# Solved: Combined SmitFraud.C, Zlob, and Vario infection: Spybot and HJT logs



## techkid (Sep 2, 2004)

Hi all,

About a month ago, I began a spyware cleaning on my dad's friend's computer (Cookiegal was last assisting me with this):

http://forums.techguy.org/malware-removal-hijackthis-logs/647949-solved-need-help-malware-fix.html

Well, now it's back in my hands to fix, and so I need your help. Here are both Spybot and HJT logs:

--- Report generated: 2007-12-28 13:33 ---

Smitfraud-C.: Autorun settings (WinAVX) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinAVX

Smitfraud-C.: Program file (File, fixed)
C:\WINDOWS\system32\WinAvXX.exe

Smitfraud-C.: Autorun settings (WinAVX) (Registry value, fixed)
HKEY_USERS\S-1-5-21-3806293429-407118150-2358220067-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinAVX

Smitfraud-C.: Executable (File, fixed)
C:\Documents and Settings\Oem User\Start Menu\Programs\Startup\system.exe

Smitfraud-C.: Executable (File, fixed)
C:\WINDOWS\system32\printer.exe

Microsoft.Windows.Explorer: User settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-3806293429-407118150-2358220067-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel!=W=0

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
downloads-us2.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
downloads-us3.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
ftp.downloads1.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
ftp.downloads2.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
ftp.downloads3.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
norton.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
updates1.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
updates2.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
updates3.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
updates4.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.symantec.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
securityresponse.symantec.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
symantec.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
pandasoftware.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.pandasoftware.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
downloads-us1.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
virustotal.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.virustotal.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
microsoft.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.microsoft.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
virusscan.jotti.org=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.grisoft.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
avp.ch=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
avp.ru=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
download.microsoft.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
downloads.microsoft.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
downloads1.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
downloads2.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
downloads3.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
downloads4.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
ftp.f-secure.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
ftp.sophos.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
go.microsoft.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
ids.kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
kaspersky-labs.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
media.fastclick.net=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
ar.atwola.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
spd.atdmt.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
msdn.microsoft.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
office.microsoft.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
phx.corporate-ir.net=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
service1.symantec.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
support.microsoft.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
vil.nai.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
viruslist.ru=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
windowsupdate.microsoft.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.avp.ch=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.avp.ru=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.fastclick.net=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.kaspersky.ru=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www3.ca.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.trendmicro.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
trendmicro.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
rads.mcafee.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
customer.symantec.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
liveupdate.symantec.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
us.mcafee.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
updates.symantec.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
update.symantec.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.nai.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
nai.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
secure.nai.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
dispatch.mcafee.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
download.mcafee.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.my-etrust.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
my-etrust.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
mast.mcafee.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
ca.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.ca.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
networkassociates.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.networkassociates.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
avp.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.kaspersky.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.avp.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
kaspersky.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.f-secure.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
f-secure.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
viruslist.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.viruslist.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
liveupdate.symantecliveupdate.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
mcafee.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.mcafee.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
sophos.com=192.168.200.3

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, fixed)
www.sophos.com=192.168.200.3

Microsoft.WindowsSecurityCenter.TaskManager: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-3806293429-407118150-2358220067-1004\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr!=dword:0

Microsoft.WindowsSecurityCenter.RegistryTools: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-3806293429-407118150-2358220067-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools!=dword:0

Microsoft.WindowsSecurityCenter.RegistryTools: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools!=dword:0

Microsoft.WindowsSecurityCenter.TaskManager: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr!=dword:0

Microsoft.Windows.System: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr!=W=0

Microsoft.Windows.System: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoControlPanel!=W=0

Zlob.DNSChanger: TCP/IP Settings #1 (Undefined) (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F8041FF3-8A7B-4B3D-88B3-88AC70EE9F7A}\DhcpNameServer=208.67.220.220,208.67.222.222

Smitfraud-C.generic: Executable (File, fixed)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe

Vario.AntiVirus: Tracking cookie (Internet Explorer: Oem User) (Cookie, fixed)

Vario.AntiVirus: Tracking cookie (Internet Explorer: Oem User) (Cookie, fixed)

Vario.AntiVirus: Tracking cookie (Internet Explorer: Oem User) (Cookie, fixed)

Vario.AntiVirus: Tracking cookie (Internet Explorer: Oem User) (Cookie, fixed)

Vario.AntiVirus: Tracking cookie (Internet Explorer: Oem User) (Cookie, fixed)

Vario.AntiVirus: Tracking cookie (Internet Explorer: Oem User) (Cookie, fixed)

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-11-05 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-12-19 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-12-19 Includes\DialerC.sbi (*)
2007-11-07 Includes\Hijackers.sbi (*)
2007-12-19 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-12-19 Includes\KeyloggersC.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-12-19 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-12-19 Includes\PUPSC.sbi (*)
2007-12-19 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-12-19 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-12-19 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-12-12 Includes\Trojans.sbi (*)
2007-12-19 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
______________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:13 PM, on 28/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unwired\UwSCT.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi Client\Configurator\ventcfg.exe -nomsgbox
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: vwlsp.dll
O10 - Unknown file in Winsock LSP: vwlsp.dll
O10 - Unknown file in Winsock LSP: vwlsp.dll
O10 - Unknown file in Winsock LSP: vwlsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Venturi Client\Client\ventc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8081 bytes


----------



## Cookiegal (Aug 27, 2003)

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

 WARNING: *IF you have not already done so ComboFix will disconnect your machine from the Internet when it starts. *
*Please do not re-connect your machine back to the Internet until ComboFix has completely finished.*
If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.

***Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall***


----------



## techkid (Sep 2, 2004)

Thanks for a quick reply. Here are the ComboFix and HJT logs:

ComboFix 07-12-29.2 - Oem User 2007-12-29 8:49:26.1 - NTFSx86
Running from: C:\Documents and Settings\Oem User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\popcorn Terms.html

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\npf

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-28 14:46 . 2007-12-20 23:11	81,920	--a------	C:\WINDOWS\system32\IEDFix.exe
2007-12-28 11:03 . 2007-12-28 11:03	552	--a------	C:\WINDOWS\system32\d3d8caps.dat
2007-12-28 10:11 . 2007-12-29 09:11	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2007-12-28 10:11 . 2007-12-28 10:11	1,409	--a------	C:\WINDOWS\QTFont.for
2007-12-26 15:49 . 2007-12-26 15:49 d--------	C:\Program Files\Common Files\PCSuite
2007-12-26 15:48 . 2007-12-26 15:48 d--------	C:\Program Files\Common Files\Nokia
2007-12-26 15:42 . 2007-12-26 15:42 d--------	C:\Program Files\PC Connectivity Solution
2007-12-26 15:39 . 2007-02-22 10:15	137,216	--a------	C:\WINDOWS\system32\drivers\nmwcd.sys
2007-12-26 15:39 . 2007-02-22 10:15	90,624	--a------	C:\WINDOWS\system32\nmwcdcls.dll
2007-12-26 15:39 . 2007-02-22 10:15	65,536	--a------	C:\WINDOWS\system32\nmwcdcocls.dll
2007-12-26 15:39 . 2007-02-22 10:15	12,288	--a------	C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-12-26 15:39 . 2007-02-22 10:15	12,288	--a------	C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-12-26 15:39 . 2007-02-22 10:15	8,320	--a------	C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-12-26 15:33 . 2007-12-26 15:34 d--------	C:\Documents and Settings\All Users\Application Data\Installations
2007-12-25 16:21 . 2007-12-25 16:21	268	--ah-----	C:\sqmdata00.sqm
2007-12-25 16:21 . 2007-12-25 16:21	244	--ah-----	C:\sqmnoopt00.sqm
2007-12-25 12:06 . 2007-12-25 12:06	0	--a------	C:\rollback.ini
2007-12-16 10:03 . 2007-12-16 10:03 d--------	C:\Documents and Settings\Oem User\Application Data\MailFrontier
2007-12-16 09:31 . 2007-12-16 09:31 d--------	C:\Program Files\ZoneAlarmSB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 22:10	---------	d-----w	C:\Program Files\Unwired
2007-12-28 22:04	4,859,936	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-28 22:04	39,044	--sha-w	C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-28 06:42	---------	d-----w	C:\Documents and Settings\Oem User\Application Data\AVG7
2007-12-26 07:42	---------	d-----w	C:\Documents and Settings\Oem User\Application Data\PC Suite
2007-12-26 07:42	---------	d-----w	C:\Documents and Settings\Oem User\Application Data\Nokia
2007-12-26 07:31	---------	d-----w	C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-26 04:52	---------	d-----w	C:\Program Files\DIFX
2007-12-26 04:48	---------	d-----w	C:\Program Files\Nokia
2007-12-25 00:42	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg7
2007-12-22 00:18	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2007-12-16 01:12	---------	d-----w	C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-02 06:49	---------	d-----w	C:\Program Files\Windows Live Toolbar
2007-11-17 22:38	---------	d-----w	C:\Program Files\PhoTags Express
2007-11-14 05:05	75,248	----a-w	C:\WINDOWS\zllsputility.exe
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 06:54	---------	d-----w	C:\Program Files\Trend Micro
2007-11-05 05:31	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 23:06	---------	d-----w	C:\Documents and Settings\Oem User\Application Data\SUPERAntiSpyware.com
2007-11-03 07:38	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 16:41	---------	d-----w	C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-09 07:57	24,192	----a-w	C:\Documents and Settings\Oem User\usbsermptxp.sys
2007-09-09 07:57	22,768	----a-w	C:\Documents and Settings\Oem User\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-02 23:09]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-09-01 17:58 C:\WINDOWS\system32\VTTimer.exe]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"Venturi Configurator"="C:\Program Files\Venturi Client\Configurator\ventcfg.exe" [2006-11-20 22:29]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-25 12:16]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 23:00 C:\WINDOWS\system32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 15:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-28 09:45]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58]

C:\Documents and Settings\Oem User\Start Menu\Programs\Startup\
Unwired Launchpad.lnk - C:\Program Files\Unwired\UwSCT.exe [2005-09-06 21:10:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-09-07 14:43:42]
Unwired Launchpad.lnk - C:\Program Files\Unwired\UwSCT.exe [2005-09-06 21:10:06]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 15:25 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 15:11 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pinnacle Scheduler.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pinnacle Scheduler.lnk
backup=C:\WINDOWS\pss\Pinnacle Scheduler.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 23:00	15360	--a------	C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 00:42	49152	--a------	C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-07-25 21:01	1397760	---------	C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 12:20	155648	--a------	C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 19:05	32768	--a------	C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 03:53	75520	--a------	C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 20:22]
S3 BTNetFilter;Bluetooth Network Filter;C:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 17:32]
S3 EraserUtilDrv1061;EraserUtilDrv1061;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv1061.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72337541-296d-11da-9fc2-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 04:00:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-28 21:40:12 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 09:12:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-29 9:19:07 - machine was rebooted
.
2007-12-12 12:07:15	--- E O F ---
______________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:38 AM, on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unwired\UwSCT.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi Client\Configurator\ventcfg.exe -nomsgbox
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: vwlsp.dll
O10 - Unknown file in Winsock LSP: vwlsp.dll
O10 - Unknown file in Winsock LSP: vwlsp.dll
O10 - Unknown file in Winsock LSP: vwlsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Venturi Client\Client\ventc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7976 bytes

I can see that it's looking better than it was. But I'll bet there's still more to go.


----------



## Cookiegal (Aug 27, 2003)

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

Also, do this please:

Open HijackThis and click on "Config" and then on the "Misc Tools" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## techkid (Sep 2, 2004)

Well, this machine has decided to be a pain in the rectal cavity (to put it politely). I had attempted to run the Panda ActiveScan scans twice, and at approximately the same point (somewhere around the 30,000th file scanned) it would go to a blank screen and freeze, requiring a system restart.

I will still post the Uninstall List as you have requested:

3200 USB-Handset Manager
6610i USB-Handset Manager
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.0
Adobe® Photoshop® Album Starter Edition 3.2
Apple Mobile Device Support
Apple Software Update
AVG Anti-Spyware 7.5
AVG Free Edition
BlueSoleil
Bonjour
CCScore
C-Media 3D Audio
DVD Shrink 3.2
DX-Ball 1.09
Encyclopaedia Britannica Student Library CD
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
HijackThis 2.0.2
HLPPDOCK
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB929120)
HP Extended Capabilities 5.3
HP Imaging Device Functions 5.3
HP Photosmart Essential
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
InterActual Player
iTunes
J2SE Runtime Environment 5.0 Update 11
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.5
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero Suite
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Panda ActiveScan
PC Connectivity Solution
PhoTags Express 
Pinnacle PCTV
Pinnacle TRex
PowerDVD
QuickTime
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
SFR
SHASTA
SKIN0001
SKINXSDK
Spybot - Search & Destroy 1.4
staticcr
SUPERAntiSpyware Free Edition
UniChrome IGP Driver and Utilities
Unwired
Unwired
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VIA Rhine-Family Fast Ethernet Adapter
VPRINTOL
V-Rally2 Expert Edition
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WIRELESS
ZoneAlarm
ZoneAlarm Spy Blocker

I will also open a new thread (in the WinNT/2K/XP forum) containing the error logs pertaining to the freezing, and provide a link for you to check.


----------



## techkid (Sep 2, 2004)

Here is the link to the thread relating to the system lockup (if it is needed):

http://forums.techguy.org/windows-nt-2000-xp/665943-system-lockup-during-malware-fix.html


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes * group click *ALL* 
In the *Win32 Services * group click *ALL* 
In the *Driver Services * group click *ALL* 
In the *Registry * group click *ALL* 
In the *Files Created Within* group click *60 days* Make sure Non-Microsoft only is *UNCHECKED*
In the *Files Modified Within* group select *30 days* Make sure Non-Microsoft only is *UNCHECKED*
In the *File String Search* group click *SELECT ALL*
in the *Additional Scans* sections please press select *ALL* and make sure Non-Microsoft only is *UNCHECKED*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## techkid (Sep 2, 2004)

Sorry for backtracking, Cookiegal. I did end up getting Panda ActiveScan to work. It turns out that AVG was causing a disruption to the scans and causing it to crash. The log will be attached.

I will proceed to the next step later tonight.


----------



## techkid (Sep 2, 2004)

Now I'm on track, Cookiegal. I finally managed to get WinPFind3U running, since I found it requires not even background services to interfere with it running. I'll attach the log file.


----------



## Cookiegal (Aug 27, 2003)

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.



> [Kill Explorer]
> [Registry - All]
> < Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
> YN -> NavLogon -> Reg Data - Value does not exist
> ...


----------



## Cookiegal (Aug 27, 2003)

Also, delete these files manually:

c:\windows\*hh.ico*
c:\windows\system32\*windll.ini*
C:\WINDOWS\system32\drivers\etc\*hosts.20071105-162950.backup*


----------



## techkid (Sep 2, 2004)

Thanks for the fix. I have the WinPFind3U log and the HJT log for you to check over.


----------



## Cookiegal (Aug 27, 2003)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:09 PM, on 31/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unwired\UwSCT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7342 bytes


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch*

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of *Java* components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

*Upgrading Java*: 

Download the latest version of *Java Runtime Environment (JRE) 6 Update 3*.
Scroll down to where it says "* Java Runtime Environment (JRE) 6 Update 3. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* - *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

How are things running now?


----------



## techkid (Sep 2, 2004)

Given the fact that this system is running 256MB RAM, slowing it down considerably, it's running pretty good now. I've done the Java update, and removed the wmplayer.exe entry from HijackThis as you requested. I'll send the log as an attachment.

I did notice an odd entry in the Add/Remove Programs list. In there was an entry "MarketResearch" with no info or even a Remove button! I've made a screendump of it as well.

One final question. The owner likes to have his home page set to about:blank, yet when I go into both Internet Explorer and SUPERAntiSpyware to change it, it reverts back to Google. What could be causing that?

PS Happy New Year to you.


----------



## Cookiegal (Aug 27, 2003)

Pasting the log for easier viewing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:54 AM, on 1/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unwired\UwSCT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7225 bytes


----------



## Cookiegal (Aug 27, 2003)

I would consider uninstalling the ZoneAlarm Spy Blocker. You can read about it here:

http://www.castlecops.com/modules.php?name=CLSID&query=F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA

We deleted MarketResearch with WinpFind3u so it looks like that's just a remnant. If you double click on it does it give you a message asking if you want to delete it from the list? If not, we can use HijackThis to delete it:

Open HijackThis and click on *config *- *misc tools *- *Open Uninstall Manager*. From the list, highlight MarketResearch and then click on "Delete this entry" and that should do the trick.

It must be one of the security programs preventing changes to the home page. It's possible that it's locked by SpyBot S & D. Look under IE Tweaks (Lock IE Start page setting against user changes....)


----------



## techkid (Sep 2, 2004)

Thanks for the tip. I never would have thought that ZoneAlarm would be attached (indirectly, at least) to MyWebSearch. Kind of funny, in a strange kind of way.

Unfortunately, double-clicking on MarketResearch doesn't do anything, and better still, it doesn't directly appear in HJT's uninstall list. This is what I've got:

3200 USB-Handset Manager
6610i USB-Handset Manager
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.0
Adobe® Photoshop® Album Starter Edition 3.2
Apple Mobile Device Support
Apple Software Update
AVG Anti-Spyware 7.5
AVG Free Edition
BlueSoleil
Bonjour
CCScore
C-Media 3D Audio
DVD Shrink 3.2
DX-Ball 1.09
Encyclopaedia Britannica Student Library CD
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
HijackThis 2.0.2
HLPPDOCK
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB929120)
HP Extended Capabilities 5.3
HP Imaging Device Functions 5.3
HP Photosmart Essential
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
InterActual Player
iTunes
Java(TM) 6 Update 3
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.5
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero Suite
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Panda ActiveScan
PC Connectivity Solution
PhoTags Express 
Pinnacle PCTV
Pinnacle TRex
PowerDVD
QuickTime
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
SFR
SHASTA
SKIN0001
SKINXSDK
Spybot - Search & Destroy 1.4
staticcr
SUPERAntiSpyware Free Edition
UniChrome IGP Driver and Utilities
Unwired
Unwired
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VIA Rhine-Family Fast Ethernet Adapter
VPRINTOL
V-Rally2 Expert Edition
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WIRELESS
ZoneAlarm

Some of those odd entries (eg ESSSONIC, kgcbaby and the like) _seem_ to be attached to Kodak software, so I'm at a loss to see where MarketResearch comes into play.

On the last note, I got Internet Explorer to co-operate. I disabled the Home Page lock in SUPERAntiSpyware, then changed it to about:blank, then re-enabled it. That's at least one less thing to worry about.


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a LookUninstall.zip file. Save it to your desktop. Unzip it and double-click the LookUninstall.bat file and allow it to run. It will open up a report automatically in Notepad. Please copy and paste the contents here.


----------



## techkid (Sep 2, 2004)

The log file is way too massive to be pasted as text (248551 characters). I'll have to send it as an attachment.


----------



## Cookiegal (Aug 27, 2003)

Please run WinpFind3u again and post the log.


----------



## techkid (Sep 2, 2004)

Here is the WinPFind3U file. Hopefully a remnant of that MarketResearch can be found.


----------



## Cookiegal (Aug 27, 2003)

Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and double click on the file to run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Copy and Paste the following in the search box:

*MarketResearch*

Copy and paste the results here please.


----------



## techkid (Sep 2, 2004)

Here are the results of the scan. There's a couple of entries that seem worrying in there...

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "MarketResearch" 3/01/2008 8:15:41 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\A7B226B5BF0603641BD11F122DB0CC6D]
"MarketResearch"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A7B226B5BF0603641BD11F122DB0CC6D]
"ProductName"="MarketResearch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A7B226B5BF0603641BD11F122DB0CC6D\SourceList]
"PackageName"="marketresearch.msi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A7B226B5BF0603641BD11F122DB0CC6D\SourceList\Media]
"MediaPackage"="\\setup\\MarketResearch\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Hewlett-Packard\Install\{10E65ED7-1CE3-4422-896B-FA5055ABEB5E}]
"Filename"="D:\\setup\\MarketResearch\\MarketResearch.msi"

"MarketResearch"="k)[email protected]+y[c'C)_pt[.=.%pn9`32NcS*]}SqS^?CJ$S^Ah=fnng&[email protected],[email protected])gG}w+vS"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A7B226B5BF0603641BD11F122DB0CC6D\InstallProperties]
"InstallSource"="D:\\setup\\MarketResearch\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A7B226B5BF0603641BD11F122DB0CC6D\InstallProperties]
"DisplayName"="MarketResearch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A7B226B5BF0603641BD11F122DB0CC6D\Usage]
"MarketResearch"=dword:36ef0082

[HKEY_USERS\S-1-5-21-3806293429-407118150-2358220067-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="MarketResearch"


----------



## Cookiegal (Aug 27, 2003)

Before we proceed, I'd like to see a few other keys to make sure there are no other entries beneath them.

I'm attaching a LookFeatures.zip file. Save it to your desktop. Extract the three files it contains: LookFeatures.bat, LookInstall.bat and LookProducts.bat. Double click-on each one and a report will open up in Notepad. Please copy and paste the reports for the three items in a reply.


----------



## techkid (Sep 2, 2004)

Here are the results of those scans. It's a positive step for finding the remains.

LookFeatures results:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\A7B226B5BF0603641BD11F122DB0CC6D]
"UpgradeInformationFeature"=""
"RegistryKeys"=""
"MarketResearch"=""
"MarsInfc"=""
_________________________

LookInstall results

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Hewlett-Packard\Install\{10E65ED7-1CE3-4422-896B-FA5055ABEB5E}]
"RefCount"=dword:00000001
"Version"=dword:3500000d
"Version_STR"="53.0.1"
"Filename"="D:\\setup\\MarketResearch\\MarketResearch.msi"
"section"="MSI.Mars"
_________________________

LookProducts results

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A7B226B5BF0603641BD11F122DB0CC6D]
"ProductName"="MarketResearch"
"PackageCode"="6201C26A6F5A41E47892E89C884CAF59"
"Language"=dword:00000409
"Version"=dword:3500000d
"Assignment"=dword:00000001
"AdvertiseFlags"=dword:00000184
"InstanceType"=dword:00000000
"AuthorizedLUAApp"=dword:00000000
"Clients"=hex(7):3a,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A7B226B5BF0603641BD11F122DB0CC6D\SourceList]
"PackageName"="marketresearch.msi"
"LastUsedSource"=hex(2):6d,00,3b,00,31,00,3b,00,44,00,3a,00,5c,00,73,00,65,00,\
74,00,75,00,70,00,5c,00,4d,00,61,00,72,00,6b,00,65,00,74,00,52,00,65,00,73,\
00,65,00,61,00,72,00,63,00,68,00,5c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A7B226B5BF0603641BD11F122DB0CC6D\SourceList\Media]
"MediaPackage"="\\setup\\MarketResearch\\"
"DiskPrompt"="[1]"
"1"="CDB-AP-Express;1"


----------



## Cookiegal (Aug 27, 2003)

First, we need to backup your registry:

Please go to *Start *- *Run *and copy and paste the following and then click OK:

*regedit /e c:\registrybackup.reg*

It won't appear to be doing anything and that's normal. Your mouse pointer may turn to an hour glass for a minute.

When it no longer has the hour glass, check in your C drive to be sure you have a file called* registrybackup.reg *before continuing. If you do not see that file, please let me know before doing anything else.

I'm attaching a Fixtechkid.zip file. Save it to your desktop. Unzip it and double-click the Fixtechkid.reg file and allow it to enter into the registry.

Reboot and let me know if MarketResearch still shows in the Add/Remove list in the Control Panel.


----------



## techkid (Sep 2, 2004)

Done and done...

MarketResearch has been removed from Add/Remove Programs. That bit of worry has been removed from the system, so it looks like it's almost ready to return to normal.

Thank you heaps through this ordeal.


----------



## Cookiegal (Aug 27, 2003)

Your profile says your in Australia but the O17 entries in your log says your IP is in San Francisco. Can you shed some light on this for me?


----------



## techkid (Sep 2, 2004)

You ask a very interesting question... Are these the O17 entries you are referring to?

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

My feet (and the little nubs at the base of the computer) are very firmly planted in Oz. I have checked into the Regional and Language options, and the Time Zone settings, and all are saying Australia. I honestly have absolutely no clue why it is registering that it is San Francisco .

Could it be some sort of malware by-product, or a particular of the owner's ISP (he has an ISP named Unwired. They use the signals and towers of mobile (or cell, for those Stateside) phones to connect to the Internet)?

Here is the LAN IP details when I'm connected through the Unwired system.


----------



## Cookiegal (Aug 27, 2003)

I would like to run this before doing anything else, just to be sure.

*Please print these instructions for reference, as you will have to restart your computer during the fix.*

Please download FixWareout from *Here* or *Here*.

*Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.*

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert, (because this tool will download an additional files from the internet), please don't let your firewall block it, but allow it instead.
You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads a text file will open (report.txt).
Please post the C:\fixwareout\*report.txt* ), along with a new HijackThis log into this topic.


----------



## techkid (Sep 2, 2004)

Here are the two reports. I didn't see anything of any consequence in the FixWareout scan, though.

Username "Oem User" - 08/01/2008 14:35:20 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check 
HKLM\SOFTWARE\~\Winlogon\ "System"="" 
....
....
~~~~~ Misc files. 
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"VTTimer"="VTTimer.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
______________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:54 PM, on 8/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unwired\UwSCT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7214 bytes


----------



## Cookiegal (Aug 27, 2003)

I didn't expect to find anything but ran it as a precaution.

I found information posted by Miekiemoes, a well-known and highly respected malware fighter expert, about those particular O17 entries.

This is not an exact quote but much of the content is gleaned from one of her posts.

Those IPs belong to OpenDNS. Spybot S&D sets your DNS to OpenDNS when you have a DNS hijack.

Read here for more info what OpenDNS is: https://www.opendns.com/start

This means that Spybot S&D automatically modified your DNS settings in your Internet Protocol (TCP/IP) settings.

Read here how OpenDNS is manually set: http://www.opendns.com/start/windows_xp.php

If you don't want to use OpenDNS then fix those O17 entries in HijackThis. Otherwise, you can leave them as they are.


----------



## techkid (Sep 2, 2004)

So that's just Spybot - S&D's way of salvaging the DNS settings? Well, it doesn't seem to be causing any interference, but... no, I don't think I'll keep it there.

It's pretty refreshing to know that it's a fix attempt, and not a problem in itself.

Thank you for all your time and patience throughout this ordeal.

EDIT: I took out the O17 entries, and this is how my HJT log looks now:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:52 PM, on 9/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unwired\UwSCT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7059 bytes


----------



## Cookiegal (Aug 27, 2003)

Fix this entry with HijackThis:

*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank*

You can delete the ComboFix utility and delete this folder, which is where ComboFix stores deleted files as backups:

C:\*Qoobox*

Here are some final instructions for you.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start*  *All Programs*  *Accessories*  *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK. 
Let it scan your system for files to remove. 
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. 
Press OK to remove them.

***

You should trim down your start-ups (these show as the 04 entries in your HijackThis log) as there are too many running. You can research them at these sites and if they arent required at start-up then you can uncheck them in msconfig via Start - Run - type msconfig click OK and then click on the start-up tab.

http://castlecops.com/StartupList.html
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php

*IMPORTANT!: * You should go * here* and install all "Critical Updates and Service Packs. This will patch numerous security holes in IE and Windows. Otherwise, you are leaving your computer open and vulnerable.


----------



## techkid (Sep 2, 2004)

Done and done.

With System Restore flushed and Windows Updates all applied (the silly owner hadn't done it in a while, so I set it to Automatic download/install), and most importantly, with SpywareBlaster downloaded, installed, updated and applied full protection (might add that utility to my signature (if I've still got enough space to add it)), I have handed the machine back to the owner.

Hopefully it survives his usage habits. More importantly, hopefully 2 weeks without his computer has taught him to be more careful with his usage habits.

Thank you indefinitely, Cookiegal. And thank you for all your time, knowledge and patience. Hope the psychiatry bill isn't too high.


----------



## Cookiegal (Aug 27, 2003)

It's my pleasure.


----------

