# Solved: Cleaned All But Still Having Problems Please Help



## cubz (Mar 24, 2004)

*PLEASE HELP_ HJT LOG* Hello- 
I have been hijacked by about:blank - then my daughter tried to help by running HJT and tried deleted EVERYTHING today..I do not know how to correct her error's she did not save a log before she did this- i have one from yesterday still though.this is the new HJT log from her id- I have not checked the other id's which are also infected with HJT..I am in desperate need of help ..thank you
Logfile of HijackThis v1.99.0
Scan saved at 7:38:10 PM, on 02/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\mybutb.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [PyaWdUbG3] C:\WINDOWS\mybutb.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\netyk32.exe (file missing)


----------



## Meangean (Apr 19, 2004)

You can just rush hijack this... and go to backups and restore the ones that you want or you can restore all of them and the people here will fix them again 

but i would wait till someone else responds


----------



## cubz (Mar 24, 2004)

how would I rush HJT? how do I restore the backup of the HJT log..


----------



## cubz (Mar 24, 2004)

my daughter tried to help remove about:blank issue (which I am also needing help with too) but ran HJT and checked off everything and deleted ..this is the log after she did this..I know I am missing alot of entries. Now I still have the hijacked problem and now receiving windows errors. I have backups but do not know how to restore them from HJT. Can someone please help with restoring and with my hijacked problem..thank you ..I am desperate..
Logfile of HijackThis v1.99.0
Scan saved at 8:20:43 PM, on 2/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\mybutb.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [PyaWdUbG3] C:\WINDOWS\mybutb.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\netyk32.exe (file missing)


----------



## cybertech (Apr 16, 2002)

Merged two threads here asking for the same help. Please respond here.

Open HJT and click on view list of backups. You can restore from there.


----------



## cubz (Mar 24, 2004)

HI- 
I have run spybot/CWshredder/Adaware/about buster/spyware blaster( all newest versions) did everything in safe mode, then rebooted and went on to do trend Micro scan and all good- no pop-ups so far but have other issue's, The problem I can readily see is that the desktop has the icons but the background is black and has a message "warning your in danger-..secure yourself now". Can someone please please help me with this....I am baffled at this point as what to do next..here is the latest HJT log..

Logfile of HijackThis v1.99.1
Scan saved at 7:28:51 PM, on 02/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hpha2mon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\HPHipm08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kristie\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\System32\hpha2mon.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - Global Startup: startup.hta
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe


----------



## Flrman1 (Jul 26, 2002)

Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK.


Now you need to unzip (extract) Hijack This and move it to a permanent folder. It will not function properly when run from the zip folder or the Temp folder.

You need to create a new folder in My Documents and name it Hijack This. Right click on the HijackThis.zip file and choose "Extract all" and extract it to the Hijack This folder you created. That way it can create and restore backups if needed. HJT will store the backups in the same location that it is run from.

Rescan with HJT and post a new log after you have unzipped it to a permanent folder.


----------



## cubz (Mar 24, 2004)

Sorry took so long -ran the online scan from Panda to see if that would help:
I extract HJT and created new folder in C://Program Files/HijackThis/New folder and ran the scan..here is the new log..Don't know if this will help but my daughter tried to help when it was a bigger mess and mistakenly deleted everything in the HJT log ...so I don't know exactly how to undo what she did(it was on an older version of HJT not the one I downloaded recently) I'm just afraid to mess things up more...I really really appreciate your help with this.. 
new log:
Logfile of HijackThis v1.99.1
Scan saved at 8:49:14 PM, on 02/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hpha2mon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\HPHipm08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HIJACKTHIS\HJT NEW\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\System32\hpha2mon.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

oh BTW the control Panel fix worked


----------



## Flrman1 (Jul 26, 2002)

cybertech said:


> Merged two threads here asking for the same help. Please respond here.
> 
> Open HJT and click on view list of backups. You can restore from there.


I have merged yet another new thread with the original thread.

Now please *DO NOT* keep starting new threads for this same problem. Make all posts regarding this matter in this thread.

Have you tried restoring the backups as Cybertech suggested?

Your daughter made a huge mistake by fixing everything in the log. Obviously there have been entries removed that were necessary. Those need to be restored.


----------



## cubz (Mar 24, 2004)

Sorry about the duplicate posts..will not do that again...
I was not sure how to restore the backups, then searched a little more and found backups but was unable to find the one for the day the entire list was deleted and the ones i see in there seem to have all the "garbage" that was causing problems..Is there something I am missing and not doing? For the items in the restore for HJT would I have to check each one in order to restore them? Should I just click on all of them and start over? I just don't want to make more of a mess than already is.....


----------



## Flrman1 (Jul 26, 2002)

Yes restore all of them and then restart your computer, scan again with Hijack This and post an other log.


----------



## cubz (Mar 24, 2004)

ok will do - thank you


----------



## cubz (Mar 24, 2004)

did restore --here is new HJT log...
Logfile of HijackThis v1.99.1
Scan saved at 12:34:44 PM, on 02/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hpha2mon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\HPHipm08.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Kristie\My Documents\HJT 2\HijackThis.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DWHWIZRD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {20FA44E2-4117-97B3-21C4-ABFD27838805} - C:\WINDOWS\atlwu32.dll (file missing)
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {8E89AA21-A95A-5173-6D61-BCC74041EE55} - C:\WINDOWS\system32\ipbm32.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O2 - BHO: (no name) - {E3BCCA55-75E7-6990-81F7-0372DB33198A} - C:\WINDOWS\system32\mfcjq32.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\System32\hpha2mon.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [antiware] c:\windows\system32\elitenfp32.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [KDKLAJDgd] C:\WINDOWS\mybutb.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\dddd.exe
O4 - HKLM\..\Run: [28.tmp] C:\DOCUME~1\Kristie\LOCALS~1\Temp\28.tmp.exe 1 10001
O4 - HKLM\..\Run: [64.tmp.exe] C:\DOCUME~1\Rich\LOCALS~1\Temp\64.tmp.exe 0 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Gbyqfd.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted IP range: c4tdownload.com
O15 - Trusted IP range: megapornix.com
O15 - Trusted IP range: crazywinnings.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: private-dialer.biz
O15 - Trusted IP range: sp2admin.biz
O15 - Trusted IP range: admin2cash.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: windupdates.com
O15 - Trusted IP range: overpro.com
O15 - Trusted IP range: sp2****ed.biz
O15 - Trusted IP range: private-iframe.biz
O15 - Trusted IP range: awmdabest.com
O15 - Trusted IP range: iframe.biz
O15 - Trusted IP range: newiframe.biz
O15 - Trusted IP range: addictivetechnologies.com
O15 - Trusted IP range: bettersearch.biz
O15 - Trusted IP range: awmdabest.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {706450EA-1140-4607-A328-AC4825545BAC} (RESITESimDisplay.DisplayScreen) - http://www.insiteobjects.com/RESITESimDisplay.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


----------



## cubz (Mar 24, 2004)

have to go out for a few hrs..be back after that..thank you


----------



## Flrman1 (Jul 26, 2002)

Go *here* and follow the directions to download and run the trial version of KAV 5 Personal with the extended database.

After you have done that, post the log from the KAV scan along with a new Hijack This log.


----------



## cubz (Mar 24, 2004)

since restoring, when I go to click on the link it does not go, just hangs and goes back to the original information...is there a way you could put the address in the log and I could copy and paste and see if that will work?


----------



## Flrman1 (Jul 26, 2002)

Download the Hoster from *here* . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

Now try the link


----------



## cubz (Mar 24, 2004)

Never mindabout the address , I was able to save your link in IE favorites and then was able to get to the site..I downloaded and followed instructions in the link and I am going to run the scan now and then post the logs when done. 
IE is moving very slow between programs and get "not responding" msg's, is this from all the garbage on here?


----------



## Flrman1 (Jul 26, 2002)

Yes it is.


----------



## cubz (Mar 24, 2004)

Hi 
I was not able to get to the link- when I clicked on it would just hang and bring me back to the thread. Finally figured to try marking it as a favorite on IE and was able to get to it that way, downloaded as instructed with extended database, then tried to run it (in safe mode)and hung up a few times and finally went thru. booted out of safe mode,restarted, and tried to get to IE and it took so long to open, I was trying for 3hrs to get the log posted to no avail, I could get to this site but could not post because when I tried to sign in it took so long that I would not go thru and bring me back to the thread. Then I tried to log into Yahoo so I could cut and paste that way from work today and that was NG, could not log in, took too long. What can I do now? Should I run any of the scans, is there something else I could do? It was driving me crazy yesterday.... thank you


----------



## Flrman1 (Jul 26, 2002)

Did you get KAV to run and complete the scan?


----------



## cubz (Mar 24, 2004)

Yes I was able to get KAV to run and complete. Last night I was able to run the hoster, but when I would try to open anything, it still took a while, clicking on the start butoon or files would be quick but when tried to opn it was slow. I was able to get on IE and get to this site but trying to run the search to find the post took me a few hours due to the lag time trying to jump pages, then I tried to log into this site and it took too long and locked me out on the 1st try. Then I figured I could run the HJT and copy to a disk and send from work, but that didn't work either, HJT would not complete. It would show the log but I could not copy it or even save it. So after 3 1/2 very frustrating hours I had to stop.... What can I do at this point to get the HJT log posted here? any suggestions? I brought a disk to work incase there were any downloads I needed so I could copy them and bring home and try from the disk instead of waiting to connect to sites....


----------



## cubz (Mar 24, 2004)

was able to get on -barelyy and here is the HJT after KAV was run :
Logfile of HijackThis v1.99.1
Scan saved at 9:01:30 PM, on 02/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Kristie\My Documents\NEW HJT feb 05\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {20FA44E2-4117-97B3-21C4-ABFD27838805} - C:\WINDOWS\atlwu32.dll (file missing)
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {8E89AA21-A95A-5173-6D61-BCC74041EE55} - C:\WINDOWS\system32\ipbm32.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O2 - BHO: (no name) - {E3BCCA55-75E7-6990-81F7-0372DB33198A} - C:\WINDOWS\system32\mfcjq32.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\System32\hpha2mon.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [antiware] c:\windows\system32\elitenfp32.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [KDKLAJDgd] C:\WINDOWS\mybutb.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\dddd.exe
O4 - HKLM\..\Run: [28.tmp] C:\DOCUME~1\Kristie\LOCALS~1\Temp\28.tmp.exe 1 10001
O4 - HKLM\..\Run: [64.tmp.exe] C:\DOCUME~1\Rich\LOCALS~1\Temp\64.tmp.exe 0 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Gbyqfd.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted IP range: c4tdownload.com
O15 - Trusted IP range: megapornix.com
O15 - Trusted IP range: crazywinnings.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: private-dialer.biz
O15 - Trusted IP range: sp2admin.biz
O15 - Trusted IP range: admin2cash.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: windupdates.com
O15 - Trusted IP range: overpro.com
O15 - Trusted IP range: sp2****ed.biz
O15 - Trusted IP range: private-iframe.biz
O15 - Trusted IP range: awmdabest.com
O15 - Trusted IP range: iframe.biz
O15 - Trusted IP range: newiframe.biz
O15 - Trusted IP range: addictivetechnologies.com
O15 - Trusted IP range: bettersearch.biz
O15 - Trusted IP range: awmdabest.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {706450EA-1140-4607-A328-AC4825545BAC} (RESITESimDisplay.DisplayScreen) - http://www.insiteobjects.com/RESITESimDisplay.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


----------



## Flrman1 (Jul 26, 2002)

I also need to see the report from the KAV scan. Follow the directions at the same link you went to with the tutorial on how to configure KAV to find the report log. Attach that report to your next post here please.


----------



## cubz (Mar 24, 2004)

here is the KAV report..it's huge - had to zip it..followed the directions on KAV to save the log...hope I did it right.


----------



## Flrman1 (Jul 26, 2002)

That report doesn't show that it disenfected or deleted any of the files we need it to get. The only things that it deteceted were file that were in quarantines or backups in Adaware, Spybot and Norton etc...

Are you sure that you configured it correctly to use the extened database?

At any rate, you need to go back to the link I posted and make sure that you have it confugured exactly as shown there and run it again.

After it scans, post the new report from it and another HJT log.


----------



## cubz (Mar 24, 2004)

Will redo it...and repost tonight..Don't know what I did wrong, followed directions but will try again.. thanks ...is the log supposed to be that big?


----------



## Flrman1 (Jul 26, 2002)

Actually I expected that it might be bigger.


----------



## cubz (Mar 24, 2004)

Ok - I re-did everything. I followed the instructions exactly ..here is the new hjt and the new KAV...I hope this is ok now...After running,about 2 1/2 hrs, trying to open the internet takes such a long time and navigating is just as bad...Is it because there is still stuff that needs to be cleaned or is it from the deletion of all items in the HJT log that was done... I really appreciate your help with this.. 
Logfile of HijackThis v1.99.1
Scan saved at 11:17:44 AM, on 02/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
C:\Documents and Settings\Kristie\My Documents\HJT 2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {20FA44E2-4117-97B3-21C4-ABFD27838805} - C:\WINDOWS\atlwu32.dll (file missing)
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {8E89AA21-A95A-5173-6D61-BCC74041EE55} - C:\WINDOWS\system32\ipbm32.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O2 - BHO: (no name) - {E3BCCA55-75E7-6990-81F7-0372DB33198A} - C:\WINDOWS\system32\mfcjq32.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\System32\hpha2mon.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [antiware] c:\windows\system32\elitenfp32.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [KDKLAJDgd] C:\WINDOWS\mybutb.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\dddd.exe
O4 - HKLM\..\Run: [28.tmp] C:\DOCUME~1\Kristie\LOCALS~1\Temp\28.tmp.exe 1 10001
O4 - HKLM\..\Run: [64.tmp.exe] C:\DOCUME~1\Rich\LOCALS~1\Temp\64.tmp.exe 0 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted IP range: c4tdownload.com
O15 - Trusted IP range: megapornix.com
O15 - Trusted IP range: crazywinnings.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: private-dialer.biz
O15 - Trusted IP range: sp2admin.biz
O15 - Trusted IP range: admin2cash.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: windupdates.com
O15 - Trusted IP range: overpro.com
O15 - Trusted IP range: sp2****ed.biz
O15 - Trusted IP range: private-iframe.biz
O15 - Trusted IP range: awmdabest.com
O15 - Trusted IP range: iframe.biz
O15 - Trusted IP range: newiframe.biz
O15 - Trusted IP range: addictivetechnologies.com
O15 - Trusted IP range: bettersearch.biz
O15 - Trusted IP range: awmdabest.com (HKLM)
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {706450EA-1140-4607-A328-AC4825545BAC} (RESITESimDisplay.DisplayScreen) - http://www.insiteobjects.com/RESITESimDisplay.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


----------



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gsyxc.dll/sp.html#14044

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)

O2 - BHO: (no name) - {20FA44E2-4117-97B3-21C4-ABFD27838805} - C:\WINDOWS\atlwu32.dll (file missing)

O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)

O2 - BHO: (no name) - {8E89AA21-A95A-5173-6D61-BCC74041EE55} - C:\WINDOWS\system32\ipbm32.dll (file missing)

O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)

O2 - BHO: (no name) - {E3BCCA55-75E7-6990-81F7-0372DB33198A} - C:\WINDOWS\system32\mfcjq32.dll (file missing)

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\Run: [antiware] c:\windows\system32\elitenfp32.exe

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM\..\Run: [KDKLAJDgd] C:\WINDOWS\mybutb.exe

O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\dddd.exe

O4 - HKLM\..\Run: [28.tmp] C:\DOCUME~1\Kristie\LOCALS~1\Temp\28.tmp.exe 1 10001

O4 - HKLM\..\Run: [64.tmp.exe] C:\DOCUME~1\Rich\LOCALS~1\Temp\64.tmp.exe 0 10001

O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe

O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab*

Restart to safe mode.

*How to start your computer in safe mode*

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete these files:

C:\WINDOWS\*mybutb.exe*
C:\WINDOWS\System32\*dddd.exe*
C:\WINDOWS\System32\*tibs5.exe*
c:\windows\system32\*elitenfp32.exe*

Delete these folders:

C:\WINDOWS\*isrvs*
C:\Program Files\*ISTsvc*
c:\program files\*180solutions*
C:\Program Files\Common Files\*tsa*

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

When you are sure you are clean turn it back on and create a restore point.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.


----------



## cubz (Mar 24, 2004)

ok will do and re-post hjt--thank you


----------



## cubz (Mar 24, 2004)

HI -sorry it has taken so long- it has taken me since early afternoon till now to get this posted after doing everythng. I did everything instructed but could not find the files or folders- none were there..I even tried a search in case I missed it, but they were not there. I still cannot open a program or the internet without taking an extremely long time and it just hangs. NAV, MSOffice tool bar & I'm sure other things do not automatically start. Found that the printer is not there anymore and when I try to right click on a program it still takes such a long time ..
I was able to do the TrendMicro scan and it found 2 virus's- Troj golid.m and Troj secondt.a both listed in the c/system volume information/_retore b37680b2-baoa-4e5d-bf30-83e440588...I found the folder but would not let me delete. I did delete the file on Trend Micro. 
I am at a loss at this point as to what is wrong. The only way I can do anything is in safe mode....Is there anything else I need to do? I see the HJT log still has the "trusted zone" entries, how come they did not get removed, is there something that needs to be removed still? I did not set a restore point at this time as it is still not working right... 

Logfile of HijackThis v1.99.1
Scan saved at 9:18:12 PM, on 02/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\System32\hpha2mon.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted IP range: c4tdownload.com
O15 - Trusted IP range: megapornix.com
O15 - Trusted IP range: crazywinnings.com
O15 - Trusted IP range: finefind.nettraffic2cash.biz
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: private-dialer.biz
O15 - Trusted IP range: sp2admin.biz
O15 - Trusted IP range: admin2cash.biz
O15 - Trusted IP range: frame.crazywinnings.com
O15 - Trusted IP range: windupdates.com
O15 - Trusted IP range: overpro.com
O15 - Trusted IP range: sp2****ed.biz
O15 - Trusted IP range: private-iframe.biz
O15 - Trusted IP range: awmdabest.com
O15 - Trusted IP range: iframe.biz
O15 - Trusted IP range: newiframe.biz
O15 - Trusted IP range: addictivetechnologies.com
O15 - Trusted IP range: bettersearch.biz
O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {706450EA-1140-4607-A328-AC4825545BAC} (RESITESimDisplay.DisplayScreen) - http://www.insiteobjects.com/RESITESimDisplay.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


----------



## Flrman1 (Jul 26, 2002)

Download DelDomains.inf from *here*.

Rightclick DelDomains.inf and choose install.

Reboot and post another log please.


----------



## cubz (Mar 24, 2004)

ok will do tonight and post another log


----------



## cubz (Mar 24, 2004)

Did as instructed - took awhile then tried to run HJT in normal mode and it hung up-The programs are still very slow...when I was able to get the task manager up there were 2 executables that I do not recognize- do you know if they should be here -they were dwwin.exe and DUMPREP.exe . There were also 4 svchost.exe files listed one was in local service and the other 3 were in System, should there be that many running? Again - thank you very much for your help with this mess..
Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:36:10 PM, on 02/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\System32\hpha2mon.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {706450EA-1140-4607-A328-AC4825545BAC} (RESITESimDisplay.DisplayScreen) - http://www.insiteobjects.com/RESITESimDisplay.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


----------



## Flrman1 (Jul 26, 2002)

Fix this one:

*O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe*

Make sure the C:\Program Files\Common Files\*tsa* folder has been deleted.

Do a file search for *explorer.exe* and let me know exactly what you find and where.

Also I am attaching a peek.zip file to this post. Download the peek.zip file and unzip it to your desktop. Run the peek.bat file. It will produce a peek1.txt file. Copy and paste peek1.txt here in your next reply.


----------



## cubz (Mar 24, 2004)

ok will try it --thanks


----------



## cubz (Mar 24, 2004)

Was able to download and unzip and run the peek file. Deleted that TSA entry from HJT and was unable to find the TSA folder and ran a search for it and did not find it.....here is the PEEK log..

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout	REG_SZ	15
GDIProcessHandleQuota	REG_DWORD	0x2710
Spooler	REG_SZ	yes
swapdisk	REG_SZ	
TransmissionRetryTimeout	REG_SZ	90
USERProcessHandleQuota	REG_DWORD	0x2710
AppInit_DLLs	REG_SZ

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
DebugOptions	REG_SZ	2048
Documents	REG_SZ	
DosPrint	REG_SZ	no
load	REG_SZ	
NetMessage	REG_SZ	no
NullPort	REG_SZ	None
Programs	REG_SZ	com exe bat pif cmd
Device	REG_SZ	hp photosmart 1215 series,winspool,LPT1:

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR	REG_DWORD	0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR	REG_DWORD	0x1
CreateFirstRunRp	REG_DWORD	0x1
DSMin	REG_DWORD	0xc8
DSMax	REG_DWORD	0x190
RPSessionInterval	REG_DWORD	0x0
RPGlobalInterval	REG_DWORD	0x15180
RPLifeInterval	REG_DWORD	0x76a700
CompressionBurst	REG_DWORD	0x3c
TimerInterval	REG_DWORD	0x78
DiskPercent	REG_DWORD	0xc
ThawInterval	REG_DWORD	0x384
RestoreDiskSpaceError	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SnapshotCallbacks

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall	REG_DWORD	0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall	REG_DWORD	0x1

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall	REG_DWORD	0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall	REG_DWORD	0x1

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify	REG_DWORD	0x1
UpdatesDisableNotify	REG_DWORD	0x1
AntiVirusDisableNotify	REG_DWORD	0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify	REG_DWORD	0x1
UpdatesDisableNotify	REG_DWORD	0x1
AntiVirusDisableNotify	REG_DWORD	0x1

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\clsid\{950238fb-c706-4791-8674-4d429f85897e}
<NO NAME>	REG_SZ	MimeFilter

HKEY_CLASSES_ROOT\clsid\{950238fb-c706-4791-8674-4d429f85897e}\InprocServer32

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238fb-c706-4791-8674-4d429f85897e}
<NO NAME>	REG_SZ	MimeFilter

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238fb-c706-4791-8674-4d429f85897e}\InprocServer32

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\mfiltis
Date	REG_SZ	2/19/2005
Excl	REG_SZ	
Sites	REG_SZ

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_delprot
NextInstance	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_delprot\0000

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot
Type	REG_DWORD	0x1
Start	REG_DWORD	0x1
ErrorControl	REG_DWORD	0x1
ImagePath	REG_EXPAND_SZ	\SystemRoot\system32\drivers\delprot.sys
DisplayName	REG_SZ	delprot

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot\Security

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot\Enum

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
Version	REG_SZ	5,0,3809,0
Locale	REG_SZ	EN
StubPath	REG_SZ	C:\WINDOWS\System32\soft.exe

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
<NO NAME>	REG_SZ	Microsoft VM
ComponentID	REG_SZ	JAVAVM
IsInstalled	REG_BINARY	01000000
Locale	REG_SZ	EN
KeyFileName	REG_SZ	C:\WINDOWS\System32\msjava.dll
Version	REG_SZ	5,0,3809,0
StubPath	REG_SZ	C:\WINDOWS\System32\soft.exe


----------



## Flrman1 (Jul 26, 2002)

Before we do anything else, let me ask if anything has improved yet, I'm thinking that you may be better off to start backing up your data and reformat. This thing cuases a lot of damage and I'm not so sure that you weren't abotu due for that before you got infected.


----------



## cubz (Mar 24, 2004)

One of the days it did get better, maybe 5 minutes to open a program butlast night it was bad again. Taking a long time to open and then HJT would not complete. One thing I did notice was that I received a windows error msg that a HJT was not responding when I tried to close it. That I haven't seen till last night. It still takes a long time to open anything. Everything seems to work fine in safe mode. Was it a virus that did this? If so which one? How would I go about backing up stuff??


----------



## Flrman1 (Jul 26, 2002)

The virus you have is one of the variants of Bube.d aka Win32.Beavis. There is info about it at the link I gave you before to the tutorial on how to download and configure KAV.

Do you have a CD burner?


----------



## cubz (Mar 24, 2004)

yes I do ... will check the info there...so what's next? I take it that I am at a point of no fixing...oh wait a thought - I've been trying all of this under 1 of the id's--shoud I try logging on one of the other id's and try what we have already, or will it not make a difference? Just a thought


----------



## Flrman1 (Jul 26, 2002)

Not really. I honestly belive you need to start burning all the data you want to save to CD and reformat this sucker.

How big is your hard drive?


----------



## cubz (Mar 24, 2004)

Wanted to ask you, last July you had helped me with similar situation and I know I created a restore point then as you had suggested, do you think if I restored from there(if that is not lost) it would help or is it too late? 
I do not remember off hand(not at home right now) I know I still had alot of room left... I'll check when I get home and let you know. When I copy the data should it be done in safe mode? Other than usual files of documents/music/pictures/ do I need to copy any particular programs? When I bought the pc everything was already on it and was set up so I could go wireless, is this information going to be lost? I have the disks that came with the pc and I am going thru them to see what's there. One thing I did notice is that there was no WinXP CD, I saw one with drivers and such but not one that said WinXP, am I in trouble at this point if I do not have it? Well I'll check the hd size and get back to you later with it. I really do appreciate all your help.


----------



## cubz (Mar 24, 2004)

the hard drive is 120gb


----------



## Flrman1 (Jul 26, 2002)

That restore point is long gone.

Your CD durner will not work in safe mode.

You only have to get all your pictures and files etc.. Backup your favorites, emails and addressbook too.


----------



## cubz (Mar 24, 2004)

while waiting I tried the KAV on another id-mine- was able to get the update/extended database and ran it. My desktop is now filling faster, I can navigate better in C: it now shows the camera and printer mem card icon, the windows msg icon is in the trayon the bottom right corner. But, if I try to run HJT(wanted to get another sanpshot for you) it stops half thru it- not responding and have to end task it 10x'xs then it closes, and while trying that I can open or move about with a little lag in opening something. I zipped up the KAV log and attached it,(I didn't know if it would show you anything different). Maybe it does, maybe not, I figured it was worth a shot. 
I went thru the information I received with the PC and do have the WinXP disk and everything else. I will start copying tomorrow(time did not allow this weekend) I ran HJT in safe mode and copied the log below, again, not sure if it helps with anything but here it is...
Thank you..
Logfile of HijackThis v1.99.1
Scan saved at 9:13:26 PM, on 3/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\System32\hpha2mon.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {706450EA-1140-4607-A328-AC4825545BAC} (RESITESimDisplay.DisplayScreen) - http://www.insiteobjects.com/RESITESimDisplay.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


----------



## Flrman1 (Jul 26, 2002)

Download DelDomains.inf from *here*.

Rightclick DelDomains.inf and choose install.

Reboot and post another log please.


----------



## cubz (Mar 24, 2004)

did and here is the new HJT :
started to run ok then when rebooted after the install it ran slow again.

Logfile of HijackThis v1.99.1
Scan saved at 8:45:37 PM, on 3/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hpha2mon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\HPHipm08.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\System32\hpha2mon.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunOnce: [SpySubtractInst_0] regsvr32 /s "c:\Program Files\interMute\SpySubtract\ssengine.dll"
O4 - HKLM\..\RunOnce: [SpySubtractInst_1] regsvr32 /s "c:\Program Files\interMute\SpySubtract\sshook.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {706450EA-1140-4607-A328-AC4825545BAC} (RESITESimDisplay.DisplayScreen) - http://www.insiteobjects.com/RESITESimDisplay.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


----------



## Flrman1 (Jul 26, 2002)

The log looks OK now. I guess you need to use the machine for a while and see what else may be malfunctioning. There are so mny side affects from this infection that I can't remember them all.

One that I do remember is a problem with Windows Update. Is it working?

How long has it been since you last reformated this box anyway?


----------



## cubz (Mar 24, 2004)

well I never reformatted it since getting it..will try the windows update tonight and see what happens(still at work) and let you know. I haven't checked the other id's yet either so I'll do that to and let you know..


----------



## Flrman1 (Jul 26, 2002)

How long have you had the computer?


----------



## cubz (Mar 24, 2004)

sorry took so long to get back to you...Think it is three yrs old now.., why? should I be doing something with it? 
I tried logging on again and it is back to being slow..one thing that I noticed on another id is that a "my computer" window keeps popping up on the bottom out of nowwhere. I tried to copybackup a picture folder to a disk and it too like 2 hrs, so that ate up one of the nights and tryng to get online still takes awhile...I'm going to try backing up some more stuff and see how it goes..now I have some more time to work with this. Anything else i should/need to do?


----------



## Flrman1 (Jul 26, 2002)

If your computer is 3 yrs old and you haven't reformatted the hard drive and reinstalled XP, you're way past due.


----------



## cubz (Mar 24, 2004)

How often should that be done? I'm still trying to do the backups- running slow still


----------



## Flrman1 (Jul 26, 2002)

Typically with XP, it needs to be done after about 1 1/2 to 2 yrs, but there are a lot of variables there and there are those that do manage to go longer.


----------



## cubz (Mar 24, 2004)

really, never knew..almost done with the backups, probably by tomorrow at this pace - I'm lucky -I don't have too much on here..anything else I should do in the mean time?


----------



## Flrman1 (Jul 26, 2002)

Not that I can think of.

Do you know how to backup your favorites and Addressbook?


----------



## cubz (Mar 24, 2004)

I didn't have to backup the address book- I don't use Outlook..I copied all files to disc and did the same with the favorites. I found the folder with the favorites and wrote them to a disc. Is that ok? Will they work then? I zipped the pictures then copied them to disc. I'm glad I didn't have much to copy. It's taken me all day to finish. If what I did is ok, then what is my next step? I have the disc's that came with the PC- the application disc, drivers and utilites and the XP disc...what do I do next?


----------



## Flrman1 (Jul 26, 2002)

The best way to back up your favarites is open IE and go to File > Import and Export. Choose "Export Favorites". It's self explanatory from there. This exports your favorites to a bookmarks.htm file. After you have reformated you can then simply restore your favorites by going through the same process you used to export them, but using "Import" this time.

Check this out for an excellent guide to formating and reinstalling XP:

XP Home:

http://www.blackviper.com/Articles/OS/InstallXPHome/installxphome1.htm

XP Pro:

http://www.blackviper.com/Articles/OS/InstallXPPro/installxppro1.htm


----------



## cubz (Mar 24, 2004)

Will do and I checked the link and the information is good...now it's trying to find time at night to do this...I will let you know what happens.


----------



## Flrman1 (Jul 26, 2002)

:up:


----------



## cubz (Mar 24, 2004)

I did it- reinstalled XP and up and running- anything else I should do?


----------



## Flrman1 (Jul 26, 2002)

Make sure you get all Critical Updates and Service packs from Windows Update and keep a good antivirus and firewall.

*Check this out* for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


----------



## cubz (Mar 24, 2004)

Wiil do thank you very much for your help.. do you it wise that I update with windows SP2?


----------



## Flrman1 (Jul 26, 2002)

Yes.


----------



## cubz (Mar 24, 2004)

HI - I'm back- 
Before I was able to finish loading all protection)antivirus-spywareguard etc.) my husband and son decided it would be ok to use the computer again..yep you guessed it now i have the about:blank again and the anit-virus found the Win32.Startpage virus and there was also a Bloodhound..virus. It said it was cleaned/deleted then said it was not able to .. Could you please take a look at this HJT log for me and help me again..I am sorry about this after all you have done to help me.... I am ready to rip my hair out!!

Logfile of HijackThis v1.99.1
Scan saved at 7:27:58 PM, on 3/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\audissrp.exe
C:\WINDOWS\System32\fixmapirs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {08D96FA4-EF39-4EF1-8439-3F3E285D5530} - C:\WINDOWS\System32\dskrfuoui.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Name - {6BA6A099-3211-41C9-8470-27F04E823416} - C:\WINDOWS\System32\msavh.dll
O2 - BHO: Name - {E6331692-84CA-47E3-97D2-F84A0C7D52F8} - C:\WINDOWS\System32\msavh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\docntrop.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\RunOnce: [dwhrm.exe] dwhrm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1C2BED9-694D-4CD0-9916-04FF35349AD8}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F0F210-3EE6-482F-A1F7-2BBF610109CE}: NameServer = 69.50.176.197,195.225.176.31
O18 - Filter: text/html - {65AD6939-5035-49E1-8771-A660339D1608} - C:\WINDOWS\System32\dskrfuoui.dll
O18 - Filter: text/plain - {65AD6939-5035-49E1-8771-A660339D1608} - C:\WINDOWS\System32\dskrfuoui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


----------



## Flrman1 (Jul 26, 2002)

*Click here* to download DLLCompare.exe.

Save it to your desktop.

Now run DllCompare and click on the *RunLocate.com* button. It will scan for the hidden files. When it is finished,you will see in blue Completed the scan, Click Compare to Continue at which time you will click the *Compare* button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete then you will see in blue Completed.
Click the *Make a Log of what was Found* button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.

Copy the contents of the quote box to Notepad. 
Name the file Appinit.bat 
Save as type All Files 
Save on the Desktop.



> Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
> ren windows1.hiv windows.txt


Double click on Appinit.bat 
This will create a file on the desktop named windows.txt 
*Attach the windows.txt file here to your next post please. Don't copy and paste it.*
----------------

Which version of XP are you running? Pro or Home? 
Also which file system? FAT32 or NTFS? Check the properties of the C Drive in my computer to get the file system.


----------



## cubz (Mar 24, 2004)

ok saved the files - now do you want this to be done in safe mode? 
I am running Win XP home edition- File system NTFS


----------



## Flrman1 (Jul 26, 2002)

Do it in normal mode.


----------



## cubz (Mar 24, 2004)

did it - in normal mode
contents of the log below and attached the windows.txt file 

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found "
________________________________________________

2,854 items found: 2,854 files, 0 directories.
Total of file sizes: 536,500,703 bytes 511.64 M

Administrator Account = True

--------------------End log---------------------


----------



## Flrman1 (Jul 26, 2002)

Dang if you don'y have some rough luck with this computer. I just noticed these in your log:

O17 - HKLM\System\CCS\Services\Tcpip\..\{A1C2BED9-694D-4CD0-9916-04FF35349AD8}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F0F210-3EE6-482F-A1F7-2BBF610109CE}: NameServer = 69.50.176.197,195.225.176.31

You have an NT Rootkit trojan now. Another real pain in the a$$ to remove! 

*Click here* to download multi.zip.

Unzip (extract) the folder it contains to a convenient place. That folder is named *multi*.

Close all but one Internet Explorer Window.

Open the multi folder and double click on *multi.bat*

This will produce and open a file named log.txt
Copy the contents into your next reply. If it is too long, then attach it instead.

----------------------

Download Rootkitreveal written by Sysinternals.
http://www.sysinternals.com/files/rootkitrevealer.zip

Extract rootkitreveal
Double click on rootkit revealer and press scan.
It will take some time to do a complete scan. When finished press file/save and attach the log please. It is rather long and so please do attach rather than post it.

---------------------

Click here to download pskill.zip by Sysinternals.

http://www.sysinternals.com/files/pskill.zip

Extract pskill.exe to your system32 folder. It is a zip and pskill.exe must be extracted to system32 so we can use it later. 
-------------

Download this zip:
http://forums.techguy.org/attachment.php?attachmentid=50682

Create a folder on the desktop. Name it *get bhos*. Extract the contents of the zip to that folder.

This contains a simple batch file named:
*Get Bho Hive.bat*

Double click on Get Bho Hive.bat

It will produce a file named Bho.txt in that same folder. Don't copy and paste. This is a Binary file and will not only look odd, but also it will cause a huge scroll on this page making it hard to read.

Attach bho.txt into your next reply here.


----------



## cubz (Mar 24, 2004)

aaah man!! No way !
I wasn't ableto do this last night - but will try it later and see what happens..
my luck has NOT been good at all this year... 
Thanks again for your help...


----------



## Flrman1 (Jul 26, 2002)

Let me know when you're ready.


----------



## cubz (Mar 24, 2004)

ok downloaded unzipped everything to where you specified..
I attached the log.txt ..now I'm going t do rootkitreveal scan and be back ok..
anything else in the mean time?


----------



## cubz (Mar 24, 2004)

ok did all requested
i attached the files..
When I did the scan it was done relatively quick...I did it exactly as you said..is there something I may have done incorrectly? 
Was I supposed to do this in safe mode? The files look small...


----------



## Flrman1 (Jul 26, 2002)

You didn't post the rootkitreveal log. I need to see that too.


----------



## cubz (Mar 24, 2004)

I did post but it was on the one before the last one but I attached it here again..
Anything else ...


----------



## Flrman1 (Jul 26, 2002)

That's not the rootkitreveal log. That's the log from multi.bat.

Download Rootkitreveal written by Sysinternals.
http://www.sysinternals.com/files/rootkitrevealer.zip

Extract rootkitreveal
Double click on rootkit revealer and press scan.
It will take some time to do a complete scan. When finished press file/save and attach the log please. It is rather long and so please do attach rather than post it.


----------



## cubz (Mar 24, 2004)

Sorry -posted wrong one-
I ran the scan- it did not take long and I attached the log..


----------



## Flrman1 (Jul 26, 2002)

Sorry I didn't get back to you sooner, but I've been sick with the flu all week.

Please post new logs from all of the following:

Hijack This
multi.bat
Rootkitreveal 
Get Bho Hive.bat

I'm posting this here for my reference:

{53707962-6F74-2D53-2644-206D7942484F}


----------



## cubz (Mar 24, 2004)

Sorry you were sick, that must've really knocked you out ..Hope you are feeling better....Here are the new logs- I am staying off the PC as much as possible so nothing else goes wrong, except to check here. I didn't update to SP2 yet either..
HJT-
Logfile of HijackThis v1.99.1
Scan saved at 4:07:26 PM, on 4/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {B93AFF8F-8ADC-177F-FE16-79B99937899D} - control64.dll (file missing)
O2 - BHO: (no name) - {08D96FA4-EF39-4EF1-8439-3F3E285D5530} - C:\WINDOWS\System32\dskrfuoui.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Name - {6BA6A099-3211-41C9-8470-27F04E823416} - C:\WINDOWS\System32\msavh.dll (file missing)
O2 - BHO: Name - {E6331692-84CA-47E3-97D2-F84A0C7D52F8} - C:\WINDOWS\System32\msavh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\docntrop.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NsCplTray] TemplateDongle.exe
O4 - HKLM\..\Run: [media64] dePloy.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [backorif] AliceSD.exe
O4 - HKCU\..\Run: [xsetup] NopeZ.exe
O4 - HKCU\..\Run: [Shaitan1678] SpyElim.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1C2BED9-694D-4CD0-9916-04FF35349AD8}: NameServer = 69.50.176.197,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F0F210-3EE6-482F-A1F7-2BBF610109CE}: NameServer = 69.50.176.197,195.225.176.31
O18 - Filter: text/html - {65AD6939-5035-49E1-8771-A660339D1608} - C:\WINDOWS\System32\dskrfuoui.dll
O18 - Filter: text/plain - {65AD6939-5035-49E1-8771-A660339D1608} - C:\WINDOWS\System32\dskrfuoui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


----------



## Flrman1 (Jul 26, 2002)

Please run Multi.bat again and post a new log from it. This time make sure you have at leat on IE window open when you run it.


----------



## cubz (Mar 24, 2004)

I attached it- had one ie window open-


----------



## cubz (Mar 24, 2004)

Did you get to check the last log i posted? Is there anything I should do? It's getting worse..


----------



## Flrman1 (Jul 26, 2002)

I'm sorry. I didn't get notification of your last reply. Please post all those logs again so we can be sure nothing has changed.


----------



## cubz (Mar 24, 2004)

ok did them again - and it seems to have gotten worse. There is alot of porn stuff and other garbage now all over..new hjt- oh and when I shut pc down it omes up the Win Min is not responding- what is that? 
I think i attached everything you need. If there is anything else let me know.. thank you. Feeling better from the flu?

Logfile of HijackThis v1.99.1
Scan saved at 11:02:55 PM, on 4/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\zhelp.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\dmsadmins.exe
C:\WINDOWS\System32\qwinnta.exe
C:\WINDOWS\System32\sesmgr.exe
C:\WINDOWS\System32\cithlper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-everything.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {B93AFF8F-8ADC-177F-FE16-79B99937899D} - control64.dll (file missing)
O2 - BHO: IE SP2 AddOn - {08CDEF49-7553-4440-93E6-3FB4B2F24441} - C:\WINDOWS\System32\spiov.dll
O2 - BHO: ActiveX Control - {124B39A2-9003-43B9-A71B-3F1903A7380E} - C:\WINDOWS\System32\mskpt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Name - {6BA6A099-3211-41C9-8470-27F04E823416} - C:\WINDOWS\System32\msavh.dll (file missing)
O2 - BHO: Name - {E6331692-84CA-47E3-97D2-F84A0C7D52F8} - C:\WINDOWS\System32\msavh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\docntrop.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NsCplTray] TemplateDongle.exe
O4 - HKLM\..\Run: [media64] dePloy.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WareOut] C:\Program Files\WareOut\WareOut.exe
O4 - HKCU\..\Run: [backorif] AliceSD.exe
O4 - HKCU\..\Run: [xsetup] NopeZ.exe
O4 - HKCU\..\Run: [Shaitan1678] SpyElim.exe
O4 - HKCU\..\Run: [zhelp] C:\WINDOWS\zhelp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1C2BED9-694D-4CD0-9916-04FF35349AD8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F0F210-3EE6-482F-A1F7-2BBF610109CE}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


----------



## Flrman1 (Jul 26, 2002)

I would like to try removing this using the Recovery Console. Do you have a XP installation disk?


----------



## cubz (Mar 24, 2004)

yes I do -- is it that bad? my luck better turn around soon -this is driving me nuts


----------



## Flrman1 (Jul 26, 2002)

put it in the cd drive and go to Start > Run. Copy and paste the text in the quote box in the Run box: 


> d:\i386\winnt32.exe /cmdcons


 Change d if necessary to the correct letter of your cd rom drive.

This will install the Recovery Console. When it is finished installing restart your computer and verify that you now have the option to boot to RC.

Let me know when you have it installed.


----------



## cubz (Mar 24, 2004)

Thanks -Will do - I printed the directions and will give it a go tomorrow- I'll have more time to work onit. Is there anything I need to backup or anything?


----------



## Flrman1 (Jul 26, 2002)

It's always a good idea to do regular backups and that is even more important when dealing with something like this.


----------



## cubz (Mar 24, 2004)

Loaded RC-- then restarted and the option for RC was there. What's next?


----------



## cubz (Mar 24, 2004)

did it- I have the RC option on boot up- next??


----------



## Flrman1 (Jul 26, 2002)

Sorry man. I've had to do a lot of research on this and I've been so busy it took a while.

Please post a new Hijack This log and we'll get on with this.


----------



## cubz (Mar 24, 2004)

No problem - wasn't sure if you received the last note- was getting windows errors.. will post the new HJT tonight - thank you for all your help and time


----------



## Flrman1 (Jul 26, 2002)

:up:


----------



## cubz (Mar 24, 2004)

hi here is the HJT log requested..BTW- it is still getting worse- was not able to open IE- ran CWshredder and found something and was able to get on..
Logfile of HijackThis v1.99.1
Scan saved at 7:16:56 PM, on 4/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\zhelp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-everything.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {B93AFF8F-8ADC-177F-FE16-79B99937899D} - control64.dll (file missing)
O2 - BHO: IE SP2 AddOn - {08CDEF49-7553-4440-93E6-3FB4B2F24441} - C:\WINDOWS\System32\spiov.dll
O2 - BHO: ActiveX Control - {124B39A2-9003-43B9-A71B-3F1903A7380E} - C:\WINDOWS\System32\mskpt.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Name - {6BA6A099-3211-41C9-8470-27F04E823416} - C:\WINDOWS\System32\msavh.dll (file missing)
O2 - BHO: Name - {E6331692-84CA-47E3-97D2-F84A0C7D52F8} - C:\WINDOWS\System32\msavh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\docntrop.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NsCplTray] TemplateDongle.exe
O4 - HKLM\..\Run: [media64] dePloy.exe
O4 - HKLM\..\Run: [EXE32EXE] sysconf16.exe
O4 - HKLM\..\Run: [AppMasterCenter] WhatsNewBot.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WareOut] C:\Program Files\WareOut\WareOut.exe
O4 - HKCU\..\Run: [backorif] AliceSD.exe
O4 - HKCU\..\Run: [xsetup] NopeZ.exe
O4 - HKCU\..\Run: [Shaitan1678] SpyElim.exe
O4 - HKCU\..\Run: [zhelp] C:\WINDOWS\zhelp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1C2BED9-694D-4CD0-9916-04FF35349AD8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F0F210-3EE6-482F-A1F7-2BBF610109CE}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


----------



## Flrman1 (Jul 26, 2002)

Go *here* to download and install CCleaner 
Do not use it yet.

*Click here* to download remv3.zip. 
Save the zip file then unzip the files to their own permanent folder.

Download DelDomains.inf from *here*.

Also click here to download CWSinstall.exe. CWSinstall.exe file and it will install CWShredder, but don't run it yet either.

*Click here* for info on how to boot to safe mode if you don't already know how.

*After you have downloaded all the above tools, sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line*. Copy these instructions to notepad and save them on your desktop for easy access.

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-everything.com/index.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - {B93AFF8F-8ADC-177F-FE16-79B99937899D} - control64.dll (file missing)

O2 - BHO: IE SP2 AddOn - {08CDEF49-7553-4440-93E6-3FB4B2F24441} - C:\WINDOWS\System32\spiov.dll

O2 - BHO: ActiveX Control - {124B39A2-9003-43B9-A71B-3F1903A7380E} - C:\WINDOWS\System32\mskpt.dll (file missing)

O2 - BHO: Name - {6BA6A099-3211-41C9-8470-27F04E823416} - C:\WINDOWS\System32\msavh.dll (file missing)

O2 - BHO: Name - {E6331692-84CA-47E3-97D2-F84A0C7D52F8} - C:\WINDOWS\System32\msavh.dll (file missing)

O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\docntrop.dll (file missing)

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll

O4 - HKLM\..\Run: [NsCplTray] TemplateDongle.exe

O4 - HKLM\..\Run: [media64] dePloy.exe

O4 - HKLM\..\Run: [EXE32EXE] sysconf16.exe

O4 - HKLM\..\Run: [AppMasterCenter] WhatsNewBot.exe

O4 - HKCU\..\Run: [WareOut] C:\Program Files\WareOut\WareOut.exe

O4 - HKCU\..\Run: [backorif] AliceSD.exe

O4 - HKCU\..\Run: [xsetup] NopeZ.exe

O4 - HKCU\..\Run: [Shaitan1678] SpyElim.exe

O4 - HKCU\..\Run: [zhelp] C:\WINDOWS\zhelp.exe

O15 - Trusted Zone: http://*.63.219.181.7

O17 - HKLM\System\CCS\Services\Tcpip\..\{A1C2BED9-694D-4CD0-9916-04FF35349AD8}: NameServer = 69.50.176.156,195.225.176.31

O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F0F210-3EE6-482F-A1F7-2BBF610109CE}: NameServer = 69.50.176.156,195.225.176.31*

Restart to safe mode.

*How to start your computer in safe mode*

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete these files:

C:\WINDOWS\*zhelp.exe*
C:\WINDOWS\System32\*spiov.dll*
C:\WINDOWS\System32\*ie2cltr.dll
TemplateDongle.exe
dePloy.exe
sysconf16.exe
WhatsNewBot.exe
AliceSD.exe
NopeZ.exe
SpyElim.exe*

Delete this folder:

C:\Program Files\*WareOut

** Double click on remv3.bat to run it. Wait till the dos window closes. !!Don't forget this step!!*

** Now *run CWShredder* Click on the cwshredder.exe then click *"Fix" (Not "Scan only")* and let it do it's thing.

** Start Ccleaner and click *Run Cleaner*

** Rightclick DelDomains.inf and choose install.

** Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

** Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step .

- Double-click the Network Connections icon.

- Right-click the Local Area Connection icon and select Properties.

- Hilight Internet Protocol (TCP/IP) and click the Properties button.

- Be sure "Obtain DNS server address automatically' is selected. OK your way out.

** Reboot back to normal mode.

Look on your C:\ and you will find a .txt file with the name: log.txt 
Post the contents from that log along with a fresh Hijack This log.


----------



## cubz (Mar 24, 2004)

did all as instructed- everything worked - i just could not find the exe. files you had listed anywhere(the TemplateDongle.exe.etc)
new hjt log
Logfile of HijackThis v1.99.1
Scan saved at 4:10:11 PM, on 4/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


----------



## Flrman1 (Jul 26, 2002)

*Click Here* and download the the new version of Killbox and save it to your desktop.

Fix this with Hijack This:

*O15 - Trusted Zone: http://*.63.219.181.7*

Double-click on Killbox.exe to run it. Now put a tick by *Delete on Reboot*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No.

*C:\WINDOWS\system32\hdlns.dll

C:\WINDOWS\system32\hdttc.dll*

Exit the Killbox.

** Rightclick DelDomains.inf and choose install

Go to Start > Run and type in *cmd*. Click OK,

This will open a command shell. In the command window Copy and Paste the following command:

*ipconfig /flushdns*

Hit Enter

Now *restart your computer*

Killbox creates backups of the files it remove in a C:\!Submit folder. Go to the forum *here* and upload the files found in the C:\!Submit folder.

Here are the directions for uploading the files:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the files on your computer. If there are multiple files to be uploaded click the "More attachments" button for each extra file and browse to the files. When all the files are listed in the windows click "Post" to upload the files.


----------



## cubz (Mar 24, 2004)

Should I do this in safe mode or not?


----------



## Flrman1 (Jul 26, 2002)

No it doesn't have to be done in safe mode.


----------



## cubz (Mar 24, 2004)

Ok - I did it- exactly what you had posted- cut & pasted..followed it to the letter and there was no folder/log created for C:\!Submit. I checked in Killbox for the file to make sure I was not missing it but it said none was created. After I did the cmd- said it was successful. I tried it twice to make sure I didn't miss anything and received the same results.after each restart. What do I do now? Does it mean that those dll's were not present and it is something else?..How frustrated you must be with this..I know I am...


----------



## Flrman1 (Jul 26, 2002)

Post another Hijack This log please.


----------



## dvk01 (Dec 14, 2002)

Killbox only makes the backups in standard file delete mode, not in delete on reboot mode so you haven't done anything wrong


----------



## Flrman1 (Jul 26, 2002)

Thanks Derek. I don't know how I never knew that. 

Seems to me it should do backups for the delete on reboot too.


----------



## cubz (Mar 24, 2004)

I knew I should've included the new HJT last post- anyway-here it is:
Logfile of HijackThis v1.99.1
Scan saved at 8:16:48 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


----------



## Flrman1 (Jul 26, 2002)

Fix this:

*O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll (file missing)*

Restart.

Go here and do an online virus scan.

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.


----------



## cubz (Mar 24, 2004)

Did it- housecall found a couple and I deleted them. At the same time my Antivirus fiund but did not delete/clean /quarrantine was the Win32.Silly.DI.AE - this is the information on it:
File =V3OCFHa02412
Location=C:\DOCUME~1\Rich\LOCALS~1\Temp

I tried to find it but couldn't. I deleted or tried to delete all the temp files and
it would not delete 2 of them, said they were in use by another person/program...
I just checked the AV log and it showed that it deleted the Win32.Silly file earlier today when someone was on it today-without my knowledge  - then when it just ran, it does not show it was deleted..

Not sure if any of this helps but figured it cannot hurt.. 
Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:33:17 PM, on 4/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


----------



## Flrman1 (Jul 26, 2002)

The log looks fine now. Boot to safe mode and run Ccleaner.


----------



## cubz (Mar 24, 2004)

Ran CCleaner in safe mode- new HJT...What's next? 
Logfile of HijackThis v1.99.1
Scan saved at 1:41:14 PM, on 4/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


----------



## Flrman1 (Jul 26, 2002)

The log is clean. How is everything running?


----------



## cubz (Mar 24, 2004)

seems ok- i don't hear the pc itself making any noise- it just hums.. haven't had any issue's yet..Is it ok to do the windows updates and SP2 now?


----------



## Flrman1 (Jul 26, 2002)

Before you install SP2 there is some other prelim work you should do like making sure you have updated drivers etc... What kind of computer is this? Is it a HP, Dell or custom rig?


----------



## cubz (Mar 24, 2004)

It's a Dell Dimension 8250-anything else you need to know?


----------



## cubz (Mar 24, 2004)

It is a dell Dimension 8250- anything else needed? I also received a Windows error that HPhmon03.exe had a problem and needed to close. Do you know what this is for? Is something else wrong now?


----------



## Flrman1 (Jul 26, 2002)

Fix this with Hijack This:

*O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe*

Restart.


----------



## Flrman1 (Jul 26, 2002)

Check this out to prep your pc for SP2:

http://support.dell.com/support/top...cument?c=us&cs=19&DN=1089836&l=en&s=dhs#step4


----------



## cubz (Mar 24, 2004)

I ran HJT and was going to delete what you said but I noticed that it has the following in the log: "C:\WINDOWS\System32\HPHipm09.exe" Should this be there or is it somethiing that needs to be removed also? I wanted to check before I did anything. Also, when I started up this time it had a different Windows error "HPhipmon9.exe" was not responding, and the screen is shakey. Does this have anything to do with the error? I posted another HJT just to be on the safe side. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 9:01:49 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ActiveX Control - {C28678EC-D1DA-4A3F-AB87-ECAEE8C017EE} - C:\WINDOWS\System32\mskpt.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

Both hphmon03.exe and HPHipm09.exe are related to your HP printer. I know that the hphmon03.exe does not need to be running at startup, but the HPHipm09.exe seemd to be required for proper functioning of HP Photosmart printers. You may want to reinstall the printer drivers. Check for updated drivers.


----------



## cubz (Mar 24, 2004)

ok thanks! - removed the file from HJT and restarted.. will do the updates and prep for SP2 and let you know how I make out.. thank you very much for all your help!


----------



## Flrman1 (Jul 26, 2002)

You're Welcome! 

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

*Check this out* for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


----------



## cubz (Mar 24, 2004)

How long does the restore point last ,that if needed I can go back to it? After I set the restore point, should I turn system restore off? Oh and what about the RC, should I just leave it the way it is setup now? Is RC similar to system restore in that it will reset everything if I have a problem or is it for something else?


----------



## Flrman1 (Jul 26, 2002)

You have to leave system restore on. Eventually the restore point will be gone. It's a good Idea to create new restore points at times like before you make major changes just in case. 

RC is not like system restore, but it can be used to do recoveries using command lines. I'd leave it.


----------



## cubz (Mar 24, 2004)

You are not going to believe this- check out this new HJT log! And the Firewall was on... I can't catch a break...and no one is home to kill ..
Logfile of HijackThis v1.99.1
Scan saved at 6:54:58 PM, on 5/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\System32\scrsvc.exe
C:\WINDOWS\System32\bootpd.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\bootpd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.am
O1 - Hosts: 66.180.173.39 www.google.as
O1 - Hosts: 66.180.173.39 www.google.at
O1 - Hosts: 66.180.173.39 www.google.az
O1 - Hosts: 66.180.173.39 www.google.be
O1 - Hosts: 66.180.173.39 www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca
O1 - Hosts: 66.180.173.39 www.google.cd
O1 - Hosts: 66.180.173.39 www.google.cg
O1 - Hosts: 66.180.173.39 www.google.ch
O1 - Hosts: 66.180.173.39 www.google.ci
O1 - Hosts: 66.180.173.39 www.google.cl
O1 - Hosts: 66.180.173.39 www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu
O1 - Hosts: 66.180.173.39 www.google.co.il
O1 - Hosts: 66.180.173.39 www.google.co.in
O1 - Hosts: 66.180.173.39 www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.co.ke
O1 - Hosts: 66.180.173.39 www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls
O1 - Hosts: 66.180.173.39 www.google.co.nz
O1 - Hosts: 66.180.173.39 www.google.co.th
O1 - Hosts: 66.180.173.39 www.google.co.ug
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.co.ve
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag
O1 - Hosts: 66.180.173.39 www.google.com.ar
O1 - Hosts: 66.180.173.39 www.google.com.au
O1 - Hosts: 66.180.173.39 www.google.com.br
O1 - Hosts: 66.180.173.39 www.google.com.co
O1 - Hosts: 66.180.173.39 www.google.com.cu
O1 - Hosts: 66.180.173.39 www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec
O1 - Hosts: 66.180.173.39 www.google.com.fj
O1 - Hosts: 66.180.173.39 www.google.com.gi
O1 - Hosts: 66.180.173.39 www.google.com.gr
O1 - Hosts: 66.180.173.39 www.google.com.gt
O1 - Hosts: 66.180.173.39 www.google.com.hk
O1 - Hosts: 66.180.173.39 www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt
O1 - Hosts: 66.180.173.39 www.google.com.mx
O1 - Hosts: 66.180.173.39 www.google.com.my
O1 - Hosts: 66.180.173.39 www.google.com.na
O1 - Hosts: 66.180.173.39 www.google.com.nf
O1 - Hosts: 66.180.173.39 www.google.com.ni
O1 - Hosts: 66.180.173.39 www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pe
O1 - Hosts: 66.180.173.39 www.google.com.ph
O1 - Hosts: 66.180.173.39 www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.pr
O1 - Hosts: 66.180.173.39 www.google.com.py
O1 - Hosts: 66.180.173.39 www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg
O1 - Hosts: 66.180.173.39 www.google.com.sv
O1 - Hosts: 66.180.173.39 www.google.com.tr
O1 - Hosts: 66.180.173.39 www.google.com.tw
O1 - Hosts: 66.180.173.39 www.google.com.ua
O1 - Hosts: 66.180.173.39 www.google.com.uy
O1 - Hosts: 66.180.173.39 www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.dj
O1 - Hosts: 66.180.173.39 www.google.dk
O1 - Hosts: 66.180.173.39 www.google.es
O1 - Hosts: 66.180.173.39 www.google.fi
O1 - Hosts: 66.180.173.39 www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 66.180.173.39 www.google.gg
O1 - Hosts: 66.180.173.39 www.google.gl
O1 - Hosts: 66.180.173.39 www.google.gm
O1 - Hosts: 66.180.173.39 www.google.hn
O1 - Hosts: 66.180.173.39 www.google.ie
O1 - Hosts: 66.180.173.39 www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz
O1 - Hosts: 66.180.173.39 www.google.li
O1 - Hosts: 66.180.173.39 www.google.lt
O1 - Hosts: 66.180.173.39 www.google.lu
O1 - Hosts: 66.180.173.39 www.google.lv
O1 - Hosts: 66.180.173.39 www.google.mn
O1 - Hosts: 66.180.173.39 www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu
O1 - Hosts: 66.180.173.39 www.google.mw
O1 - Hosts: 66.180.173.39 www.google.nl
O1 - Hosts: 66.180.173.39 www.google.no
O1 - Hosts: 66.180.173.39 www.google.off.ai
O1 - Hosts: 66.180.173.39 www.google.pl
O1 - Hosts: 66.180.173.39 www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt
O1 - Hosts: 66.180.173.39 www.google.ro
O1 - Hosts: 66.180.173.39 www.google.ru
O1 - Hosts: 66.180.173.39 www.google.rw
O1 - Hosts: 66.180.173.39 www.google.se
O1 - Hosts: 66.180.173.39 www.google.sh
O1 - Hosts: 66.180.173.39 www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm
O1 - Hosts: 66.180.173.39 www.google.td
O1 - Hosts: 66.180.173.39 www.google.tm
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Rich\LOCALS~1\Temp\zifyfufmdqf.dll (file missing)
O2 - BHO: ActiveX Control - {C28678EC-D1DA-4A3F-AB87-ECAEE8C017EE} - C:\WINDOWS\System32\mskpt.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.am
O1 - Hosts: 66.180.173.39 www.google.as
O1 - Hosts: 66.180.173.39 www.google.at
O1 - Hosts: 66.180.173.39 www.google.az
O1 - Hosts: 66.180.173.39 www.google.be
O1 - Hosts: 66.180.173.39 www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca
O1 - Hosts: 66.180.173.39 www.google.cd
O1 - Hosts: 66.180.173.39 www.google.cg
O1 - Hosts: 66.180.173.39 www.google.ch
O1 - Hosts: 66.180.173.39 www.google.ci
O1 - Hosts: 66.180.173.39 www.google.cl
O1 - Hosts: 66.180.173.39 www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu
O1 - Hosts: 66.180.173.39 www.google.co.il
O1 - Hosts: 66.180.173.39 www.google.co.in
O1 - Hosts: 66.180.173.39 www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.co.ke
O1 - Hosts: 66.180.173.39 www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls
O1 - Hosts: 66.180.173.39 www.google.co.nz
O1 - Hosts: 66.180.173.39 www.google.co.th
O1 - Hosts: 66.180.173.39 www.google.co.ug
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.co.ve
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag
O1 - Hosts: 66.180.173.39 www.google.com.ar
O1 - Hosts: 66.180.173.39 www.google.com.au
O1 - Hosts: 66.180.173.39 www.google.com.br
O1 - Hosts: 66.180.173.39 www.google.com.co
O1 - Hosts: 66.180.173.39 www.google.com.cu
O1 - Hosts: 66.180.173.39 www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec
O1 - Hosts: 66.180.173.39 www.google.com.fj
O1 - Hosts: 66.180.173.39 www.google.com.gi
O1 - Hosts: 66.180.173.39 www.google.com.gr
O1 - Hosts: 66.180.173.39 www.google.com.gt
O1 - Hosts: 66.180.173.39 www.google.com.hk
O1 - Hosts: 66.180.173.39 www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt
O1 - Hosts: 66.180.173.39 www.google.com.mx
O1 - Hosts: 66.180.173.39 www.google.com.my
O1 - Hosts: 66.180.173.39 www.google.com.na
O1 - Hosts: 66.180.173.39 www.google.com.nf
O1 - Hosts: 66.180.173.39 www.google.com.ni
O1 - Hosts: 66.180.173.39 www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pe
O1 - Hosts: 66.180.173.39 www.google.com.ph
O1 - Hosts: 66.180.173.39 www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.pr
O1 - Hosts: 66.180.173.39 www.google.com.py
O1 - Hosts: 66.180.173.39 www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg
O1 - Hosts: 66.180.173.39 www.google.com.sv
O1 - Hosts: 66.180.173.39 www.google.com.tr
O1 - Hosts: 66.180.173.39 www.google.com.tw
O1 - Hosts: 66.180.173.39 www.google.com.ua
O1 - Hosts: 66.180.173.39 www.google.com.uy
O1 - Hosts: 66.180.173.39 www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.dj
O1 - Hosts: 66.180.173.39 www.google.dk
O1 - Hosts: 66.180.173.39 www.google.es
O1 - Hosts: 66.180.173.39 www.google.fi
O1 - Hosts: 66.180.173.39 www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 66.180.173.39 www.google.gg
O1 - Hosts: 66.180.173.39 www.google.gl
O1 - Hosts: 66.180.173.39 www.google.gm
O1 - Hosts: 66.180.173.39 www.google.hn
O1 - Hosts: 66.180.173.39 www.google.ie
O1 - Hosts: 66.180.173.39 www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz
O1 - Hosts: 66.180.173.39 www.google.li
O1 - Hosts: 66.180.173.39 www.google.lt
O1 - Hosts: 66.180.173.39 www.google.lu
O1 - Hosts: 66.180.173.39 www.google.lv
O1 - Hosts: 66.180.173.39 www.google.mn
O1 - Hosts: 66.180.173.39 www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu
O1 - Hosts: 66.180.173.39 www.google.mw
O1 - Hosts: 66.180.173.39 www.google.nl
O1 - Hosts: 66.180.173.39 www.google.no
O1 - Hosts: 66.180.173.39 www.google.off.ai
O1 - Hosts: 66.180.173.39 www.google.pl
O1 - Hosts: 66.180.173.39 www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt
O1 - Hosts: 66.180.173.39 www.google.ro
O1 - Hosts: 66.180.173.39 www.google.ru
O1 - Hosts: 66.180.173.39 www.google.rw
O1 - Hosts: 66.180.173.39 www.google.se
O1 - Hosts: 66.180.173.39 www.google.sh
O1 - Hosts: 66.180.173.39 www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm
O1 - Hosts: 66.180.173.39 www.google.td
O1 - Hosts: 66.180.173.39 www.google.tm

O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Rich\LOCALS~1\Temp\zifyfufmdqf.dll (file missing)

O2 - BHO: ActiveX Control - {C28678EC-D1DA-4A3F-AB87-ECAEE8C017EE} - C:\WINDOWS\System32\mskpt.dll (file missing)

O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe

O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe*

Restart to safe mode.

*How to start your computer in safe mode*

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete these files:

C:\WINDOWS\System32\*scrsvc.exe*
C:\WINDOWS\System32\*bootpd.exe*

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

Boot back to Windows normally.

Go here and do an online virus scan.

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.


----------



## cubz (Mar 24, 2004)

doing it now.. thanks.. I didn't want to go thru and start deleteing before asking you.


----------



## cubz (Mar 24, 2004)

did all- new HJT: looks good?
Logfile of HijackThis v1.99.1
Scan saved at 9:45:58 PM, on 5/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

Clean! :up:


----------



## cubz (Mar 24, 2004)

Could you please just ck this log- it's from another login- and when I tried to use that one- opening IE was slow and then failed to load page- then it worked..it just seems slower than mine...
I attached it instead of copying it ...


----------



## Flrman1 (Jul 26, 2002)

Logfile of HijackThis v1.99.1
Scan saved at 8:25:23 PM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\RunOnce: [mptsgsvc.exe] mptsgsvc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

Fix these:

*O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll (file missing)

O4 - HKLM\..\RunOnce: [mptsgsvc.exe] mptsgsvc.exe*

Boot to safe mode and delete this file:

*mptsgsvc.exe*


----------



## cubz (Mar 24, 2004)

hi - I went to do what you said and the entries are gone..here is the HJT..something else is up though- when I looked in the IE favorites it had those gambling and porn links again..where are they coming from? and why are they still getting thru?
Logfile of HijackThis v1.99.1
Scan saved at 9:23:29 PM, on 5/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

Go *here* and download Microsoft Antispyware Beta. First in the top menu click *File* then *Check for updates* to download the definitons updates.

After updating look in the right side of the main window under "Run Quick Scan Now" and click *Spyware scan options*. In that window put a tick by *Run a full system scan* and then put a check by all three options below that then click *Run Scan now*.

When the scan is finished, let it fix anything that it finds. Have it quarantine the items that have that option rather than delete just in case.

*Restart your computer*.

Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*


----------



## cubz (Mar 24, 2004)

HI sorry it has taken me so long to get back to you...Really busy at work working late and weekends were a mess..I tried to run the Panda active scan but it will not run...I tried 3 seperate occasions and it just hangs- once I receive an error that there was a problem ... no details as to why though..anything else I should try instead?


----------



## Flrman1 (Jul 26, 2002)

Try this one:

Go here and do an online virus scan.

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.


----------



## cubz (Mar 24, 2004)

ok - that should work... would you know why the PC does not make any noise any more- it just humms. usually there was some kind of noise when booting up..


----------



## Flrman1 (Jul 26, 2002)

Also update your virus definitons and run a full systen scan on all user profiles.


----------



## cubz (Mar 24, 2004)

ok will do today and let you know


----------



## Flrman1 (Jul 26, 2002)

:up:


----------



## cubz (Mar 24, 2004)

I did all and all seem to be ok now. The pc still doesn't make any noise other than the humming. I also updated windows but not to SP2, I selected the other that said XP updates- not SP2. After it rebooted I was not able to do anything. Could not get to system restore, could not look at the system icon in the control panel, could not get to IE, the Antivirus and firewall did not start. Very frustrating. So I started and used last none good config. I then ran the antivirus and tren micro one and didn't find anything. Should I make a restore point again now? Why would that happen to windows if I didn't update to SP2? This is so very frustrating..I really do appreciate all your help with this. I copied one of the HJT log's so you could see if anything is still wrong..
Logfile of HijackThis v1.99.1
Scan saved at 8:52:30 PM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iesetupdll] bnui.exe
O4 - HKCU\..\Run: [XTermInit] MsNetHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

* Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*O4 - HKCU\..\Run: [iesetupdll] bnui.exe

O4 - HKCU\..\Run: [XTermInit] MsNetHelper.exe*

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\bnui.exe

C:\WINDOWS\System32\bnui.exe

C:\WINDOWS\MsNetHelper.exe

C:\WINDOWS\System32\MsNetHelper.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Start Ccleaner and click *Run Cleaner*

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Restart back into Windows normally now.


----------



## Flrman1 (Jul 26, 2002)

Killbox creates backups of the files it removes in a C:\!Submit folder. Go to the forum *here* and upload the files found in the C:\!Submit folder.

Here are the directions for uploading the files:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the files on your computer. If there are multiple files to be uploaded click the "More attachments" button for each extra file and browse to the files. When all the files are listed in the windows click "Post" to upload the files.

Also I am attaching a log.zip file to this post. Download it and unzip it to your desktop. Doubleclick on the log.bat file to run it. It will produce a C:\Log.txt file. Upload that log to the other forum along with the files from the !Submit folder. It will be too large to upload here.


----------



## cubz (Mar 24, 2004)

will try to get it done tonight if not tomorrow after work...


----------



## Flrman1 (Jul 26, 2002)

:up:


----------



## cubz (Mar 24, 2004)

ok tried it -when tried to get on pc same issues- was not able to do anything.. so had to boot up with last known config and was able to log onto one of the id's. So then I tried whatr you said & the only thing that worked was deleted the entries in HJT. The files came up as 
"not found" and when ccleaner ran and completed I looked for the folder- I could not find it. Sooo here is the latest HJT from the same id as last entry.: 
What next? 
Logfile of HijackThis v1.99.1
Scan saved at 8:58:03 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

Did you do this?:


flrman1 said:


> Also I am attaching a log.zip file to this post. Download it and unzip it to your desktop. Doubleclick on the log.bat file to run it. It will produce a C:\Log.txt file. Upload that log to the other forum along with the files from the !Submit folder. It will be too large to upload here.


----------



## cubz (Mar 24, 2004)

Just did the last request. I posted the log.txt(uploaded). But since I could not find the C:\!Submit folder-not found- I did not attach that information. Is there anything else I need to do now? Hope I did right...


----------



## Flrman1 (Jul 26, 2002)

You didn't upload the log.txt file either. Please try again.


----------



## cubz (Mar 24, 2004)

I attached the log to the other forum and this time checked to make sure it was there. 
I also ran Killbox again and it did not find the fileslithat you said to delete. It did not create !Submit file as there were no files deleted( this was the message I received when I tried to open the !Submit folder under Tools-open -!Submit folder.) So I do not have that log.
I ran the CCleaner and I am attaching the log- don't know if that will be of any help. 
Is there anything else you need me to do?


----------



## Flrman1 (Jul 26, 2002)

I found this whole list of suspicious files in the C:\Windows\System32 folder:

*cithlper.exe
djpesejdj3b7p.dll
fixdisk32.exe
sprmove.exe
hdbch.dll
hddwt.dll
hdfeb.dll
hdhcw.dll
hdiuo.dll
hdlot.dll
hdnvo.dll
hdqhe.dll
hdqmv.dll
hdspe.dll
hdtli.dll
hduxd.dll
hdvrt.dll
hdxwe.dll*

Before we do anything else, please go back to the Spykiller forum and upload all of those files.


----------



## cubz (Mar 24, 2004)

I uploaded the logs..anything else needed?


----------



## Flrman1 (Jul 26, 2002)

You didn't upload what I asked for. This is what I asked you to upload:


flrman1 said:


> I found this whole list of suspicious files in the C:\Windows\System32 folder:
> 
> *cithlper.exe
> djpesejdj3b7p.dll
> ...


You need to go to the SpyKiller forum, browse to each of those files in the System32 folder and upload them.


----------



## cubz (Mar 24, 2004)

I am sorry about that- I miss understood- didn't read it through.. I uploaded all the files/dll's from the sys32 folder... Anything else?


----------



## Flrman1 (Jul 26, 2002)

Now please go ahead and post a new Hijack This log.


----------



## cubz (Mar 24, 2004)

Ok here the HJT log....
anything else?

Logfile of HijackThis v1.99.1
Scan saved at 10:07:26 AM, on 5/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe

O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

Restart into safe mode.

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\Windows\System32\cithlper.exe
C:\Windows\System32\djpesejdj3b7p.dll
C:\Windows\System32\fixdisk32.exe
C:\Windows\System32\sprmove.exe
C:\Windows\System32\hdbch.dll
C:\Windows\System32\hddwt.dll
C:\Windows\System32\hdfeb.dll
C:\Windows\System32\hdhcw.dll
C:\Windows\System32\hdiuo.dll
C:\Windows\System32\hdlot.dll
C:\Windows\System32\hdnvo.dll
C:\Windows\System32\hdqhe.dll
C:\Windows\System32\hdqmv.dll
C:\Windows\System32\hdspe.dll
C:\Windows\System32\hdtli.dll
C:\Windows\System32\hduxd.dll
C:\Windows\System32\hdvrt.dll
C:\Windows\System32\hdxwe.dll*


----------



## cubz (Mar 24, 2004)

Did it. All found and said deleted. What's next? 
Also, I keep receiving an error that it cannot find HPHipmon9 driver for the printer but then it printers. I tried reinstalling but it does not comlete and no errors..Oh and when IE opens the home page is set to yahoo.com- but it opens with www.yahoo.com\ and firewall says the it prevented the homepage from being changed from yahoo.com to yahoo.com\.. is this something to be concerned with? 
The new HJT in case you needed it:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:59 PM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\cmd32.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIGHJACKTHIS\HijackThis.exe

O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

The log looks fine and it shows HPHipm09.exe in the running processes. When do you get the error?


----------



## cubz (Mar 24, 2004)

I get the error when trying to print- select print from the file menu- or use the printer icon- It will give me the message but then start to print. I tried to reinstall the printer but it never completes- but it will still print...very strange.. Is the yahoo url an issue?


----------



## Flrman1 (Jul 26, 2002)

Did you uninstall then reinstall the drivers?


----------



## cubz (Mar 24, 2004)

yes - did the reinstall..should I try it again?


----------



## Flrman1 (Jul 26, 2002)

Did you uninstall the old first?


----------



## cubz (Mar 24, 2004)

No I didn't- it over wrote it..I'll do the uninsttall and re-install it and let you know what happens tomorrow.. Anything else I should do?


----------



## Flrman1 (Jul 26, 2002)

As far as i can tell everything else is OK.


----------



## cubz (Mar 24, 2004)

hi again- sorry haven't responded sooner- have been sick- I uninstalled and re-installed with the xp drivers from the HP site.. Installs fine but then has same message when printed a test page, then prints it.. So far it works and everything else seems to be ok...


----------



## Flrman1 (Jul 26, 2002)

I honestly don't know what's up with the error. Maybe contact HP and see if they know.


----------



## cubz (Mar 24, 2004)

Thank you very much for all your help!!


----------



## Flrman1 (Jul 26, 2002)

You're very welcome!  I hope you can manage to keep it clean this time.

Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

