Possible attack of Skype trojan

I came into this forum about 7 - 8 months ago with an unhappy and worrying feeling due to my laptop's infection. However, at the end of the day, I left with a big wide grin due to someone who guided me through it all.

I am back again (with the same laptop) with another unhappy feeling. A colleague's laptop was infected with a virus, but they wished to transfer certain files to another PC to work on. So I plugged in my thumbdrive and all of a sudden I saw a .scr file created automatically in it. Despite deleting or formatting the TD, it never fails to stick itself there.

After much reading online, I suspect that it came from the latest Skype threat. After running for some time, my laptop will start to lag so badly that it completely freezes (only a hard reset/shutdown will save me). I won't be able to run MSCONFIG or REGEDIT. It's only safe mode which allows me to do them. Below is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:25 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\stwinsdat.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Acer\ePM\EPM-DM.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HiJackThis 2.02.exe
C:\Program Files\Avant Browser\avant.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://ecftp1.ftn.fedex.com/
[101 O1 - Hosts: entries omitted: security-vendor, online-scanner and Windows Update hostnames redirected to bogus IP addresses]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Services Start2] odcwinst.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Windows Live™ Messenger.lnk = C:\Program Files\Windows Live\Messenger\msnmsgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.05.04&unknown&unknown&http://vaio-online.sony.com/prod_info/vgc-la38g/product_outline.html
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185859236445
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185859043567
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ftn.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = snet.com
O17 - HKLM\Software\..\Telephony: DomainName = snet.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = snet.com
O22 - SharedTaskScheduler: OpenGL additional - {8A5849C4-93F3-429D-FF34-660A2068897C} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\tomcat\bin\tomcat5.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 14787 bytes

Thank you in advance for those of you who took the time to read this post.

Comments

  • Trogan (London, UK)
    edited September 2007
    I'll post a reply in a few minutes.
  • Trogan (London, UK)
    edited September 2007
    Hi marsulein! Looks like you are infected by the Skype worm, which was created today it seems.

    Please do the following...

    1. I'd like you to submit a file to a few places so the infection can be better dealt with in the future.

    Visit both links, one at a time...
    http://www.bleepingcomputer.com/submit-malware.php?channel=27
    http://www.bleepingcomputer.com/submit-malware.php?channel=4
    Do the following for each link:

    2. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    [101 O1 - Hosts: entries omitted: the same hosts-file hijacks shown in the log above]

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\RunOnce: [Services Start2] odcwinst.exe

    O22 - SharedTaskScheduler: OpenGL additional - {8A5849C4-93F3-429D-FF34-660A2068897C} - (no file)


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    - Close HijackThis

    3. Make sure you can view hidden files and folders:
    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
    4. Find and delete the following file, if found:

    C:\WINDOWS\system32\odcwinst.exe

    5. Reboot the computer, and post a new HijackThis log.
  • marsulein
    edited September 2007
    Hi Trogan,

    Thank you for reading through my HJT log.

    I've submitted the file to the 2 links that you provided above.

    After removing all of the items you mentioned and rebooting the laptop, I still see the O1 values.
    So I decided to fix them again, but after that they still come back, and HJT shows the following message:

    "You have a particularly large amount of hijacked domains. It's probably better to delete the file itself than to fix each item (and create a backup).

    If you see the same IP address in all the reported O1 items, consider deleting your Hosts file, which is located
    at C:\WINDOWS\System32\drivers\etc\hosts."

    I had a positive sighting of odcwinst.exe, so I have proceeded to remove it per your instruction.

    Here is the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:38:12 AM, on 9/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Acer\eManager\anbmServ.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Acer\ePM\EPM-DM.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\acer\eRecovery\Monitor.exe
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\HJT\HiJackThis 2.02.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://ecftp1.ftn.fedex.com/
    [101 O1 - Hosts: entries omitted: further avast.com hostnames redirected to bogus IP addresses]
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
    O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Windows Live™ Messenger.lnk = C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.05.04&unknown&unknown&http://vaio-online.sony.com/prod_info/vgc-la38g/product_outline.html
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185859236445
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185859043567
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ftn.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = snet.com
    O17 - HKLM\Software\..\Telephony: DomainName = snet.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = snet.com
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\tomcat\bin\tomcat5.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

    --
    End of file - 14010 bytes
  • Trogan London, UK
    edited September 2007
    Hi marsulein! Thanks for uploading the files.

    Lets continue...

    1. Spybot's TeaTimer is likely preventing the Hosts file from being deleted, so let's disable it temporarily.
    • Open Spybot Search & Destroy
    • Go to the Mode menu, and make sure "Advanced Mode" is selected
    • On the left hand side, choose Tools -> Resident
    • Uncheck "Resident TeaTimer" and OK any prompts
    • Exit SpyBot
    2. Please download HostsXpert.
    1. Unzip HostsXpert.zip
    2. Double click on HostsXpert.exe
    3. Then click on "Restore MS Hosts File" to restore your Hosts file to its default condition.
    4. Make sure "Make Writeable?" is shown at the top. If "Make ReadOnly" is showing, click the button to change it to secure it against further infection.
    5. Close program when complete.
    3. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    ...(Unless you set these with an anti-spyware program like SpyBot's Immunize feature, or a System Administrator set them, have HijackThis fix this.)

    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    - Close HijackThis

    4. I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.
    5. Please post the following...

    Uninstall list
    New HijackThis log.
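The O1 entries in the logs above are the reason the Hosts file has to be restored: they point avast.com update hostnames at arbitrary addresses (several, such as 247.52.165.106, fall in the reserved 240.0.0.0/4 block and can never be reached), which is how this kind of infection keeps a security product from updating. The script below is an added example, not code from the thread, from HijackThis or from HostsXpert; it parses O1 lines in the format HijackThis prints them and flags entries that redirect or sinkhole a security vendor's domain or use an unroutable address. The sample log lines are constructed from the shape of the entries in this thread, and the list of vendor domains is an illustrative assumption, not something the page specifies.

```python
import ipaddress
import re

# Constructed sample in the shape HijackThis prints O1 lines, with a few
# benign entries mixed in so the triage can be run offline.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.168.1.10 intranet.example
O1 - Hosts: 129.7.179.215 sl36.avast.com
O1 - Hosts: 247.52.165.106 rs37.avast.com
O1 - Hosts: 0.0.0.0 ads.example
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumption: an illustrative watch list of security vendor domains; the
# thread only shows avast.com being hijacked, the rest are added here.
SECURITY_DOMAINS = ("avast.com", "symantec.com", "microsoft.com", "trendmicro.com")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


def parse_o1_entries(log_text):
    """Return (address, hostname) tuples for every 'O1 - Hosts:' line."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def classify(ip_str, hostname):
    """Return the reasons an entry looks hostile; an empty list means benign."""
    reasons = []
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return ["unparseable address"]
    host = hostname.lower()
    # 127.x and 0.0.0.0 sink the name rather than redirect it elsewhere.
    is_sink = ip.is_loopback or ip.is_unspecified
    if any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS):
        if is_sink:
            reasons.append("security vendor sinkholed (blocks updates)")
        else:
            reasons.append("security vendor redirected off-vendor")
    # Multicast (224/4) and reserved (240/4) addresses never host a server,
    # so a Hosts entry pointing there is filler written by a tool, not a user.
    if ip.is_multicast or ip.is_reserved:
        reasons.append("bogus address (multicast/reserved)")
    return reasons


def triage(log_text):
    """Map each suspicious hostname to its reasons; benign entries are omitted."""
    findings = {}
    for ip_str, host in parse_o1_entries(log_text):
        reasons = classify(ip_str, host)
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_HJT_LOG).items():
        print(f"{host}: {'; '.join(reasons)}")
```

Feed it the text of a saved HijackThis log instead of SAMPLE_HJT_LOG to get the same triage on a real machine; entries that map a vendor name to 127.0.0.1 are reported separately from redirects, because the default Windows Hosts file legitimately contains only the loopback entry for localhost.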
  • edited September 2007
    Hi again Trogan. You're most welcome. :)

    1. I have disabled the Tea Timer since my second scan since it is pestering me with messages.

    2. When I tried to restore MS hosts file, I was prompted with this message:
    "Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts".
    "Make writeable" is set to ON as instructed.

    3. I've fixed those 3 entries that you mentioned above.

    4. Here's the Uninstall list:

    Acer eManager for Notebook
    Acer ePowerManagement
    Ad-Aware 2007
    Adobe Flash Player 9 ActiveX
    Adobe Reader 8.1.0
    Adobe Shockwave Player
    AdventureWorksDB
    Agere Systems AC'97 Modem
    Apache HTTP Server 2.2.3
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Avant Browser (remove only)
    AviSynth 2.5
    CCleaner (remove only)
    Compatibility Pack for the 2007 Office system
    Disc2Phone
    EditPlus 2
    EphPod
    FTP Explorer
    FTP Explorer
    Fuji Xerox CentreWare EasyOperator
    Fuji Xerox Network Scanner Utility2
    getPlus(R)_ocx
    Gift Shop
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Ipswitch WS_FTP Home 2007
    iTunes
    Java(TM) 6 Update 2
    Java(TM) SE Development Kit 6
    Java(TM) SE Runtime Environment 6
    Java(TM) SE Runtime Environment 6 Update 1
    K-Lite Mega Codec Pack 1.53
    LiveUpdate 3.1 (Symantec Corporation)
    Maxthon Browser (remove only)
    Messenger Plus! Live
    MetaFrame Presentation Server Web Client for Win32
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 2.0 SDK - ENU
    Microsoft .NET Framework SDK (English) 1.1
    Microsoft ASP.NET Web Matrix
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office FrontPage 2003
    Microsoft Office Professional Edition 2003
    Microsoft Office Visio Viewer 2003 (English)
    Microsoft SQL Server 2000
    Microsoft SQL Server Desktop Engine
    Microsoft SQL Server Native Client
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft Visual Studio .NET Enterprise Architect 2003 - English
    Microsoft Visual Web Developer 2005 Express Edition - ENU
    Microsoft Visual Web Developer 2005 Express Edition - ENU
    Mozilla Firefox (2.0)
    MSConfig CleanUp 1.2
    MSN BackUp 1.3.2
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MySQL Server 5.0
    MySQL Tools for 5.0
    NTI Backup NOW! 3
    NTI CD & DVD-Maker Gold
    PowerDVD
    Quest Software Toad Data Modeler Freeware 2.24
    Quest Software Toad Data Modeler Trial 2.24
    Quest Software Toad for SQL Server Freeware 2.0
    QuickTime
    RealPlayer
    Realtek AC'97 Audio
    San Fermín
    Security Update for Microsoft .NET Framework 2.0 (KB917283)
    Security Update for Microsoft .NET Framework 2.0 (KB922770)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917537)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Skype 2.5
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    Symantec AntiVirus
    Synaptics Pointing Device Driver
    Tera Term Pro
    TextPad 5
    Toad for Oracle Freeware
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB931836)
    User Profile Hive Cleanup Service
    Viewpoint Media Player
    WebEx
    Winamp (remove only)
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Installer 3.1 (KB893803)
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Live installer
    Windows Live Messenger
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    WinRAR archiver
    Xerox DC 400/350/250 PCL 6
    Zune Desktop Theme

    5. And here is the latest HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:39:22 AM, on 9/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Acer\eManager\anbmServ.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Acer\ePM\EPM-DM.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\acer\eRecovery\Monitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Avant Browser\avant.exe
    C:\HJT\HiJackThis 2.02.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://ecftp1.ftn.fedex.com/
    O1 - Hosts: 90.20.33.83 sl76.avast.com
    O1 - Hosts: 232.195.78.155 rs76.avast.com
    O1 - Hosts: 85.7.255.93 download77.avast.com
    O1 - Hosts: 238.32.143.172 sl77.avast.com
    O1 - Hosts: 76.226.210.113 rs77.avast.com
    O1 - Hosts: 40.19.74.177 download78.avast.com
    O1 - Hosts: 112.21.158.14 sl78.avast.com
    O1 - Hosts: 153.196.71.145 rs78.avast.com
    O1 - Hosts: 56.162.141.166 download79.avast.com
    O1 - Hosts: 204.50.178.104 sl79.avast.com
    O1 - Hosts: 222.161.109.31 rs79.avast.com
    O1 - Hosts: 77.171.154.7 download80.avast.com
    O1 - Hosts: 227.189.47.84 sl80.avast.com
    O1 - Hosts: 43.87.114.114 rs80.avast.com
    O1 - Hosts: 135.181.105.145 download81.avast.com
    O1 - Hosts: 125.174.146.97 sl81.avast.com
    O1 - Hosts: 82.220.213.26 rs81.avast.com
    O1 - Hosts: 218.253.183.192 download82.avast.com
    O1 - Hosts: 142.153.208.165 sl82.avast.com
    O1 - Hosts: 223.230.127.47 rs82.avast.com
    O1 - Hosts: 202.232.220.219 download83.avast.com
    O1 - Hosts: 173.220.238.130 sl83.avast.com
    O1 - Hosts: 89.215.31.220 rs83.avast.com
    O1 - Hosts: 104.171.236.66 download84.avast.com
    O1 - Hosts: 209.10.225.184 sl84.avast.com
    O1 - Hosts: 185.238.197.42 rs84.avast.com
    O1 - Hosts: 140.55.18.246 download85.avast.com
    O1 - Hosts: 77.150.168.171 sl85.avast.com
    O1 - Hosts: 42.171.193.16 rs85.avast.com
    O1 - Hosts: 84.106.40.105 download86.avast.com
    O1 - Hosts: 13.195.166.245 sl86.avast.com
    O1 - Hosts: 3.130.189.187 rs86.avast.com
    O1 - Hosts: 220.116.153.135 download87.avast.com
    O1 - Hosts: 18.203.68.47 sl87.avast.com
    O1 - Hosts: 1.195.25.26 rs87.avast.com
    O1 - Hosts: 62.134.123.3 download88.avast.com
    O1 - Hosts: 43.77.199.251 sl88.avast.com
    O1 - Hosts: 200.201.134.173 rs88.avast.com
    O1 - Hosts: 204.193.232.230 download89.avast.com
    O1 - Hosts: 245.252.110.85 sl89.avast.com
    O1 - Hosts: 156.97.230.143 rs89.avast.com
    O1 - Hosts: 140.93.156.85 download90.avast.com
    O1 - Hosts: 20.133.207.26 sl90.avast.com
    O1 - Hosts: 91.125.98.192 rs90.avast.com
    O1 - Hosts: 244.24.212.163 download91.avast.com
    O1 - Hosts: 178.192.114.216 sl91.avast.com
    O1 - Hosts: 190.25.203.183 rs91.avast.com
    O1 - Hosts: 230.225.101.150 download92.avast.com
    O1 - Hosts: 56.27.174.216 sl92.avast.com
    O1 - Hosts: 208.108.53.39 rs92.avast.com
    O1 - Hosts: 238.197.26.253 download93.avast.com
    O1 - Hosts: 76.66.196.105 sl93.avast.com
    O1 - Hosts: 174.82.209.16 rs93.avast.com
    O1 - Hosts: 186.25.83.114 download94.avast.com
    O1 - Hosts: 128.249.11.8 rs94.avast.com
    O1 - Hosts: 217.232.219.107 download95.avast.com
    O1 - Hosts: 133.192.120.42 sl95.avast.com
    O1 - Hosts: 182.202.228.203 rs95.avast.com
    O1 - Hosts: 184.158.8.134 download96.avast.com
    O1 - Hosts: 128.68.167.74 sl96.avast.com
    O1 - Hosts: 135.154.145.1 rs96.avast.com
    O1 - Hosts: 217.245.25.21 download97.avast.com
    O1 - Hosts: 104.11.200.51 sl97.avast.com
    O1 - Hosts: 167.17.83.79 rs97.avast.com
    O1 - Hosts: 84.32.203.232 download98.avast.com
    O1 - Hosts: 149.221.20.141 sl98.avast.com
    O1 - Hosts: 71.89.152.160 rs98.avast.com
    O1 - Hosts: 147.54.60.90 download99.avast.com
    O1 - Hosts: 194.12.148.15 sl99.avast.com
    O1 - Hosts: 82.10.82.179 rs99.avast.com
    O1 - Hosts: 73.225.5.158 download100.avast.com
    O1 - Hosts: 201.221.0.140 sl100.avast.com
    O1 - Hosts: 229.85.151.232 rs100.avast.com
    O1 - Hosts: 179.70.146.74 download101.avast.com
    O1 - Hosts: 162.59.219.62 sl101.avast.com
    O1 - Hosts: 14.112.122.71 rs101.avast.com
    O1 - Hosts: 18.54.195.35 download102.avast.com
    O1 - Hosts: 158.153.206.81 sl102.avast.com
    O1 - Hosts: 201.65.40.209 rs102.avast.com
    O1 - Hosts: 104.150.200.43 download103.avast.com
    O1 - Hosts: 223.40.69.178 sl103.avast.com
    O1 - Hosts: 55.77.70.10 rs103.avast.com
    O1 - Hosts: 113.12.57.232 download104.avast.com
    O1 - Hosts: 26.57.72.25 sl104.avast.com
    O1 - Hosts: 32.226.136.198 rs104.avast.com
    O1 - Hosts: 228.234.116.246 download105.avast.com
    O1 - Hosts: 144.244.155.84 sl105.avast.com
    O1 - Hosts: 171.130.149.51 rs105.avast.com
    O1 - Hosts: 235.94.59.207 download106.avast.com
    O1 - Hosts: 74.58.24.213 sl106.avast.com
    O1 - Hosts: 91.147.26.38 rs106.avast.com
    O1 - Hosts: 223.219.141.216 download107.avast.com
    O1 - Hosts: 148.214.74.126 sl107.avast.com
    O1 - Hosts: 77.69.44.170 rs107.avast.com
    O1 - Hosts: 71.194.196.176 download108.avast.com
    O1 - Hosts: 187.235.78.172 sl108.avast.com
    O1 - Hosts: 176.194.227.198 rs108.avast.com
    O1 - Hosts: 19.84.240.180 download109.avast.com
    O1 - Hosts: 9.153.230.129 sl109.avast.com
    O1 - Hosts: 132.156.51.141 rs109.avast.com
    O1 - Hosts: 21.219.114.214 download110.avast.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
    O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Windows Live™ Messenger.lnk = C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.05.04&unknown&unknown&http://vaio-online.sony.com/prod_info/vgc-la38g/product_outline.html
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185859236445
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185859043567
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ftn.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = snet.com
    O17 - HKLM\Software\..\Telephony: DomainName = snet.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = snet.com
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\tomcat\bin\tomcat5.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

    --
    End of file - 13630 bytes
  • Trogan London, UK
    edited September 2007
    Hi marsulein!

    I know what the problem is, I think...

    1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

    Java(TM) SE Runtime Environment 6 Update 1

    2. Open HostsXpert. At the top, change "Make Writeable" to "Make ReadOnly" and then click on "Restore MS Hosts File". If it works, change HostsXpert back to "Make Writeable".

    3. Post a new HijackThis log.
  • edited September 2007
    Hi Trogan,

    Finally you managed to get rid of the O1 entries. GREAT!!!!!! And here is the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:19:53 AM, on 9/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Acer\eManager\anbmServ.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Acer\ePM\EPM-DM.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\acer\eRecovery\Monitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\HJT\HiJackThis 2.02.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://ecftp1.ftn.fedex.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
    O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Windows Live™ Messenger.lnk = C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.05.04&unknown&unknown&http://vaio-online.sony.com/prod_info/vgc-la38g/product_outline.html
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185859236445
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185859043567
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ftn.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = snet.com
    O17 - HKLM\Software\..\Telephony: DomainName = snet.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = snet.com
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\tomcat\bin\tomcat5.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

    --
    End of file - 9139 bytes

    P.S: On a side note, MSCONFIG and REGEDIT are back. WOOHOO!!!!
  • Trogan (London, UK)
    edited September 2007
    Excellent! :)

    Can I get you to run one more scan please...

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases

        • Click OK
        • Now under select a target to scan, select My Computer
        • The program will start and scan your system.
        • The scan will take a while so be patient and let it run.
        • Once the scan is complete it will display if your system has been infected.
        • Now click on the Save as Text button:
        • Save the file to your desktop.
        Post the Kaspersky log, along with a new HijackThis log.
      • edited September 2007
        Hi again Trogan,

        Been able to use my laptop without freezing so far. Good sign!

        I've zipped up the Kaspersky log and attached it here since copying into a txt will mess up the alignment and all.

        Below is the latest HJT log:

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 7:33:13 AM, on 9/14/2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16414)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
        C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
        C:\Acer\eManager\anbmServ.exe
        C:\Program Files\Symantec AntiVirus\DefWatch.exe
        C:\WINDOWS\system32\inetsrv\inetinfo.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
        C:\Program Files\Symantec AntiVirus\Rtvscan.exe
        C:\Program Files\UPHClean\uphclean.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\SOUNDMAN.EXE
        C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
        C:\WINDOWS\system32\rundll32.exe
        C:\WINDOWS\AGRSMMSG.exe
        C:\Acer\ePM\EPM-DM.exe
        C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\Program Files\Common Files\Symantec Shared\ccApp.exe
        C:\PROGRA~1\SYMANT~1\VPTray.exe
        C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\acer\eRecovery\Monitor.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
        C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
        C:\HJT\HiJackThis 2.02.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://ecftp1.ftn.fedex.com/
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
        O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
        O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
        O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
        O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
        O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe
        O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
        O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
        O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
        O4 - Global Startup: Windows Live™ Messenger.lnk = C:\Program Files\Windows Live\Messenger\msnmsgr.exe
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.05.04&unknown&unknown&http://vaio-online.sony.com/prod_info/vgc-la38g/product_outline.html
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
        O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
        O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
        O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185859236445
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185859043567
        O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
        O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
        O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
        O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
        O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ftn.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
        O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = snet.com
        O17 - HKLM\Software\..\Telephony: DomainName = snet.com
        O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = snet.com
        O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
        O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
        O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
        O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
        O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
        O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
        O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
        O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
        O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
        O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
        O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
        O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\tomcat\bin\tomcat5.exe
        O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

        --
        End of file - 9228 bytes
      • Trogan (London, UK)
        edited September 2007
        Hi marsulein,

        Good news all round then! The Kaspersky report and HijackThis log are clean.

        Let me know if I can help with anything else, or if we can archive this thread.
      • edited September 2007
        Words are not enough to express my gratitude but still I have to say THANK YOU.

        Please archive this thread and hopefully this can serve a purpose for those who are infected with this virus. I have followed the same steps with the other laptop which is infected and everything works fine up to this point.

        Thanks Trogan! You save my days.
      • Trogan (London, UK)
        edited September 2007
        You are welcome! :)

        Here are some tips for a clean and secure computer.

        For XP users.
        It's a good idea to Flush your System Restore points after ridding yourself of malware. You can clean this by doing the following:
        • Click Start | Help and Support | Undo changes to your computer with System Restore.
        • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
        • Close the Help and Support Center box.
        • Click Start | Run and type Cleanmgr
        • Select (C: ) then click OK.
        • Click the More Options tab.
        • Click Clean Up in the System Restore Section.
        This will remove all previous restore points except the newly created one.

        Make your Internet Explorer more secure
        1. From within Internet Explorer click on the Tools menu and then click on Options.
        2. Click on the Security tab
        3. Click the Internet icon so it becomes highlighted.
        4. Click on Default Level and click OK
        5. Click on the Custom Level button.
          • Change the Download signed ActiveX controls to Prompt
          • Change the Download unsigned ActiveX controls to Disable
          • Change the Initialise and script ActiveX controls not marked as safe to Disable
          • Change the Installation of desktop items to Prompt
          • Change the Launching programs and files in an IFRAME to Prompt
          • Change the Navigate sub-frames across different domains to Prompt
          • Internet Explorer 7 users: Check all other items and make sure that they meet the (recommended) setting when applies.
          • When all these settings have been made, click on the OK button.
          • If it prompts you as to whether or not you want to save the settings, press the Yes button.
        6. Next press the Apply button and then the OK to exit the Internet Properties page.
        Free programs that may help you in keeping the PC clean
        • SpywareBlaster
          SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
          You can download SpywareBlaster here
          A tutorial can be found here
        • SpywareGuard
          It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
          You can download SpywareGuard here
          A tutorial can be found here
        • IE-SPYAD
          IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
          You can download IE-SPYAD here
          A tutorial can be found here
        • Hosts File
          A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
          A tutorial can be found here
          • MVPS Hosts File
            You can download the MVPS Hosts File here
            Furthermore the website contains useful tips and links to other resources and utilities.
          • Bluetack's Hosts File and Hosts Manager
            Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites...sites responsible for hijacks, rogue applications etc...
            Download Bluetack's Hosts file here
            Download Bluetack's HostsManager here
        Free Spyware Detection and Removal Programs
        • Ad-Aware
          It scans for known spyware on your computer. These scans should be run at least once every two weeks.
          You can download Ad-Aware here
          A tutorial can be found here
        • Spybot - Search & Destroy
          It scans for spyware and other malicious programs. Spybot has preventive tools that stop programs from even installing on your computer.
          You can download Spybot - S&D here
          A tutorial can be found here
        Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright Foistware.
        You will find the list here

        WinPatrol

        WinPatrol uses a heuristic approach to detecting attacks and violations of your computing environment. Traditional security programs scan your hard drive searching for previously identified threats. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You'll be removing dangerous new programs while others download new reference files.
        • Detect & Neutralize Spyware.
        • Detect & Neutralize ADware.
        • Detect & Neutralize Viral infections.
        • Detect & Neutralize Unwanted IE Add-Ons.
        • Detect & Restore File Type Changes.
        • Automatically Filter Unwanted Cookies.
        • Avoid Start Page Hijacking.
        • Detect changes to HOSTS & critical system files.
        • Kill Multiple Tasks that replicate each other, in a single step!
        • Stop programs that repeatedly add themselves to your Startup List!
        Starting with WinPatrol 9.5 PLUS users also get the addition of Real-time Infiltration Detection so they'll know immediately when changes are made to critical system areas. WinPatrol Free is not demo or trial software. You're welcome to use it as long as you like.
        You can download WinPatrol here
        WinPatrol FAQ

        SiteHound by Firetrust

        Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

        SiteHound will alert you when you enter a site which is known to contain:
        • Fraudulent claims or scams
        • Offensive material
        • Security vulnerabilities
        • Spyware or Adware
        • Spam related material
        • or other content deemed to be unsafe
        Specifically, SiteHound blocks these categories:

        • Adult
        • Spyware
        • Spam Advertising
        • Phishing
        • Possible scam or fraud
        • Misleading or False Advertising
        • Pharming
        • Rogue or Suspect Product
        • Adware
        • Malware or Virus

        System Requirements:
        Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

        Product Info & Download: SiteHound Toolbar

        Use an AntiVirus Software

        It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online and stand-alone antivirus programs.

        Computer Safety On line - Anti-Virus


        Update your Anti Virus Software

        It is imperative that you update your anti-virus software at least once a week (more often if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.

        Use a Firewall

        I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.

        Computer Safety On line - Software Firewalls

        A tutorial on Understanding and Using Firewalls can be found here

        Happy Surfing! :)
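The HostsXpert "Restore MS Hosts File" step earlier in the thread and the Hosts file tip above rest on the same idea: a hosts line that maps a name to 127.0.0.1 is protective when the name is an ad or spyware site (the MVPS and Bluetack lists) and a hijack when the name is a security vendor or update server, which is what the O1 entries HijackThis reported earlier in this thread look like. The following Python script is an added example, not code from the forum thread, from HostsXpert, or from the MVPS or Bluetack projects. It parses hosts-file text, classifies each entry, and strips only the hijack lines so a legitimate blocklist survives the clean-up. The protected-domain suffix list and the sample hosts content are constructed for the example (the vendor domains are ones that appear in the thread's logs; the hijack lines are made up).

```python
"""Audit a Windows-style hosts file: separate blocklist entries from hijacks.

Added example for the thread above; not the thread's own code and not part of
HostsXpert, MVPS or Bluetack. Works on hosts-file text, so it runs anywhere.
"""
import ipaddress
from dataclasses import dataclass

# Addresses a blocklist-style hosts file uses to sink a name.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains that should never be remapped by a hosts file: security vendors and
# update servers. Assumption for this example (names taken from the thread's
# logs); extend it for your own environment.
PROTECTED_SUFFIXES = ("microsoft.com", "symantec.com", "kaspersky.com", "bitdefender.com")

# Constructed sample; the hijack lines are invented for illustration only.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# Constructed sample for this example; not taken from any real machine.
127.0.0.1       localhost
# blocklist-style entries (the MVPS / Bluetack pattern)
127.0.0.1  ads.adserver.example
0.0.0.0    tracker.spyware.example
# hijack-style entries of the kind an O1 line in HijackThis represents
127.0.0.1  liveupdate.symantec.com
127.0.0.1  www.kaspersky.com
203.0.113.7  update.microsoft.com
10.0.0.5   intranet.corp.example
not a hosts line
"""


@dataclass
class HostsEntry:
    line_no: int
    ip: str
    names: list
    verdict: str = ""


def _is_protected(name, suffixes):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def parse_hosts(text):
    """Parse hosts text into entries; comments, blank and malformed lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address, so not a mapping
        entries.append(HostsEntry(line_no, parts[0], parts[1:]))
    return entries


def classify(entry, suffixes=PROTECTED_SUFFIXES):
    """default: the stock localhost line; blocklist: a name sunk to loopback;
    hijack-blackhole: a protected domain sunk (update/AV sites silently broken);
    hijack-redirect: a protected domain sent to a foreign address (pharming);
    review: any other non-loopback mapping, e.g. an intranet host."""
    names = [n.lower() for n in entry.names]
    sunk = entry.ip in SINK_ADDRESSES
    if sunk and all(n == "localhost" for n in names):
        return "default"
    if any(_is_protected(n, suffixes) for n in names):
        return "hijack-blackhole" if sunk else "hijack-redirect"
    return "blocklist" if sunk else "review"


def audit(text, suffixes=PROTECTED_SUFFIXES):
    entries = parse_hosts(text)
    for entry in entries:
        entry.verdict = classify(entry, suffixes)
    return entries


def strip_hijacks(text, suffixes=PROTECTED_SUFFIXES):
    """Return the hosts text with hijack lines removed; comments, the default
    localhost line and blocklist lines are kept untouched."""
    bad = {e.line_no for e in audit(text, suffixes) if e.verdict.startswith("hijack")}
    kept = [line for n, line in enumerate(text.splitlines(), start=1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for e in audit(SAMPLE_HOSTS):
        print(f"line {e.line_no:>2}: {e.verdict:<16} {e.ip:<12} {' '.join(e.names)}")
    print("--- cleaned ---")
    print(strip_hijacks(SAMPLE_HOSTS), end="")
```

Run it on a copy of `C:\WINDOWS\system32\drivers\etc\hosts` (read the file into `audit`) to see which lines a hosts-based blocklist added and which ones a hijack added; only the `hijack-*` verdicts need removing, while `review` entries such as intranet names are for a human to confirm.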