "C:\Program Files\SymNetDrv\SNDMon.exe"
      copy /y "C:\Program Files\SymNetDrv\bak\SNDMon.exe" "C:\Program Files\SymNetDrv\SNDMon.exe"

      if exist "C:\Program Files\Windows Defender\MSASCui.exe" del /q "C:\Program Files\Windows Defender\MSASCui.exe"
      copy /y "C:\Program Files\Windows Defender\bak\MSASCui.exe" "C:\Program Files\Windows Defender\MSASCui.exe"

      if exist "C:\WINDOWS\SMINST\RECGUARD.EXE" del /q "C:\WINDOWS\SMINST\RECGUARD.EXE"
      copy /y "C:\WINDOWS\SMINST\bak\RECGUARD.EXE" "C:\WINDOWS\SMINST\RECGUARD.EXE"

      if exist "C:\WINDOWS\system\hpsysdrv.exe" del /q "C:\WINDOWS\system\hpsysdrv.exe"
      copy /y "C:\WINDOWS\system\bak\hpsysdrv.exe" "C:\WINDOWS\system\hpsysdrv.exe"

      if exist "C:\WINDOWS\system32\ctfmon.exe" del /q "C:\WINDOWS\system32\ctfmon.exe"
      copy /y "C:\WINDOWS\system32\bak\ctfmon.exe" "C:\WINDOWS\system32\ctfmon.exe"

      if exist "C:\WINDOWS\system32\igfxtray.exe" del /q "C:\WINDOWS\system32\igfxtray.exe"
      copy /y "C:\WINDOWS\system32\bak\igfxtray.exe" "C:\WINDOWS\system32\igfxtray.exe"

      if exist "C:\WINDOWS\system32\ps2.exe" del /q "C:\WINDOWS\system32\ps2.exe"
      copy /y "C:\WINDOWS\system32\bak\ps2.exe" "C:\WINDOWS\system32\ps2.exe"

      if exist "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" del /q "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
      copy /y "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe" "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"

      if exist "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" del /q "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      copy /y "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

      if exist "C:\Program Files\Medtronic Emergency Response Systems\Biphasic LIFEPAK 500 AED - V6.0 - Software Update\MedtronicDataTransmitter.exe" del /q "C:\Program Files\Medtronic Emergency Response Systems\Biphasic LIFEPAK 500 AED - V6.0 - Software Update\MedtronicDataTransmitter.exe"
      copy /y "C:\Program Files\Medtronic Emergency Response Systems\Biphasic LIFEPAK 500 AED - V6.0 - Software Update\bak\MedtronicDataTransmitter.exe" "C:\Program Files\Medtronic Emergency Response Systems\Biphasic LIFEPAK 500 AED - V6.0 - Software Update\MedtronicDataTransmitter.exe"

      if exist "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" del /q "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
      copy /y "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe" "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"

      if exist "C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20.exe" del /q "C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20.exe"
      copy /y "C:\Program Files\Common Files\Microsoft Shared\DW\bak\dwtrig20.exe" "C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20.exe"

      if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
      copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

      if exist "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" del /q "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
      copy /y "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe" "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"

      if exist "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" del /q "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
      copy /y "C:\Program Files\Java\jre1.5.0_09\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

      if exist "C:\Program Files\Common Files\AOL\1108161078\EE\AOLSoftware.exe" del /q "C:\Program Files\Common Files\AOL\1108161078\EE\AOLSoftware.exe"
      copy /y "C:\Program Files\Common Files\AOL\1108161078\EE\bak\AOLSoftware.exe" "C:\Program Files\Common Files\AOL\1108161078\EE\AOLSoftware.exe"

      Go to File > Save As
      Save File name as "Fix.bat" (including quotes)
      Save the file to your Desktop

      Don't do anything with this yet!

      3. Reboot your computer in Safe Mode.
      • If the computer is running, shut down Windows, and then turn off the power.
      • Wait 30 seconds, and then turn the computer on.
      • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
      • Ensure that the Safe Mode option is selected.
      • Press Enter. The computer then begins to start in Safe mode.
      • Login on your usual account.
      4. Once in Safe Mode, locate Fix.bat on your Desktop and double-click it. A black box will open and close quickly - that is normal!

      5. Reboot back into Normal Mode

      6. Locate the two files you downloaded earlier...

      For DelDomains.inf..
      • Right-click on DelDomains.inf, and choose Install.
      • You may not see any noticeable changes or prompts; this is normal.
      • You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot - Search & Destroy after doing this.
      For ResetProtocolDefaults.reg...
      • Locate ResetProtocolDefaults.reg which should be on your desktop.
      • Right-click and select: Merge.
      • OK the prompt.
      7. Reboot the computer and post a new HijackThis log.
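
The helper's Fix.bat above is hand-written from the FindAWF report: for each "bak" folder it deletes whatever now sits in the parent folder and copies the stashed original back. The following is an added example (not the thread's Fix.bat and not FindAWF's own code) that re-implements the check the report is built around and generates restore lines in the same del/copy shape. It assumes the pattern seen in this thread, a subfolder literally named "bak" holding a same-named copy of a file one level up, and builds a small constructed sample tree with placeholder bytes instead of real binaries, so it runs offline on any platform.

```python
"""Added example (not the thread's Fix.bat and not FindAWF's own code):
re-implements the check the FindAWF report above is built around and
generates restore lines in the same del/copy shape as the helper's batch.

Pattern in the thread: an autostart program's .exe is moved into a "bak"
subfolder and a replacement of a different size is dropped in its place
(e.g. qttask.exe 282624 bytes in place, 98304 bytes in bak).
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class BakFinding:
    original: Path   # path where the real program is supposed to live
    backup: Path     # same-named copy found in the "bak" subfolder
    status: str      # "replaced" | "missing" | "identical"


def sha256_of(path: Path) -> str:
    """Hash in chunks so large executables don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_replacements(root: Path) -> list[BakFinding]:
    """Walk `root`; for every file inside a folder named "bak" compare it
    with the same-named file one directory up (assumed folder name)."""
    findings: list[BakFinding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in filenames:
            backup = bak_dir / name
            original = bak_dir.parent / name
            if not original.is_file():
                status = "missing"            # original gone, only the stash remains
            elif (original.stat().st_size != backup.stat().st_size
                  or sha256_of(original) != sha256_of(backup)):
                status = "replaced"           # something else now sits in its place
            else:
                status = "identical"          # harmless leftover copy
            findings.append(BakFinding(original, backup, status))
    return sorted(findings, key=lambda f: str(f.original).lower())


def restore_commands(findings: list[BakFinding]) -> list[str]:
    """Batch lines in the shape of the thread's Fix.bat: remove whatever is in
    place, then copy the stashed original back. Identical pairs need nothing."""
    lines: list[str] = []
    for f in findings:
        if f.status == "identical":
            continue
        orig, bak = str(f.original), str(f.backup)
        lines.append(f'if exist "{orig}" del /q "{orig}"')
        lines.append(f'copy /y "{bak}" "{orig}"')
    return lines


def build_demo_tree(root: Path) -> None:
    """Constructed sample tree modelled on the FindAWF report above; file
    contents are placeholder bytes, not real binaries."""
    qt = root / "Program Files" / "QuickTime"
    (qt / "bak").mkdir(parents=True)
    (qt / "qttask.exe").write_bytes(b"REPLACEMENT" * 100)         # now in place
    (qt / "bak" / "qttask.exe").write_bytes(b"ORIGINAL-QT" * 50)  # stashed original
    s32 = root / "WINDOWS" / "system32"
    (s32 / "bak").mkdir(parents=True)
    (s32 / "ctfmon.exe").write_bytes(b"CTFMON" * 10)
    (s32 / "bak" / "ctfmon.exe").write_bytes(b"CTFMON" * 10)       # identical pair
    it = root / "Program Files" / "iTunes"
    (it / "bak").mkdir(parents=True)
    (it / "bak" / "iTunesHelper.exe").write_bytes(b"ITUNES" * 20)  # original missing


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, summarise the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        findings = find_bak_replacements(root)
        return {
            "statuses": {f.original.name: f.status for f in findings},
            "restore_lines": len(restore_commands(findings)),
        }


if __name__ == "__main__":
    for name, status in run_demo()["statuses"].items():
        print(f"{status:9s} {name}")
```

The size check alone would have caught the qttask.exe and SNDMon.exe pairs in the report above; the hash comparison is there for a replacement padded to the original's size. Run against a real `C:\` root it produces the same three outcomes per pair, and only the "replaced" and "missing" ones turn into restore lines.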
    • edited January 2007
      Here are the results:



      Hijack This Log

      Logfile of HijackThis v1.99.1
      Scan saved at 6:57:18 PM, on 1/26/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Windows Defender\MsMpEng.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
      C:\Program Files\Symantec AntiVirus\DefWatch.exe
      c:\Program Files\Common Files\LightScribe\LSSrvc.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Symantec AntiVirus\Rtvscan.exe
      C:\WINDOWS\wanmpsvc.exe
      c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
      C:\WINDOWS\AGRSMMSG.exe
      C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
      C:\WINDOWS\ALCXMNTR.EXE
      C:\Program Files\QuickTime\qttask.exe
      c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      C:\Program Files\America Online 9.0\aoltray.exe
      C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Documents and Settings\Compaq_Owner\My Documents\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
      O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
      O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
      O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
      O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
      O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
      O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
      O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
      O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
      O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
      O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
      O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
      O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
      O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [INTERNATIONAL] International*
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169725716547
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
      O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
      O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
      O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
      O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
      O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
      O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
      O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


    • TroganTrogan London, UK
      edited January 2007
      How is the computer currently?

      1. Open HijackThis
      - Click the Do a system scan only button
      - Check the following entries (below)

      O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

      - Close ALL open windows (especially Internet Explorer!)
      - Click Fix Checked
      Close HijackThis

      2. Please do an online scan with Kaspersky WebScanner

      Click on Kaspersky Online Scanner

      You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
      • The program will launch and then begin downloading the latest definition files:
      • Once the files have been downloaded click on NEXT
      • Now click on Scan Settings
      • In the scan settings make sure that the following are selected:
        • Scan using the following Anti-Virus database:
          Extended (if available otherwise Standard)
        • Scan Options:
          Scan Archives
          Scan Mail Bases


      • Click OK
      • Now under select a target to scan, select My Computer
      • The program will start and scan your system.
      • The scan will take a while so be patient and let it run.
      • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
      • Save the file to your desktop.

      3. Post the Kaspersky log, along with a new HijackThis log.
        • edited January 2007
          Here ya go. Computer still appears to be running the same, I cannot visit those websites that I described to you earlier, and also Symantec Antivirus still isn't showing in the taskbar and neither is Norton Personal Firewall. I didn't notice anything different.



          Kaspersky Log

          KASPERSKY ONLINE SCANNER REPORT
          Friday, January 26, 2007 8:26:00 PM
          Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
          Kaspersky Online Scanner version: 5.0.83.0
          Kaspersky Anti-Virus database last update: 27/01/2007
          Kaspersky Anti-Virus database records: 262782


          Scan Settings
          Scan using the following antivirus database extended
          Scan Archives true
          Scan Mail Bases true

          Scan Target My Computer
          C:\
          D:\
          E:\
          F:\
          G:\
          H:\
          I:\

          Scan Statistics
          Total number of scanned objects 68978
          Number of viruses found 1
          Number of infected objects 1 / 0
          Number of suspicious objects 0
          Duration of the scan process 00:47:46

          Infected Object Name Virus Name Last Action
          C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\02d7e13349e3f61d928043aca2cbac34_e2f1fb30-b0fa-41cd-aa29-ed49e4c84733 Object is locked skipped

          C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0d6d15b311bea5309c5b67cbbbbd5e95_e2f1fb30-b0fa-41cd-aa29-ed49e4c84733 Object is locked skipped

          C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1e0fd98dd08c6a4437d01c1a557f1980_e2f1fb30-b0fa-41cd-aa29-ed49e4c84733 Object is locked skipped

          C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2349f064b79686aa6713655d39906b55_e2f1fb30-b0fa-41cd-aa29-ed49e4c84733 Object is locked skipped

          C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3535d7d13f795eae2a5c43ba2cfd6161_e2f1fb30-b0fa-41cd-aa29-ed49e4c84733 Object is locked skipped

          C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6ddcc8dc4cebabb4f187054c7031b01f_e2f1fb30-b0fa-41cd-aa29-ed49e4c84733 Object is locked skipped

          C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\82b5e8e74dbe543e1632571cd0e199ac_e2f1fb30-b0fa-41cd-aa29-ed49e4c84733 Object is locked skipped

          C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a8b017dfc6d0ae4759b357d16fd28483_e2f1fb30-b0fa-41cd-aa29-ed49e4c84733 Object is locked skipped

          C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bec2ae7e51c4498727bf84bd704cc49f_e2f1fb30-b0fa-41cd-aa29-ed49e4c84733 Object is locked skipped

          C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c857f73929de4d2194ef37a4d4a8fb16_e2f1fb30-b0fa-41cd-aa29-ed49e4c84733 Object is locked skipped

          C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12312006-105538.log Object is locked skipped

          C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Cookies\index.dat Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\MSHist012007012620070127\index.dat Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\JET6C90.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF4050.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF41EB.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF72CD.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF72D6.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF72DF.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF72E8.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF72F1.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF72FA.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF7303.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF730C.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF7315.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF737F.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF7388.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF7392.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF73A1.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF73AA.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF7B77.tmp Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\NTUSER.DAT Object is locked skipped

          C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG Object is locked skipped

          C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

          C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

          C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

          C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

          C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

          C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

          C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

          C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

          C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

          C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

          C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

          C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

          C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

          C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

          C:\EMS2001.5\Archive\Pcr Archive.ldb Object is locked skipped

          C:\EMS2001.5\Archive\Pcr Archive.mdb Object is locked skipped

          C:\EMS2001.5\Code\Codes System.ldb Object is locked skipped

          C:\EMS2001.5\Code\Codes System.mdb Object is locked skipped

          C:\EMS2001.5\Data\Pcr Data.ldb Object is locked skipped

          C:\EMS2001.5\Data\Pcr Data.mdb Object is locked skipped

          C:\EMS2001.5\Data\Pcr Local.ldb Object is locked skipped

          C:\EMS2001.5\Data\Pcr Local.mdb Object is locked skipped

          C:\EMS2001.5\Data\Pcr Personnel.ldb Object is locked skipped

          C:\EMS2001.5\Data\Pcr Personnel.mdb Object is locked skipped

          C:\EMS2001.5\EMS Library v5.ldb Object is locked skipped

          C:\EMS2001.5\EMS Library v5.mde Object is locked skipped

          C:\EMS2001.5\EMS Solution.ldb Object is locked skipped

          C:\EMS2001.5\EMS Solution.mde Object is locked skipped

          C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped

          C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

          C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

          C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

          C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

          C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

          C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

          C:\Program Files\Common Files\System\SYSTEM.ldb Object is locked skipped

          C:\Program Files\Common Files\System\SYSTEM.MDW Object is locked skipped

          C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

          C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

          C:\WINDOWS\SchedLgU.Txt Object is locked skipped

          C:\WINDOWS\SoftwareDistribution\EventCache\{2C1CF970-3A05-4C67-AE34-ACA1F50EC253}.bin Object is locked skipped

          C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

          C:\WINDOWS\Sti_Trace.log Object is locked skipped

          C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

          C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

          C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

          C:\WINDOWS\system32\config\default Object is locked skipped

          C:\WINDOWS\system32\config\default.LOG Object is locked skipped

          C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

          C:\WINDOWS\system32\config\SAM Object is locked skipped

          C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

          C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

          C:\WINDOWS\system32\config\SECURITY Object is locked skipped

          C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

          C:\WINDOWS\system32\config\software Object is locked skipped

          C:\WINDOWS\system32\config\software.LOG Object is locked skipped

          C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

          C:\WINDOWS\system32\config\system Object is locked skipped

          C:\WINDOWS\system32\config\system.LOG Object is locked skipped

          C:\WINDOWS\system32\h323log.txt Object is locked skipped

          C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

          C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

          C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

          C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

          C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

          C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

          C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

          C:\WINDOWS\wiadebug.log Object is locked skipped

          C:\WINDOWS\wiaservc.log Object is locked skipped

          C:\WINDOWS\WindowsUpdate.log Object is locked skipped

          C:\WINEMS\DATA\BULLETIN.DBF Object is locked skipped

          C:\WINEMS\DATA\BULLETIN.FPT Object is locked skipped

          C:\WINEMS\DATA\CONTALPH.IDX Object is locked skipped

          C:\WINEMS\DATA\CONTROL.DBF Object is locked skipped

          C:\WINEMS\DATA\CONTROL.IDX Object is locked skipped

          C:\WINEMS\DATA\EMPLALPH.IDX Object is locked skipped

          C:\WINEMS\DATA\employee.DBF Object is locked skipped

          C:\WINEMS\DATA\EMPLOYEE.IDX Object is locked skipped

          C:\WINEMS\DATA\EMPLPASS.IDX Object is locked skipped

          C:\WINEMS\DATA\GEOGALPH.IDX Object is locked skipped

          C:\WINEMS\DATA\GEOGRAPH.DBF Object is locked skipped

          C:\WINEMS\DATA\GEOGRAPH.IDX Object is locked skipped

          C:\WINEMS\DATA\HOSPALPH.IDX Object is locked skipped

          C:\WINEMS\DATA\HOSPITAL.DBF Object is locked skipped

          C:\WINEMS\DATA\HOSPITAL.IDX Object is locked skipped

          C:\WINEMS\DATA\INSUALPH.IDX Object is locked skipped

          C:\WINEMS\DATA\insuranc.DBF Object is locked skipped

          C:\WINEMS\DATA\INSURANC.IDX Object is locked skipped

          C:\WINEMS\DATA\MEDICATI.DBF Object is locked skipped

          C:\WINEMS\DATA\MEDICATI.IDX Object is locked skipped

          C:\WINEMS\DATA\PENN1.CDX Object is locked skipped

          C:\WINEMS\DATA\penn1.dbf Object is locked skipped

          C:\WINEMS\DATA\PENN1.FPT Object is locked skipped

          C:\WINEMS\DATA\penn2.dbf Object is locked skipped

          C:\WINEMS\DATA\PENN2.IDX Object is locked skipped

          C:\WINEMS\DATA\penn3.dbf Object is locked skipped

          C:\WINEMS\DATA\PENN3.IDX Object is locked skipped

          C:\WINEMS\DATA\penn4.dbf Object is locked skipped

          C:\WINEMS\DATA\PENN4.IDX Object is locked skipped

          C:\WINEMS\DATA\PENNSYLV.DBC Object is locked skipped

          C:\WINEMS\DATA\PENNSYLV.DCT Object is locked skipped

          C:\WINEMS\DATA\pennsylv.DCX Object is locked skipped

          C:\WINEMS\DATA\PHMX.DBF Object is locked skipped

          C:\WINEMS\DATA\PHMXALPH.IDX Object is locked skipped

          C:\WINEMS\DATA\PHYSALPH.IDX Object is locked skipped

          C:\WINEMS\DATA\PHYSICIA.DBF Object is locked skipped

          C:\WINEMS\DATA\PHYSICIA.IDX Object is locked skipped

          C:\WINEMS\DATA\SETTINGS.DBF Object is locked skipped

          C:\WINEMS\DATA\SUBSCRI1.IDX Object is locked skipped

          C:\WINEMS\DATA\SUBSCRIP.DBF Object is locked skipped

          C:\WINEMS\DATA\VEHIALPH.IDX Object is locked skipped

          C:\WINEMS\DATA\VEHICLE.DBF Object is locked skipped

          C:\WINEMS\DATA\VEHICLE.IDX Object is locked skipped

          C:\WINEMS\DATA\WORDS1.CDX Object is locked skipped

          C:\WINEMS\DATA\WORDS1.DBF Object is locked skipped

          C:\WINEMS\DATA\WORDS2.CDX Object is locked skipped

          C:\WINEMS\DATA\WORDS2.DBF Object is locked skipped

          C:\WINEMS\DATA\WORDS3.CDX Object is locked skipped

          C:\WINEMS\DATA\WORDS3.DBF Object is locked skipped

          C:\WINEMS\DATA\ZIPALPH.IDX Object is locked skipped

          C:\WINEMS\DATA\ZIP_CODE.DBF Object is locked skipped

          C:\WINEMS\DATA\ZIP_CODE.IDX Object is locked skipped

          C:\WINEMS\FOXUSER.DBF Object is locked skipped

          C:\WINEMS\FOXUSER.FPT Object is locked skipped

          Scan process completed.




          HiJack This Log

          Logfile of HijackThis v1.99.1
          Scan saved at 8:27:06 PM, on 1/26/2007
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Windows Defender\MsMpEng.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
          C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
          c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
          C:\Program Files\Symantec AntiVirus\DefWatch.exe
          c:\Program Files\Common Files\LightScribe\LSSrvc.exe
          C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Symantec AntiVirus\Rtvscan.exe
          C:\WINDOWS\wanmpsvc.exe
          c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
          C:\WINDOWS\AGRSMMSG.exe
          C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
          C:\Program Files\QuickTime\qttask.exe
          c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
          C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\America Online 9.0\aoltray.exe
          C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\Documents and Settings\Compaq_Owner\My Documents\HijackThis.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
          O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
          O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
          O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
          O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
          O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
          O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
          O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
          O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
          O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
          O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
          O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
          O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
          O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
          O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
          O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
          O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O11 - Options group: [INTERNATIONAL] International*
          O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169725716547
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
          O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
          O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
          O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
          O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
          O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
          O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
          O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
          O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
          O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
          O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
          O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
          O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
          O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
          O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
          O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



        • TroganTrogan London, UK
          edited January 2007
          I'm looking into the source of the problem. I'll post back as soon as possible. In the meantime, could you try reinstalling Norton and see if that helps?
        • edited January 2007
          Norton might be a problem; I'll have to find the disks that came with the computer. Symantec won't be a problem to reinstall.
        • TroganTrogan London, UK
          edited January 2007
          Sorry, yeah...try reinstalling Symantec.
        • TroganTrogan London, UK
          edited January 2007
          Sorry for the delay. I've had a very busy weekend and did not get much time to look into this. I'm doing this now.

          Have you reinstalled Symantec?
        • TroganTrogan London, UK
          edited January 2007
          Please do this...

          1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.
          RegSearch Options File

          [Search]
          88.80.5.21

          [Exclude]

          [Options]
          Filter=KVDLUI

          2. Download Registry Search to your desktop.
          • Extract the file to your Desktop. You should now have a regsearch folder on your Desktop.
          • Open the new folder, and double click on regsearch.exe
          • Click Import in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
          • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
          • Please reply here with the entire contents of the Notepad file from RegSearch.
        • edited January 2007
          Here are the results:



          RegSearch Log

          Windows Registry Editor Version 5.00

          ; Registry Search 2.0 by Bobbi Flekman © 2005
          ; Version: 2.0.2.0

          ; Results at 1/29/2007 6:17:14 PM for strings:
          ; '88.80.5.21'
          ; Strings excluded from search:
          ; (None)
          ; Search in:
          ; Registry Keys Registry Values Registry Data
          ; HKEY_LOCAL_MACHINE HKEY_USERS


          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
          "url11"="http://88.80.5.21/"

          [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count]
          ; Contents of value:
          ; C ¬Æ\Ð?Ç
          "HRZR_EHACVQY:%pf\
          vqy6%\\88.80.5.21 Gebwna.Mbaronp Cyrnfr Uryc - Grpu Fhccbeg Thl Sbehzf.hey"\
          =hex:43,01,00,00,06,00,00,00,20,ac,c6,5c,d0,3f,c7,01
          ; Contents of value:
          ; C B bÐ?Ç
          "HRZR_EHACVQY:%pfvqy6%\\88.80.5.21 URYC - Trrxf gb Tb!.hey"=hex:43,01,00,00,06,\
          00,00,00,00,42,00,62,d0,3f,c7,01
          ; Contents of value:
          ; C ™gÐ?Ç
          "HRZR_EHACVQY:%pf\
          vqy6%\\88.80.5.21 Gebwna.Mbaronp CYRNFR URYC - FJV Sbehzf.hey"=hex:43,01,00\
          ,00,06,00,00,00,00,99,8f,67,d0,3f,c7,01

          ; End Of The Log...
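          The UserAssist values in the log above are ROT13-encoded value names followed by a 16-byte record. As an added example that is not part of this thread, the Python script below decodes them the way an analyst reading that log would: it joins the .reg line continuations, un-escapes the value name, applies ROT13, expands the `%csidl6%` placeholder (the Favorites folder), and unpacks the record as the Windows XP layout of a 4-byte session id, a 4-byte run counter stored with an offset of 5, and an 8-byte FILETIME of the last run. The sample input is the first two values copied from the log; the `CSIDL_NAMES` table and the helper names are this example's own.

```python
import codecs
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Sample input copied from the RegSearch log in this thread: two UserAssist\Count
# values in .reg syntax (a trailing "\" continues the line; "\\" is an escaped "\").
REG_SNIPPET = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count]
; Contents of value:
"HRZR_EHACVQY:%pf\
vqy6%\\88.80.5.21 Gebwna.Mbaronp Cyrnfr Uryc - Grpu Fhccbeg Thl Sbehzf.hey"\
=hex:43,01,00,00,06,00,00,00,20,ac,c6,5c,d0,3f,c7,01
; Contents of value:
"HRZR_EHACVQY:%pfvqy6%\\88.80.5.21 URYC - Trrxf gb Tb!.hey"=hex:43,01,00,00,06,\
00,00,00,00,42,00,62,d0,3f,c7,01
'''

# Folder labels for the CSIDL placeholders Windows writes into UserAssist paths
# (table constructed for this example; 6 is CSIDL_FAVORITES).
CSIDL_NAMES = {0: "Desktop", 2: "Start Menu\\Programs", 6: "Favorites"}

# FILETIME counts 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class UserAssistEntry:
    name: str           # ROT13-decoded value name
    path: str           # name with %csidlN% expanded to a folder label
    session: int
    raw_count: int      # counter exactly as stored
    runs: int           # XP stores the counter offset by 5, so 6 means one run
    last_run: datetime  # FILETIME converted to an aware UTC datetime


def join_continuations(text):
    """Merge .reg lines that end in a backslash with the line that follows."""
    merged, pending = [], None
    for raw in text.splitlines():
        line = raw if pending is None else pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            merged.append(line)
            pending = None
    if pending is not None:
        merged.append(pending)
    return merged


def expand_csidl(name):
    """Replace %csidlN% with a readable folder label such as <Favorites>."""
    return re.sub(r"%csidl(\d+)%",
                  lambda m: "<" + CSIDL_NAMES.get(int(m.group(1)),
                                                   "CSIDL_" + m.group(1)) + ">",
                  name)


def parse_userassist(text):
    """Decode every 16-byte UserAssist value found in a .reg style export."""
    entries = []
    for line in join_continuations(text):
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=hex:([0-9a-fA-F,]+)$', line)
        if not m:
            continue
        # Undo .reg escaping (\" -> " and \\ -> \) before the ROT13 step.
        encoded = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        name = codecs.decode(encoded, "rot13")
        data = bytes(int(b, 16) for b in m.group(2).split(","))
        if len(data) != 16:
            continue  # only the XP record layout is handled here
        session, count, filetime = struct.unpack("<IIQ", data)
        last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
        entries.append(UserAssistEntry(name, expand_csidl(name), session,
                                       count, max(count - 5, 0), last_run))
    return entries


if __name__ == "__main__":
    for e in parse_userassist(REG_SNIPPET):
        print(f"{e.last_run:%Y-%m-%d %H:%M:%S} UTC  runs={e.runs}  {e.path}")
```

Run as a script it prints one line per value; the first entry decodes to a Favorites shortcut named "88.80.5.21 Trojan.Zonebac Please Help - Tech Support Guy Forums.url" last opened on 24 January 2007 (UTC).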


        • edited January 2007
          Here is an update, maybe this will help in the diagnosis.

          In regard to my previous post, since we performed some of the actions that we have, I noticed that I do not get the following message when I right click. It is not like it should be, normal. Also, could AVG be having any interference with Symantec Antivirus? I did try to reinstall Symantec, but I cannot do so until we fix the problem so that I can visit websites, because I need to log into an account to download the software. It seems the only pages I cannot visit would be ones that require logging in.
          jc29ems wrote:
          When you right click, Symantec Antivirus tries to configure. I get the message: Please wait while Windows configures Symantec Antivirus.
        • TroganTrogan London, UK
          edited January 2007
          I'm getting something checked out. I'll post back shortly.