# Smart Security, HELP!!!



## mzmaxey (Mar 21, 2004)

Help! This thing has taken over. I've read some previous threads and cannot apply the same fixes. Here is my Hijackthis Log:

Logfile of HijackThis v1.98.2
Scan saved at 10:50:51 PM, on 3/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\Gtf.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user1\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Mqs] C:\WINDOWS\Gtf.exe
O4 - HKLM\..\Run: [Tqu] C:\WINDOWS\System32\Qmr.exe
O4 - HKLM\..\Run: [Ugk] C:\WINDOWS\Ipt.exe
O4 - HKLM\..\Run: [Ehk] C:\WINDOWS\Fvi.exe
O4 - HKLM\..\Run: [Jvg] C:\WINDOWS\Aku.exe
O4 - HKLM\..\Run: [Nns] C:\WINDOWS\System32\Fnc.exe
O4 - HKLM\..\Run: [Omd] C:\WINDOWS\System32\Ffp.exe
O4 - HKLM\..\Run: [Cts] C:\WINDOWS\Mjf.exe
O4 - HKLM\..\Run: [Bka] C:\WINDOWS\Pue.exe
O4 - HKLM\..\Run: [Vak] C:\WINDOWS\Uoo.exe
O4 - HKLM\..\Run: [Cvn] C:\WINDOWS\Qjn.exe
O4 - HKLM\..\Run: [Kul] C:\WINDOWS\Qrs.exe
O4 - HKLM\..\Run: [Qkg] C:\WINDOWS\System32\Mrp.exe
O4 - HKLM\..\Run: [Pjo] C:\WINDOWS\System32\Tvp.exe
O4 - HKLM\..\Run: [Ksj] C:\WINDOWS\System32\Dcs.exe
O4 - HKLM\..\Run: [Pbp] C:\WINDOWS\Hht.exe
O4 - HKLM\..\Run: [Mdi] C:\WINDOWS\System32\Qic.exe
O4 - HKLM\..\Run: [Apk] C:\WINDOWS\System32\Cii.exe
O4 - HKLM\..\Run: [Smh] C:\WINDOWS\Vii.exe
O4 - HKLM\..\Run: [Ich] C:\WINDOWS\System32\Crh.exe
O4 - HKLM\..\Run: [Elu] C:\WINDOWS\Jhh.exe
O4 - HKLM\..\Run: [Blk] C:\WINDOWS\Muc.exe
O4 - HKLM\..\Run: [Gkj] C:\WINDOWS\Ori.exe
O4 - HKLM\..\Run: [Bld] C:\WINDOWS\System32\Cjt.exe
O4 - HKLM\..\Run: [Okd] C:\WINDOWS\System32\Qhc.exe
O4 - HKLM\..\Run: [Uag] C:\WINDOWS\Nfl.exe
O4 - HKLM\..\Run: [Jru] C:\WINDOWS\Eek.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Jhl] C:\WINDOWS\Vbd.exe
O4 - HKLM\..\Run: [Gcr] C:\WINDOWS\System32\Bjg.exe
O4 - HKLM\..\Run: [Ibr] C:\WINDOWS\System32\Fdg.exe
O4 - HKLM\..\Run: [Dlj] C:\WINDOWS\Ltu.exe
O4 - HKLM\..\Run: [Aee] C:\WINDOWS\Ufb.exe
O4 - HKLM\..\Run: [Haa] C:\WINDOWS\System32\Gtd.exe
O4 - HKLM\..\Run: [Vml] C:\WINDOWS\Ijb.exe
O4 - HKLM\..\Run: [Dln] C:\WINDOWS\Bil.exe
O4 - HKLM\..\Run: [Hmh] C:\WINDOWS\Shk.exe
O4 - HKLM\..\Run: [Ort] C:\WINDOWS\System32\Uag.exe
O4 - HKLM\..\Run: [Fdd] C:\WINDOWS\System32\Mrn.exe
O4 - HKLM\..\Run: [Dnu] C:\WINDOWS\System32\Ofl.exe
O4 - HKLM\..\Run: [Ibt] C:\WINDOWS\Dgm.exe
O4 - HKLM\..\Run: [Opm] C:\WINDOWS\Hkg.exe
O4 - HKLM\..\Run: [Jok] C:\WINDOWS\System32\Tfq.exe
O4 - HKLM\..\Run: [Las] C:\WINDOWS\System32\Euc.exe
O4 - HKLM\..\Run: [Soe] C:\WINDOWS\Sfh.exe
O4 - HKLM\..\Run: [Big] C:\WINDOWS\Sgo.exe
O4 - HKLM\..\Run: [Tuh] C:\WINDOWS\Ilc.exe
O4 - HKLM\..\Run: [Hsa] C:\WINDOWS\System32\Kdd.exe
O4 - HKLM\..\Run: [Eii] C:\WINDOWS\System32\Efc.exe
O4 - HKLM\..\Run: [Hjj] C:\WINDOWS\System32\Bjv.exe
O4 - HKLM\..\Run: [Qdb] C:\WINDOWS\System32\Pqt.exe
O4 - HKLM\..\Run: [Gul] C:\WINDOWS\Gag.exe
O4 - HKLM\..\Run: [Vrq] C:\WINDOWS\System32\Cmr.exe
O4 - HKLM\..\Run: [Lvb] C:\WINDOWS\System32\Kur.exe
O4 - HKLM\..\Run: [Fnc] C:\WINDOWS\Vkr.exe
O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\System32\Vis.exe
O4 - HKLM\..\Run: [Kfg] C:\WINDOWS\Qlo.exe
O4 - HKLM\..\Run: [Apb] C:\WINDOWS\System32\Aqt.exe
O4 - HKLM\..\Run: [Vas] C:\WINDOWS\System32\Voc.exe
O4 - HKLM\..\Run: [Qvu] C:\WINDOWS\Lst.exe
O4 - HKLM\..\Run: [Bkr] C:\WINDOWS\System32\Mji.exe
O4 - HKLM\..\Run: [Ulk] C:\WINDOWS\Fvv.exe
O4 - HKLM\..\Run: [Bdk] C:\WINDOWS\System32\Ofg.exe
O4 - HKLM\..\Run: [Lco] C:\WINDOWS\System32\Dmc.exe
O4 - HKLM\..\Run: [Vai] C:\WINDOWS\System32\Sjg.exe
O4 - HKLM\..\Run: [Nuq] C:\WINDOWS\Hgr.exe
O4 - HKLM\..\Run: [Tgl] C:\WINDOWS\System32\Fgh.exe
O4 - HKLM\..\Run: [Bst] C:\WINDOWS\System32\Dit.exe
O4 - HKLM\..\Run: [Rlp] C:\WINDOWS\Jke.exe
O4 - HKLM\..\Run: [Nie] C:\WINDOWS\Vld.exe
O4 - HKLM\..\Run: [Occ] C:\WINDOWS\Iip.exe
O4 - HKLM\..\Run: [Rgr] C:\WINDOWS\System32\Iji.exe
O4 - HKLM\..\Run: [Csg] C:\WINDOWS\System32\Uhg.exe
O4 - HKLM\..\Run: [Sno] C:\WINDOWS\Mjj.exe
O4 - HKLM\..\Run: [Cpd] C:\WINDOWS\System32\Mti.exe
O4 - HKLM\..\Run: [Pme] C:\WINDOWS\System32\Lcn.exe
O4 - HKLM\..\Run: [Csp] C:\WINDOWS\Fqa.exe
O4 - HKLM\..\Run: [Cqc] C:\WINDOWS\Gbu.exe
O4 - HKLM\..\Run: [Asm] C:\WINDOWS\System32\Qfp.exe
O4 - HKLM\..\Run: [Jqa] C:\WINDOWS\System32\Ijs.exe
O4 - HKLM\..\Run: [Jev] C:\WINDOWS\Glf.exe
O4 - HKLM\..\Run: [Oug] C:\WINDOWS\System32\Mrr.exe
O4 - HKLM\..\Run: [Gsj] C:\WINDOWS\Dua.exe
O4 - HKLM\..\Run: [Psm] C:\WINDOWS\System32\Tjc.exe
O4 - HKLM\..\Run: [Fgl] C:\WINDOWS\System32\Klm.exe
O4 - HKLM\..\Run: [Pgp] C:\WINDOWS\Rhk.exe
O4 - HKLM\..\Run: [Kph] C:\WINDOWS\Ptp.exe
O4 - HKLM\..\Run: [Fuo] C:\WINDOWS\System32\Ija.exe
O4 - HKLM\..\Run: [Bnl] C:\WINDOWS\System32\Cin.exe
O4 - HKLM\..\Run: [Fvt] C:\WINDOWS\System32\Vil.exe
O4 - HKLM\..\Run: [Sjf] C:\WINDOWS\System32\Lvr.exe
O4 - HKLM\..\Run: [Fvm] C:\WINDOWS\Fck.exe
O4 - HKLM\..\Run: [Iie] C:\WINDOWS\Opt.exe
O4 - HKLM\..\Run: [Pqb] C:\WINDOWS\Mup.exe
O4 - HKLM\..\Run: [Jra] C:\WINDOWS\System32\Dje.exe
O4 - HKLM\..\Run: [Unq] C:\WINDOWS\System32\Olg.exe
O4 - HKLM\..\Run: [Tec] C:\WINDOWS\System32\Trn.exe
O4 - HKLM\..\Run: [Cid] C:\WINDOWS\Jcg.exe
O4 - HKLM\..\Run: [Fdq] C:\WINDOWS\Tkd.exe
O4 - HKLM\..\Run: [Thm] C:\WINDOWS\System32\Mdn.exe
O4 - HKLM\..\Run: [Ehs] C:\WINDOWS\System32\Gdl.exe
O4 - HKLM\..\Run: [Jlu] C:\WINDOWS\Mcr.exe
O4 - HKLM\..\Run: [Ele] C:\WINDOWS\Dpq.exe
O4 - HKLM\..\Run: [Ndo] C:\WINDOWS\Kks.exe
O4 - HKLM\..\Run: [Afg] C:\WINDOWS\Vau.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Mqs] C:\WINDOWS\Gtf.exe
O4 - HKCU\..\Run: [Tqu] C:\WINDOWS\System32\Qmr.exe
O4 - HKCU\..\Run: [Ugk] C:\WINDOWS\Ipt.exe
O4 - HKCU\..\Run: [Ehk] C:\WINDOWS\Fvi.exe
O4 - HKCU\..\Run: [Jvg] C:\WINDOWS\Aku.exe
O4 - HKCU\..\Run: [Nns] C:\WINDOWS\System32\Fnc.exe
O4 - HKCU\..\Run: [Omd] C:\WINDOWS\System32\Ffp.exe
O4 - HKCU\..\Run: [Cts] C:\WINDOWS\Mjf.exe
O4 - HKCU\..\Run: [Bka] C:\WINDOWS\Pue.exe
O4 - HKCU\..\Run: [Vak] C:\WINDOWS\Uoo.exe
O4 - HKCU\..\Run: [Cvn] C:\WINDOWS\Qjn.exe
O4 - HKCU\..\Run: [Kul] C:\WINDOWS\Qrs.exe
O4 - HKCU\..\Run: [Qkg] C:\WINDOWS\System32\Mrp.exe
O4 - HKCU\..\Run: [Pjo] C:\WINDOWS\System32\Tvp.exe
O4 - HKCU\..\Run: [Ksj] C:\WINDOWS\System32\Dcs.exe
O4 - HKCU\..\Run: [Pbp] C:\WINDOWS\Hht.exe
O4 - HKCU\..\Run: [Mdi] C:\WINDOWS\System32\Qic.exe
O4 - HKCU\..\Run: [Apk] C:\WINDOWS\System32\Cii.exe
O4 - HKCU\..\Run: [Smh] C:\WINDOWS\Vii.exe
O4 - HKCU\..\Run: [Ich] C:\WINDOWS\System32\Crh.exe
O4 - HKCU\..\Run: [Elu] C:\WINDOWS\Jhh.exe
O4 - HKCU\..\Run: [Blk] C:\WINDOWS\Muc.exe
O4 - HKCU\..\Run: [Gkj] C:\WINDOWS\Ori.exe
O4 - HKCU\..\Run: [Bld] C:\WINDOWS\System32\Cjt.exe
O4 - HKCU\..\Run: [Okd] C:\WINDOWS\System32\Qhc.exe
O4 - HKCU\..\Run: [Uag] C:\WINDOWS\Nfl.exe
O4 - HKCU\..\Run: [Jru] C:\WINDOWS\Eek.exe
O4 - HKCU\..\Run: [Cvh] C:\WINDOWS\Acb.exe
O4 - HKCU\..\Run: [Dbr] C:\WINDOWS\System32\Sin.exe
O4 - HKCU\..\Run: [Jhl] C:\WINDOWS\Vbd.exe
O4 - HKCU\..\Run: [Gcr] C:\WINDOWS\System32\Bjg.exe
O4 - HKCU\..\Run: [Ibr] C:\WINDOWS\System32\Fdg.exe
O4 - HKCU\..\Run: [Dlj] C:\WINDOWS\Ltu.exe
O4 - HKCU\..\Run: [Aee] C:\WINDOWS\Ufb.exe
O4 - HKCU\..\Run: [Haa] C:\WINDOWS\System32\Gtd.exe
O4 - HKCU\..\Run: [Vml] C:\WINDOWS\Ijb.exe
O4 - HKCU\..\Run: [Dln] C:\WINDOWS\Bil.exe
O4 - HKCU\..\Run: [Hmh] C:\WINDOWS\Shk.exe
O4 - HKCU\..\Run: [Ort] C:\WINDOWS\System32\Uag.exe
O4 - HKCU\..\Run: [Fdd] C:\WINDOWS\System32\Mrn.exe
O4 - HKCU\..\Run: [Pej] C:\WINDOWS\Lth.exe
O4 - HKCU\..\Run: [Pfp] C:\WINDOWS\System32\Rns.exe
O4 - HKCU\..\Run: [Dnu] C:\WINDOWS\System32\Ofl.exe
O4 - HKCU\..\Run: [Ibt] C:\WINDOWS\Dgm.exe
O4 - HKCU\..\Run: [Eol] C:\WINDOWS\System32\Cui.exe
O4 - HKCU\..\Run: [Opm] C:\WINDOWS\Hkg.exe
O4 - HKCU\..\Run: [Jok] C:\WINDOWS\System32\Tfq.exe
O4 - HKCU\..\Run: [Las] C:\WINDOWS\System32\Euc.exe
O4 - HKCU\..\Run: [Soe] C:\WINDOWS\Sfh.exe
O4 - HKCU\..\Run: [Big] C:\WINDOWS\Sgo.exe
O4 - HKCU\..\Run: [Tuh] C:\WINDOWS\Ilc.exe
O4 - HKCU\..\Run: [Hsa] C:\WINDOWS\System32\Kdd.exe
O4 - HKCU\..\Run: [Eii] C:\WINDOWS\System32\Efc.exe
O4 - HKCU\..\Run: [Hjj] C:\WINDOWS\System32\Bjv.exe
O4 - HKCU\..\Run: [Qdb] C:\WINDOWS\System32\Pqt.exe
O4 - HKCU\..\Run: [Gul] C:\WINDOWS\Gag.exe
O4 - HKCU\..\Run: [Vrq] C:\WINDOWS\System32\Cmr.exe
O4 - HKCU\..\Run: [Lvb] C:\WINDOWS\System32\Kur.exe
O4 - HKCU\..\Run: [Fnc] C:\WINDOWS\Vkr.exe
O4 - HKCU\..\Run: [Gnt] C:\WINDOWS\System32\Vis.exe
O4 - HKCU\..\Run: [Kfg] C:\WINDOWS\Qlo.exe
O4 - HKCU\..\Run: [Apb] C:\WINDOWS\System32\Aqt.exe
O4 - HKCU\..\Run: [Vas] C:\WINDOWS\System32\Voc.exe
O4 - HKCU\..\Run: [Gbd] C:\WINDOWS\Nnm.exe
O4 - HKCU\..\Run: [Qvu] C:\WINDOWS\Lst.exe
O4 - HKCU\..\Run: [Bkr] C:\WINDOWS\System32\Mji.exe
O4 - HKCU\..\Run: [Ulk] C:\WINDOWS\Fvv.exe
O4 - HKCU\..\Run: [Bdk] C:\WINDOWS\System32\Ofg.exe
O4 - HKCU\..\Run: [Lco] C:\WINDOWS\System32\Dmc.exe
O4 - HKCU\..\Run: [Vai] C:\WINDOWS\System32\Sjg.exe
O4 - HKCU\..\Run: [Nuq] C:\WINDOWS\Hgr.exe
O4 - HKCU\..\Run: [Tgl] C:\WINDOWS\System32\Fgh.exe
O4 - HKCU\..\Run: [Bst] C:\WINDOWS\System32\Dit.exe
O4 - HKCU\..\Run: [Rlp] C:\WINDOWS\Jke.exe
O4 - HKCU\..\Run: [Nie] C:\WINDOWS\Vld.exe
O4 - HKCU\..\Run: [Occ] C:\WINDOWS\Iip.exe
O4 - HKCU\..\Run: [Rgr] C:\WINDOWS\System32\Iji.exe
O4 - HKCU\..\Run: [Csg] C:\WINDOWS\System32\Uhg.exe
O4 - HKCU\..\Run: [Sno] C:\WINDOWS\Mjj.exe
O4 - HKCU\..\Run: [Cpd] C:\WINDOWS\System32\Mti.exe
O4 - HKCU\..\Run: [Pme] C:\WINDOWS\System32\Lcn.exe
O4 - HKCU\..\Run: [Csp] C:\WINDOWS\Fqa.exe
O4 - HKCU\..\Run: [Cqc] C:\WINDOWS\Gbu.exe
O4 - HKCU\..\Run: [Asm] C:\WINDOWS\System32\Qfp.exe
O4 - HKCU\..\Run: [Jqa] C:\WINDOWS\System32\Ijs.exe
O4 - HKCU\..\Run: [Jev] C:\WINDOWS\Glf.exe
O4 - HKCU\..\Run: [Oug] C:\WINDOWS\System32\Mrr.exe
O4 - HKCU\..\Run: [Gsj] C:\WINDOWS\Dua.exe
O4 - HKCU\..\Run: [Psm] C:\WINDOWS\System32\Tjc.exe
O4 - HKCU\..\Run: [Fgl] C:\WINDOWS\System32\Klm.exe
O4 - HKCU\..\Run: [Pgp] C:\WINDOWS\Rhk.exe
O4 - HKCU\..\Run: [Kph] C:\WINDOWS\Ptp.exe
O4 - HKCU\..\Run: [Fuo] C:\WINDOWS\System32\Ija.exe
O4 - HKCU\..\Run: [Bnl] C:\WINDOWS\System32\Cin.exe
O4 - HKCU\..\Run: [Fvt] C:\WINDOWS\System32\Vil.exe
O4 - HKCU\..\Run: [Sjf] C:\WINDOWS\System32\Lvr.exe
O4 - HKCU\..\Run: [Fvm] C:\WINDOWS\Fck.exe
O4 - HKCU\..\Run: [Iie] C:\WINDOWS\Opt.exe
O4 - HKCU\..\Run: [Pqb] C:\WINDOWS\Mup.exe
O4 - HKCU\..\Run: [Jra] C:\WINDOWS\System32\Dje.exe
O4 - HKCU\..\Run: [Unq] C:\WINDOWS\System32\Olg.exe
O4 - HKCU\..\Run: [Tec] C:\WINDOWS\System32\Trn.exe
O4 - HKCU\..\Run: [Cid] C:\WINDOWS\Jcg.exe
O4 - HKCU\..\Run: [Fdq] C:\WINDOWS\Tkd.exe
O4 - HKCU\..\Run: [Thm] C:\WINDOWS\System32\Mdn.exe
O4 - HKCU\..\Run: [Ehs] C:\WINDOWS\System32\Gdl.exe
O4 - HKCU\..\Run: [Jlu] C:\WINDOWS\Mcr.exe
O4 - HKCU\..\Run: [Ele] C:\WINDOWS\Dpq.exe
O4 - HKCU\..\Run: [Ndo] C:\WINDOWS\Kks.exe
O4 - HKCU\..\Run: [Afg] C:\WINDOWS\Vau.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {126D9184-71E9-42D0-9DE5-DEA8508E6ABF} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O9 - Extra button: Corel Network monitor worker - {2651BE4A-733C-4829-B5DC-FD4DCA12635B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {2651BE4A-733C-4829-B5DC-FD4DCA12635B} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/v_mywebex-freetrial/webex/ieatgpc.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea2fd.sea2.hotmail.msn.com/activex/HMAtchmt.ocx


----------



## The_Egg (Sep 16, 2002)

Please upgrade to HijackThis v1.99.1 and post the new log asap

Use this self-extracting installer, which will install HJT to C:\Program Files\HijackThis\
http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

Please do NOT shut down or reboot your PC until a fix has been provided, and you are told otherwise.

Whilst we're waiting, please go to:
Control Panel > Add/Remove Programs
and uninstall "Ares"

Ares-Lite is safe, but "Ares" (full version) comes bundled with spyware/adware/etc.

See here for a list of safe/unsafe p2p
http://www.spywareinfo.com/articles/p2p/
http://forums.winamp.com/showthread.php?threadid=64964


----------



## mzmaxey (Mar 21, 2004)

Thank you for the quick response :up: Unfortunately, this is something on my daughter's machine at school and I was webexed with her trying to fix it. However, the school disables their internet access at midnight and she had already shut the computer down. I had her turn it back on and told her to leave it on until I told her to shut it down. I

I will be able to get a new log tomorrow.

Thank you!


----------



## The_Egg (Sep 16, 2002)

No problem. We'll still be here.

I could try to supply a fix based on the 1.98.2 log, but I'm not so sure it would work, because this type of hijack will usually include entries that are only shown by the latest version of HJT - and we'll need to fix everything in one go to get rid of the problem. A partial fix is pointless if the hijack just comes straight back, possibly worse than before.

There are two distinct malware infections showing.
One is the Smart Security hijack (with all those random 3 letter .exe files)

and the other is the mitglied trojan, aka Troj/Lohav
O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_MITGLIED.BY&VSect=T
http://www.sophos.com/virusinfo/analyses/trojlohavp.html
http://www.sophos.com/virusinfo/analyses/trojlohavo.html

However, they are both related, ie. one was probably downloaded/installed by the other.

The mitglied trojan attempts to kill all processes belonging to any rival security programs (antivirus, firewall, antispyware, etc), and the Smart Security advert hopes to get you to install the Smart Security software to fix the problem.

I should be able to provide the full fix, as soon as I've seen the HJT v.1.99.1 log.

Now that the computer's been shut down, it may as well have stayed shut down until the new log can be posted, heh. Not to worry, we'll still fix it.

_____________________________
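The two patterns The_Egg describes above (a three-letter value name with a capital first letter launching a three-letter .exe dropped straight into C:\WINDOWS or System32, plus the windllsys32.exe file named for the mitglied trojan) are easy to check for mechanically across a long log. The following Python script is an added example and is not code from the thread or from the HijackThis project: it parses O4 Run lines in the v1.98.2 format, flags only entries that match those two descriptions, and emits the distinct file paths plus a .reg body of `"Name"=-` value deletions under the HKLM and HKCU Run keys. The sample log lines are constructed for the example; the only indicator taken from the thread is the windllsys32.exe filename, and the Run key paths are the standard Windows autostart keys.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.98.2 O4 format (not copied from the thread):
# legitimate autostarts mixed with the two patterns described in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Mqs] C:\WINDOWS\Gtf.exe
O4 - HKLM\..\Run: [Tqu] C:\WINDOWS\System32\Qmr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
O4 - HKCU\..\Run: [Mqs] C:\WINDOWS\Gtf.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
"""

# One HKLM/HKCU Run entry as HijackThis prints it: [value name] command line.
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Smart Security pattern from the thread: three-letter value name, capital first letter,
# launching a three-letter .exe placed directly in C:\WINDOWS or C:\WINDOWS\System32.
THREE_LETTER = re.compile(r"^[A-Z][a-z]{2}$")
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Mitglied/Lohav indicator named in the thread (filename only; nothing else assumed).
KNOWN_BAD_FILES = {"windllsys32.exe"}

RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}


def _exe_path(cmd):
    """Return the executable path from a Run command line: quoted paths are unwrapped,
    unquoted ones are cut after the first '.exe' so trailing switches fall away."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split(" ")[0]


def classify(name, cmd):
    """Return a reason string if the entry matches a pattern from the thread, else None."""
    path = _exe_path(cmd)
    directory, _, base = path.rpartition("\\")
    if base.lower() in KNOWN_BAD_FILES:
        return "mitglied/lohav trojan file"
    if (base.lower().endswith(".exe") and THREE_LETTER.match(name)
            and directory.lower() in DROP_DIRS and THREE_LETTER.match(base[:-4])):
        return "Smart Security random three-letter autostart"
    return None


def triage(log_text):
    """Parse O4 Run lines and return the suspicious ones as (hive, name, path, reason)."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        reason = classify(m["name"], m["cmd"])
        if reason:
            findings.append((m["hive"], m["name"], _exe_path(m["cmd"]), reason))
    return findings


def files_to_remove(findings):
    """Distinct executable paths behind the flagged entries (what a cleanup .bat would delete)."""
    return sorted({path for _, _, path, _ in findings})


def reg_deletions(findings):
    """Build .reg text that deletes the flagged Run values (what a cleanup .reg would merge).
    A line of the form "Name"=- under a key removes that value when the file is merged."""
    by_hive = defaultdict(list)
    for hive, name, _, _ in findings:
        if name not in by_hive[hive]:
            by_hive[hive].append(name)
    out = ["Windows Registry Editor Version 5.00", ""]
    for hive in ("HKLM", "HKCU"):
        if by_hive[hive]:
            out.append(f"[{RUN_KEYS[hive]}]")
            out.extend(f'"{name}"=-' for name in by_hive[hive])
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for hive, name, path, reason in found:
        print(f"{hive} [{name}] {path}: {reason}")
    print("\nFiles to delete once their processes are killed:")
    print("\n".join(files_to_remove(found)))
    print("\ncleanup.reg:")
    print(reg_deletions(found))
```

Running it over a real log pasted into SAMPLE_LOG gives a reviewer the same list The_Egg builds by hand, and the strict directory and name checks keep legitimate short names in Program Files (ATI, Synaptics, HP utilities) out of the result. The generated .reg only removes the named values; it never touches other entries under the Run keys.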


----------



## mzmaxey (Mar 21, 2004)

I was going to have my daughter download the new HijackThis and she can't get anything on the internet. Everything says page cannot be displayed.


HELP!!!


----------



## The_Egg (Sep 16, 2002)

Ok, we'll have to try to fix this the best we can based off the HJT v1.98.2 log.

Please could you post a new log here, just to make sure none of the filenames from the first log have morphed/changed.

In the meantime, I'll start preparing the fix...


----------



## mzmaxey (Mar 21, 2004)

She can't actually send the new log because she can't get onto the internet to email it to me. She is in MA and I'm in CA.


----------



## The_Egg (Sep 16, 2002)

Yeah, this was why I didn't want the computer to be shut down or rebooted, heh.

Ok, let's try to fix this the best we can, based off the original HJT 1.98.2 log

Is there any way you can possibly get any files sent to your daughter?

Can she use another computer to download them, and then transfer the files to her computer?

There's a few free tools we need to use, especially Adaware SE, and one zip file that I'm attaching here.
The zip file includes a .bat and .reg file inside.
The .reg file will remove/fix all the relevant bad registry entries
and the .bat file will delete all the relevant bad files.

I'm including the .reg and .bat files in an attachment here, just in case you find a way to somehow get the file to your daughter. If you do find a way, then this would be the preferable optimum solution to all the problems.

Download the *cleanup.zip* file in my attachment

Your daughter will need to unzip the cleanup.reg and cleanup.bat files from the cleanup.zip attachment and place them in a convenient place such as the My Documents folder.

I will include the full details and instructions below....

If the attachment can't be used, then I will need to type out the manual removal instructions.
This will include manually deleting lots of files
and manually editing some registry keys.
You will need to _walk_ your daughter through the exact steps to make sure she only modifies the specified registry keys/strings, and no others. I will do my best to type out the instructions as clearly as possible, so that they are easy enough to understand.

_____________________________________________

Firstly, you MUST get your daughter to unzip HijackThis.exe

Right click on the hijackthis.zip file, select "Extract All"
Then use the Extraction Wizard to extract HijackThis.exe to a permanent folder,
eg. C:\Program Files\HijackThis\HijackThis.exe

__________________________________________________

Open HJT

Close all other programs/windows (including: Messenger Plus, Windows Media Player, webshots, RealPlayer, Internet Explorer, and any windows explorer folders, etc)

In HJT, click "open the misc tools section"
Then click "open process manager"
(or from the Scan window, click "Config" button, then "Misc Tools", then "open process manager")

Highlight the following entry
and click "Kill process":
*C:\WINDOWS\Gtf.exe*

If that file (Gtf.exe) isn't listed, then look for a similarly named file.
It will be three letters long, and the first letter will be a capital.

If "C:\WINDOWS\System32\WINDLLSYS32.exe" is listed, then also Kill that process.

Next, click the "Back" button in the bottom right corner to return to the Scan screen.

Run the HJT Scan

These are the entries from the first log which need fixing with HJT

Place a checkmark next to the following entries ONLY, and click "Fix checked"

*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Mqs] C:\WINDOWS\Gtf.exe

O4 - HKLM\..\Run: [Tqu] C:\WINDOWS\System32\Qmr.exe

O4 - HKLM\..\Run: [Ugk] C:\WINDOWS\Ipt.exe

O4 - HKLM\..\Run: [Ehk] C:\WINDOWS\Fvi.exe

O4 - HKLM\..\Run: [Jvg] C:\WINDOWS\Aku.exe

O4 - HKLM\..\Run: [Nns] C:\WINDOWS\System32\Fnc.exe

O4 - HKLM\..\Run: [Omd] C:\WINDOWS\System32\Ffp.exe

O4 - HKLM\..\Run: [Cts] C:\WINDOWS\Mjf.exe

O4 - HKLM\..\Run: [Bka] C:\WINDOWS\Pue.exe

O4 - HKLM\..\Run: [Vak] C:\WINDOWS\Uoo.exe

O4 - HKLM\..\Run: [Cvn] C:\WINDOWS\Qjn.exe

O4 - HKLM\..\Run: [Kul] C:\WINDOWS\Qrs.exe

O4 - HKLM\..\Run: [Qkg] C:\WINDOWS\System32\Mrp.exe

O4 - HKLM\..\Run: [Pjo] C:\WINDOWS\System32\Tvp.exe

O4 - HKLM\..\Run: [Ksj] C:\WINDOWS\System32\Dcs.exe

O4 - HKLM\..\Run: [Pbp] C:\WINDOWS\Hht.exe

O4 - HKLM\..\Run: [Mdi] C:\WINDOWS\System32\Qic.exe

O4 - HKLM\..\Run: [Apk] C:\WINDOWS\System32\Cii.exe

O4 - HKLM\..\Run: [Smh] C:\WINDOWS\Vii.exe

O4 - HKLM\..\Run: [Ich] C:\WINDOWS\System32\Crh.exe

O4 - HKLM\..\Run: [Elu] C:\WINDOWS\Jhh.exe

O4 - HKLM\..\Run: [Blk] C:\WINDOWS\Muc.exe

O4 - HKLM\..\Run: [Gkj] C:\WINDOWS\Ori.exe

O4 - HKLM\..\Run: [Bld] C:\WINDOWS\System32\Cjt.exe

O4 - HKLM\..\Run: [Okd] C:\WINDOWS\System32\Qhc.exe

O4 - HKLM\..\Run: [Uag] C:\WINDOWS\Nfl.exe

O4 - HKLM\..\Run: [Jru] C:\WINDOWS\Eek.exe

O4 - HKLM\..\Run: [Jhl] C:\WINDOWS\Vbd.exe

O4 - HKLM\..\Run: [Gcr] C:\WINDOWS\System32\Bjg.exe

O4 - HKLM\..\Run: [Ibr] C:\WINDOWS\System32\Fdg.exe

O4 - HKLM\..\Run: [Dlj] C:\WINDOWS\Ltu.exe

O4 - HKLM\..\Run: [Aee] C:\WINDOWS\Ufb.exe

O4 - HKLM\..\Run: [Haa] C:\WINDOWS\System32\Gtd.exe

O4 - HKLM\..\Run: [Vml] C:\WINDOWS\Ijb.exe

O4 - HKLM\..\Run: [Dln] C:\WINDOWS\Bil.exe

O4 - HKLM\..\Run: [Hmh] C:\WINDOWS\Shk.exe

O4 - HKLM\..\Run: [Ort] C:\WINDOWS\System32\Uag.exe

O4 - HKLM\..\Run: [Fdd] C:\WINDOWS\System32\Mrn.exe

O4 - HKLM\..\Run: [Dnu] C:\WINDOWS\System32\Ofl.exe

O4 - HKLM\..\Run: [Ibt] C:\WINDOWS\Dgm.exe

O4 - HKLM\..\Run: [Opm] C:\WINDOWS\Hkg.exe

O4 - HKLM\..\Run: [Jok] C:\WINDOWS\System32\Tfq.exe

O4 - HKLM\..\Run: [Las] C:\WINDOWS\System32\Euc.exe

O4 - HKLM\..\Run: [Soe] C:\WINDOWS\Sfh.exe

O4 - HKLM\..\Run: [Big] C:\WINDOWS\Sgo.exe

O4 - HKLM\..\Run: [Tuh] C:\WINDOWS\Ilc.exe

O4 - HKLM\..\Run: [Hsa] C:\WINDOWS\System32\Kdd.exe

O4 - HKLM\..\Run: [Eii] C:\WINDOWS\System32\Efc.exe

O4 - HKLM\..\Run: [Hjj] C:\WINDOWS\System32\Bjv.exe

O4 - HKLM\..\Run: [Qdb] C:\WINDOWS\System32\Pqt.exe

O4 - HKLM\..\Run: [Gul] C:\WINDOWS\Gag.exe

O4 - HKLM\..\Run: [Vrq] C:\WINDOWS\System32\Cmr.exe

O4 - HKLM\..\Run: [Lvb] C:\WINDOWS\System32\Kur.exe

O4 - HKLM\..\Run: [Fnc] C:\WINDOWS\Vkr.exe

O4 - HKLM\..\Run: [Gnt] C:\WINDOWS\System32\Vis.exe

O4 - HKLM\..\Run: [Kfg] C:\WINDOWS\Qlo.exe

O4 - HKLM\..\Run: [Apb] C:\WINDOWS\System32\Aqt.exe

O4 - HKLM\..\Run: [Vas] C:\WINDOWS\System32\Voc.exe

O4 - HKLM\..\Run: [Qvu] C:\WINDOWS\Lst.exe

O4 - HKLM\..\Run: [Bkr] C:\WINDOWS\System32\Mji.exe

O4 - HKLM\..\Run: [Ulk] C:\WINDOWS\Fvv.exe

O4 - HKLM\..\Run: [Bdk] C:\WINDOWS\System32\Ofg.exe

O4 - HKLM\..\Run: [Lco] C:\WINDOWS\System32\Dmc.exe

O4 - HKLM\..\Run: [Vai] C:\WINDOWS\System32\Sjg.exe

O4 - HKLM\..\Run: [Nuq] C:\WINDOWS\Hgr.exe

O4 - HKLM\..\Run: [Tgl] C:\WINDOWS\System32\Fgh.exe

O4 - HKLM\..\Run: [Bst] C:\WINDOWS\System32\Dit.exe

O4 - HKLM\..\Run: [Rlp] C:\WINDOWS\Jke.exe

O4 - HKLM\..\Run: [Nie] C:\WINDOWS\Vld.exe

O4 - HKLM\..\Run: [Occ] C:\WINDOWS\Iip.exe

O4 - HKLM\..\Run: [Rgr] C:\WINDOWS\System32\Iji.exe

O4 - HKLM\..\Run: [Csg] C:\WINDOWS\System32\Uhg.exe

O4 - HKLM\..\Run: [Sno] C:\WINDOWS\Mjj.exe

O4 - HKLM\..\Run: [Cpd] C:\WINDOWS\System32\Mti.exe

O4 - HKLM\..\Run: [Pme] C:\WINDOWS\System32\Lcn.exe

O4 - HKLM\..\Run: [Csp] C:\WINDOWS\Fqa.exe

O4 - HKLM\..\Run: [Cqc] C:\WINDOWS\Gbu.exe

O4 - HKLM\..\Run: [Asm] C:\WINDOWS\System32\Qfp.exe

O4 - HKLM\..\Run: [Jqa] C:\WINDOWS\System32\Ijs.exe

O4 - HKLM\..\Run: [Jev] C:\WINDOWS\Glf.exe

O4 - HKLM\..\Run: [Oug] C:\WINDOWS\System32\Mrr.exe

O4 - HKLM\..\Run: [Gsj] C:\WINDOWS\Dua.exe

O4 - HKLM\..\Run: [Psm] C:\WINDOWS\System32\Tjc.exe

O4 - HKLM\..\Run: [Fgl] C:\WINDOWS\System32\Klm.exe

O4 - HKLM\..\Run: [Pgp] C:\WINDOWS\Rhk.exe

O4 - HKLM\..\Run: [Kph] C:\WINDOWS\Ptp.exe

O4 - HKLM\..\Run: [Fuo] C:\WINDOWS\System32\Ija.exe

O4 - HKLM\..\Run: [Bnl] C:\WINDOWS\System32\Cin.exe

O4 - HKLM\..\Run: [Fvt] C:\WINDOWS\System32\Vil.exe

O4 - HKLM\..\Run: [Sjf] C:\WINDOWS\System32\Lvr.exe

O4 - HKLM\..\Run: [Fvm] C:\WINDOWS\Fck.exe

O4 - HKLM\..\Run: [Iie] C:\WINDOWS\Opt.exe

O4 - HKLM\..\Run: [Pqb] C:\WINDOWS\Mup.exe

O4 - HKLM\..\Run: [Jra] C:\WINDOWS\System32\Dje.exe

O4 - HKLM\..\Run: [Unq] C:\WINDOWS\System32\Olg.exe

O4 - HKLM\..\Run: [Tec] C:\WINDOWS\System32\Trn.exe

O4 - HKLM\..\Run: [Cid] C:\WINDOWS\Jcg.exe

O4 - HKLM\..\Run: [Fdq] C:\WINDOWS\Tkd.exe

O4 - HKLM\..\Run: [Thm] C:\WINDOWS\System32\Mdn.exe

O4 - HKLM\..\Run: [Ehs] C:\WINDOWS\System32\Gdl.exe

O4 - HKLM\..\Run: [Jlu] C:\WINDOWS\Mcr.exe

O4 - HKLM\..\Run: [Ele] C:\WINDOWS\Dpq.exe

O4 - HKLM\..\Run: [Ndo] C:\WINDOWS\Kks.exe

O4 - HKLM\..\Run: [Afg] C:\WINDOWS\Vau.exe

O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [Mqs] C:\WINDOWS\Gtf.exe

O4 - HKCU\..\Run: [Tqu] C:\WINDOWS\System32\Qmr.exe

O4 - HKCU\..\Run: [Ugk] C:\WINDOWS\Ipt.exe

O4 - HKCU\..\Run: [Ehk] C:\WINDOWS\Fvi.exe

O4 - HKCU\..\Run: [Jvg] C:\WINDOWS\Aku.exe

O4 - HKCU\..\Run: [Nns] C:\WINDOWS\System32\Fnc.exe

O4 - HKCU\..\Run: [Omd] C:\WINDOWS\System32\Ffp.exe

O4 - HKCU\..\Run: [Cts] C:\WINDOWS\Mjf.exe

O4 - HKCU\..\Run: [Bka] C:\WINDOWS\Pue.exe

O4 - HKCU\..\Run: [Vak] C:\WINDOWS\Uoo.exe

O4 - HKCU\..\Run: [Cvn] C:\WINDOWS\Qjn.exe

O4 - HKCU\..\Run: [Kul] C:\WINDOWS\Qrs.exe

O4 - HKCU\..\Run: [Qkg] C:\WINDOWS\System32\Mrp.exe

O4 - HKCU\..\Run: [Pjo] C:\WINDOWS\System32\Tvp.exe

O4 - HKCU\..\Run: [Ksj] C:\WINDOWS\System32\Dcs.exe

O4 - HKCU\..\Run: [Pbp] C:\WINDOWS\Hht.exe

O4 - HKCU\..\Run: [Mdi] C:\WINDOWS\System32\Qic.exe

O4 - HKCU\..\Run: [Apk] C:\WINDOWS\System32\Cii.exe

O4 - HKCU\..\Run: [Smh] C:\WINDOWS\Vii.exe

O4 - HKCU\..\Run: [Ich] C:\WINDOWS\System32\Crh.exe

O4 - HKCU\..\Run: [Elu] C:\WINDOWS\Jhh.exe

O4 - HKCU\..\Run: [Blk] C:\WINDOWS\Muc.exe

O4 - HKCU\..\Run: [Gkj] C:\WINDOWS\Ori.exe

O4 - HKCU\..\Run: [Bld] C:\WINDOWS\System32\Cjt.exe

O4 - HKCU\..\Run: [Okd] C:\WINDOWS\System32\Qhc.exe

O4 - HKCU\..\Run: [Uag] C:\WINDOWS\Nfl.exe

O4 - HKCU\..\Run: [Jru] C:\WINDOWS\Eek.exe

O4 - HKCU\..\Run: [Cvh] C:\WINDOWS\Acb.exe

O4 - HKCU\..\Run: [Dbr] C:\WINDOWS\System32\Sin.exe

O4 - HKCU\..\Run: [Jhl] C:\WINDOWS\Vbd.exe

O4 - HKCU\..\Run: [Gcr] C:\WINDOWS\System32\Bjg.exe

O4 - HKCU\..\Run: [Ibr] C:\WINDOWS\System32\Fdg.exe

O4 - HKCU\..\Run: [Dlj] C:\WINDOWS\Ltu.exe

O4 - HKCU\..\Run: [Aee] C:\WINDOWS\Ufb.exe

O4 - HKCU\..\Run: [Haa] C:\WINDOWS\System32\Gtd.exe

O4 - HKCU\..\Run: [Vml] C:\WINDOWS\Ijb.exe

O4 - HKCU\..\Run: [Dln] C:\WINDOWS\Bil.exe

O4 - HKCU\..\Run: [Hmh] C:\WINDOWS\Shk.exe

O4 - HKCU\..\Run: [Ort] C:\WINDOWS\System32\Uag.exe

O4 - HKCU\..\Run: [Fdd] C:\WINDOWS\System32\Mrn.exe

O4 - HKCU\..\Run: [Pej] C:\WINDOWS\Lth.exe

O4 - HKCU\..\Run: [Pfp] C:\WINDOWS\System32\Rns.exe

O4 - HKCU\..\Run: [Dnu] C:\WINDOWS\System32\Ofl.exe

O4 - HKCU\..\Run: [Ibt] C:\WINDOWS\Dgm.exe

O4 - HKCU\..\Run: [Eol] C:\WINDOWS\System32\Cui.exe

O4 - HKCU\..\Run: [Opm] C:\WINDOWS\Hkg.exe

O4 - HKCU\..\Run: [Jok] C:\WINDOWS\System32\Tfq.exe

O4 - HKCU\..\Run: [Las] C:\WINDOWS\System32\Euc.exe

O4 - HKCU\..\Run: [Soe] C:\WINDOWS\Sfh.exe

O4 - HKCU\..\Run: [Big] C:\WINDOWS\Sgo.exe

O4 - HKCU\..\Run: [Tuh] C:\WINDOWS\Ilc.exe

O4 - HKCU\..\Run: [Hsa] C:\WINDOWS\System32\Kdd.exe

O4 - HKCU\..\Run: [Eii] C:\WINDOWS\System32\Efc.exe

O4 - HKCU\..\Run: [Hjj] C:\WINDOWS\System32\Bjv.exe

O4 - HKCU\..\Run: [Qdb] C:\WINDOWS\System32\Pqt.exe

O4 - HKCU\..\Run: [Gul] C:\WINDOWS\Gag.exe

O4 - HKCU\..\Run: [Vrq] C:\WINDOWS\System32\Cmr.exe

O4 - HKCU\..\Run: [Lvb] C:\WINDOWS\System32\Kur.exe

O4 - HKCU\..\Run: [Fnc] C:\WINDOWS\Vkr.exe

O4 - HKCU\..\Run: [Gnt] C:\WINDOWS\System32\Vis.exe

O4 - HKCU\..\Run: [Kfg] C:\WINDOWS\Qlo.exe

O4 - HKCU\..\Run: [Apb] C:\WINDOWS\System32\Aqt.exe

O4 - HKCU\..\Run: [Vas] C:\WINDOWS\System32\Voc.exe

O4 - HKCU\..\Run: [Gbd] C:\WINDOWS\Nnm.exe

O4 - HKCU\..\Run: [Qvu] C:\WINDOWS\Lst.exe

O4 - HKCU\..\Run: [Bkr] C:\WINDOWS\System32\Mji.exe

O4 - HKCU\..\Run: [Ulk] C:\WINDOWS\Fvv.exe

O4 - HKCU\..\Run: [Bdk] C:\WINDOWS\System32\Ofg.exe

O4 - HKCU\..\Run: [Lco] C:\WINDOWS\System32\Dmc.exe

O4 - HKCU\..\Run: [Vai] C:\WINDOWS\System32\Sjg.exe

O4 - HKCU\..\Run: [Nuq] C:\WINDOWS\Hgr.exe

O4 - HKCU\..\Run: [Tgl] C:\WINDOWS\System32\Fgh.exe

O4 - HKCU\..\Run: [Bst] C:\WINDOWS\System32\Dit.exe

O4 - HKCU\..\Run: [Rlp] C:\WINDOWS\Jke.exe

O4 - HKCU\..\Run: [Nie] C:\WINDOWS\Vld.exe

O4 - HKCU\..\Run: [Occ] C:\WINDOWS\Iip.exe

O4 - HKCU\..\Run: [Rgr] C:\WINDOWS\System32\Iji.exe

O4 - HKCU\..\Run: [Csg] C:\WINDOWS\System32\Uhg.exe

O4 - HKCU\..\Run: [Sno] C:\WINDOWS\Mjj.exe

O4 - HKCU\..\Run: [Cpd] C:\WINDOWS\System32\Mti.exe

O4 - HKCU\..\Run: [Pme] C:\WINDOWS\System32\Lcn.exe

O4 - HKCU\..\Run: [Csp] C:\WINDOWS\Fqa.exe

O4 - HKCU\..\Run: [Cqc] C:\WINDOWS\Gbu.exe

O4 - HKCU\..\Run: [Asm] C:\WINDOWS\System32\Qfp.exe

O4 - HKCU\..\Run: [Jqa] C:\WINDOWS\System32\Ijs.exe

O4 - HKCU\..\Run: [Jev] C:\WINDOWS\Glf.exe

O4 - HKCU\..\Run: [Oug] C:\WINDOWS\System32\Mrr.exe

O4 - HKCU\..\Run: [Gsj] C:\WINDOWS\Dua.exe

O4 - HKCU\..\Run: [Psm] C:\WINDOWS\System32\Tjc.exe

O4 - HKCU\..\Run: [Fgl] C:\WINDOWS\System32\Klm.exe

O4 - HKCU\..\Run: [Pgp] C:\WINDOWS\Rhk.exe

O4 - HKCU\..\Run: [Kph] C:\WINDOWS\Ptp.exe

O4 - HKCU\..\Run: [Fuo] C:\WINDOWS\System32\Ija.exe

O4 - HKCU\..\Run: [Bnl] C:\WINDOWS\System32\Cin.exe

O4 - HKCU\..\Run: [Fvt] C:\WINDOWS\System32\Vil.exe

O4 - HKCU\..\Run: [Sjf] C:\WINDOWS\System32\Lvr.exe

O4 - HKCU\..\Run: [Fvm] C:\WINDOWS\Fck.exe

O4 - HKCU\..\Run: [Iie] C:\WINDOWS\Opt.exe

O4 - HKCU\..\Run: [Pqb] C:\WINDOWS\Mup.exe

O4 - HKCU\..\Run: [Jra] C:\WINDOWS\System32\Dje.exe

O4 - HKCU\..\Run: [Unq] C:\WINDOWS\System32\Olg.exe

O4 - HKCU\..\Run: [Tec] C:\WINDOWS\System32\Trn.exe

O4 - HKCU\..\Run: [Cid] C:\WINDOWS\Jcg.exe

O4 - HKCU\..\Run: [Fdq] C:\WINDOWS\Tkd.exe

O4 - HKCU\..\Run: [Thm] C:\WINDOWS\System32\Mdn.exe

O4 - HKCU\..\Run: [Ehs] C:\WINDOWS\System32\Gdl.exe

O4 - HKCU\..\Run: [Jlu] C:\WINDOWS\Mcr.exe

O4 - HKCU\..\Run: [Ele] C:\WINDOWS\Dpq.exe

O4 - HKCU\..\Run: [Ndo] C:\WINDOWS\Kks.exe

O4 - HKCU\..\Run: [Afg] C:\WINDOWS\Vau.exe

O9 - Extra button: Advisor - {126D9184-71E9-42D0-9DE5-DEA8508E6ABF} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)

O9 - Extra button: Corel Network monitor worker - {2651BE4A-733C-4829-B5DC-FD4DCA12635B} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {2651BE4A-733C-4829-B5DC-FD4DCA12635B} - (no file) (HKCU)

__________________________________________________________

The easiest method to convey this to your daughter would be to tell her to place a checkmark next to all of the O4 - Run entries with filenames that are 3 letters long.

Other than all those 3 letter filename entries, the only other entries which need checkmarking and fixing are:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
(hopefully Ares has already been uninstalled, as recommended in my first reply)

O9 - Extra button: Advisor - {126D9184-71E9-42D0-9DE5-DEA8508E6ABF} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)

O9 - Extra button: Corel Network monitor worker - {2651BE4A-733C-4829-B5DC-FD4DCA12635B} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {2651BE4A-733C-4829-B5DC-FD4DCA12635B} - (no file) (HKCU)

Also, if there are ANY entries in the current log that were not in the original log, then fix those as well.

The only exception here is if there are any O10 entries, e.g.
O10 - Hijacked Internet access by...
O10 - Unknown file in Winsock LSP
O10 - Broken Internet access because of LSP provider...

Please let me know if there are ANY O10 entries.
These cannot be fixed by HJT
and will require one of LSPFix or WinsockXPFix to fix them.

_____________________________________________________

Now go to:

Start > Control Panel > Display

Click the "Desktop" tab

Click the "Customize Desktop" button

Click the "Web" tab

Uncheck and Delete all "Web pages" entries in here.

Note: Windows will not let you delete the "My Current Home Page" default entry, but make sure it's not checkmarked.

Click "OK"

Back in Display > Desktop tab . . .
Now select the desired background wallpaper from the list
Click "Apply", then click "OK" to close the Display Properties.

_____________________________________________________

Go to: Control Panel > Internet Options
General tab > Temporary Internet Files > Delete Files:
Checkmark "Delete all offline content"
Click OK

Go to the "Programs" tab, then click the "Reset Web Settings" button.
Click Apply.
Note: You then might need to reset your desired home page c/o General tab

Go to the "Security" tab
Click on "Internet Zone" and then click "Default Level"

Click Apply, then click OK to close Internet Options.

Go to: Control Panel > Folder Options > View tab:
Checkmark "show hidden files"
Uncheck "hide extensions for known file types"
Uncheck "Hide protected operating system files"
OK everything and close Folder Options

_____________________________________________________

Now would be the time to run the *cleanup.reg* file from my attachment.

Simply double click it to merge it with the registry.
Click Yes/OK to accept the merge.

_____________________________________________________

If the .reg file cannot be used, then you will need to manually edit the specified keys/strings.

Start > Run
Type: regedit
Hit Enter

I'm not going to include all of the keys from the .reg file in this list, because some of them require an experienced, qualified technician to be done correctly (this is because the data values are hexadecimal/binary values, not ASCII text).

Removing these two strings will fix the problem of there being no right click context menus:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoViewContextMenu=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoViewContextMenu=-

Basically, you would navigate to the "Explorer" key in the left pane, by expanding "HKEY_CURRENT_USER", then expanding "Software", etc etc, until you reach the "Explorer" sub-key.

Single left click on the "Explorer" sub-key in the left pane
Now in the right pane, if there's a string "NoViewContextMenu", right click it and select "delete".

Repeat this same action for the same string under HKEY_LOCAL_MACHINE\.....\Policies\Explorer

The following sub-key needs deleting:

HKEY_CURRENT_USER\Software\*SystemPref*

Navigate to the "SystemPref" sub-key in the left pane, right click it and select "delete".
Do NOT delete any other sub-keys under "HKEY_CURRENT_USER\Software"

Other strings which need editing in the right pane are:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell folders]
"Desktop"="C:\Documents and Settings\user1\Desktop"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\Documents and Settings\user1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
"OriginalWallpaper"="C:\Documents and Settings\user1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

To edit those strings, navigate to the specified sub-key in the left pane, then right click the specified string in the right pane and select "Modify", and then type in the specified data.

e.g. using the above as an example...

Navigate to the "HKEY_CURRENT_USER\Software\.........\Explorer\Shell folders" sub-key
Right click "Desktop" in the right pane,
select "Modify"
Type in: C:\Documents and Settings\user1\Desktop

(without the quotes)

Alas, the rest of the registry fixes can only be applied by using my .reg file

Note: "user1" corresponds with the name of your daughter's user profile folder.
For other people viewing this thread, if you need to apply the same fixes, then you will need to replace all instances of "user1" with the name of your user profile folder. The .reg file in the attachment can be similarly viewed and edited in Notepad (this will be required for anyone else wishing to use the attached .reg file)

_____________________________________________________

The following steps need to be done in Safe Mode

How to boot into Safe Mode | 2

_____________________________________________________

Open the My Documents folder

Double click the *cleanup.bat* file from my attachment.

A command prompt will open and start deleting all the bad files.
If at any point you receive a prompt,
Type: Y
and/or hit Enter
Otherwise, the command prompt will do its thing and then auto exit.

_____________________________________________________

If the .bat file cannot be used....

Open "My Computer" folder and locate and delete the following files:

C:\WINDOWS\Acb.exe
C:\WINDOWS\Aku.exe
C:\WINDOWS\Bil.exe
C:\WINDOWS\Dgm.exe
C:\WINDOWS\Dpq.exe
C:\WINDOWS\Dua.exe
C:\WINDOWS\Eek.exe
C:\WINDOWS\Fck.exe
C:\WINDOWS\Fqa.exe
C:\WINDOWS\Fvi.exe
C:\WINDOWS\Fvv.exe
C:\WINDOWS\Gag.exe
C:\WINDOWS\Gbu.exe
C:\WINDOWS\Glf.exe
C:\WINDOWS\Gtf.exe
C:\WINDOWS\Hgr.exe
C:\WINDOWS\Hht.exe
C:\WINDOWS\Hkg.exe
C:\WINDOWS\Iip.exe
C:\WINDOWS\Ijb.exe
C:\WINDOWS\Ilc.exe
C:\WINDOWS\Ipt.exe
C:\WINDOWS\Jcg.exe
C:\WINDOWS\Jhh.exe
C:\WINDOWS\Jke.exe
C:\WINDOWS\Kks.exe
C:\WINDOWS\Lst.exe
C:\WINDOWS\Ltu.exe
C:\WINDOWS\Mcr.exe
C:\WINDOWS\Mjf.exe
C:\WINDOWS\Mjj.exe
C:\WINDOWS\Muc.exe
C:\WINDOWS\Mup.exe
C:\WINDOWS\Nfl.exe
C:\WINDOWS\Nnm.exe
C:\WINDOWS\Opt.exe
C:\WINDOWS\Ori.exe
C:\WINDOWS\Ptp.exe
C:\WINDOWS\Pue.exe
C:\WINDOWS\Qjn.exe
C:\WINDOWS\Qlo.exe
C:\WINDOWS\Qrs.exe
C:\WINDOWS\Rhk.exe
C:\WINDOWS\Sfh.exe
C:\WINDOWS\Sgo.exe
C:\WINDOWS\Shk.exe
C:\WINDOWS\Tkd.exe
C:\WINDOWS\Ufb.exe
C:\WINDOWS\Uoo.exe
C:\WINDOWS\Vau.exe
C:\WINDOWS\Vbd.exe
C:\WINDOWS\Vii.exe
C:\WINDOWS\Vkr.exe
C:\WINDOWS\Vld.exe
C:\WINDOWS\System32\Aqt.exe
C:\WINDOWS\System32\Bjg.exe
C:\WINDOWS\System32\Bjv.exe
C:\WINDOWS\System32\Cii.exe
C:\WINDOWS\System32\Cin.exe
C:\WINDOWS\System32\Cjt.exe
C:\WINDOWS\System32\Cmr.exe
C:\WINDOWS\System32\Crh.exe
C:\WINDOWS\System32\Cui.exe
C:\WINDOWS\System32\Dcs.exe
C:\WINDOWS\System32\Dit.exe
C:\WINDOWS\System32\Dje.exe
C:\WINDOWS\System32\Dmc.exe
C:\WINDOWS\System32\Efc.exe
C:\WINDOWS\System32\Euc.exe
C:\WINDOWS\System32\Fdg.exe
C:\WINDOWS\System32\Ffp.exe
C:\WINDOWS\System32\Fgh.exe
C:\WINDOWS\System32\Fnc.exe
C:\WINDOWS\System32\Gdl.exe
C:\WINDOWS\System32\Gtd.exe
C:\WINDOWS\System32\Ija.exe
C:\WINDOWS\System32\Iji.exe
C:\WINDOWS\System32\Ijs.exe
C:\WINDOWS\System32\Kdd.exe
C:\WINDOWS\System32\Klm.exe
C:\WINDOWS\System32\Kur.exe
C:\WINDOWS\System32\Lvr.exe
C:\WINDOWS\System32\Mdn.exe
C:\WINDOWS\System32\Mrn.exe
C:\WINDOWS\System32\Mrp.exe
C:\WINDOWS\System32\Mti.exe
C:\WINDOWS\System32\Ofg.exe
C:\WINDOWS\System32\Olg.exe
C:\WINDOWS\System32\Pqt.exe
C:\WINDOWS\System32\Qfp.exe
C:\WINDOWS\System32\Qhc.exe
C:\WINDOWS\System32\Qic.exe
C:\WINDOWS\System32\Qmr.exe
C:\WINDOWS\System32\Rns.exe
C:\WINDOWS\System32\Sin.exe
C:\WINDOWS\System32\Sjg.exe
C:\WINDOWS\System32\Tfq.exe
C:\WINDOWS\System32\Tjc.exe
C:\WINDOWS\System32\Trn.exe
C:\WINDOWS\System32\Tvp.exe
C:\WINDOWS\System32\Uag.exe
C:\WINDOWS\System32\Uhg.exe
C:\WINDOWS\System32\Vil.exe
C:\WINDOWS\System32\Vis.exe
C:\WINDOWS\System32\Voc.exe
C:\WINDOWS\System32\WINDLLSYS32.exe

Note: The .bat file in my attachment would automatically delete all those files.

If the .bat file cannot be used, then to manually delete those files (note how I've sorted them alphabetically), the best way would be to first go to the "C:\Windows" folder, click the "View" menu and select "Arrange Icons By > Type". All the .exe files will now be grouped together. Then highlight the first file in the list (Acb.exe), and then hold down the Ctrl key and single left click all the other files specified in the above list until they are all highlighted (ending with Vld.exe).
Then hit "Delete".
You will be prompted if you want to delete all the specified files. Click "Yes to All".
Repeat for the files in the "C:\Windows\System32" folder (starting with Aqt.exe and ending with Voc.exe).
WINDLLSYS32.exe should be deleted immediately!

Note: many EXE files in the Windows and Windows\System32 folders are essential operating system files and must NOT be deleted, so be very careful to only delete the specified files in my list.

The following files may or may not exist.
If they are present, then they also need to be deleted:

C:\Windows\system.exe
C:\Windows\desktop.exe
C:\Windows\seksdialer.exe
C:\Windows\mstask2.exe
C:\Windows\mstask1.exe
C:\Windows\mstask3.exe
C:\Windows\mstask4.exe
C:\Windows\secure.html 
C:\Windows\Web\desktop.html
C:\Windows\System32\system32.dll
C:\Windows\System32\secure32.txt

____________________________________________________

Again, the following steps only need to be done if you cannot use the .bat file.
The .bat file will also delete all Temp files (except for one or two which can't be deleted because they are currently in use).

Empty all files in your Temp folder
Go to: Start > Run
Type: %temp%
Hit Enter
Edit menu > select all > delete

(Note: Windows won't let you delete any files that are in use, but delete all others)

Go to: C:\Windows\Temp
Delete all files
(keep the Cookies, History, Temporary Internet Files subfolders)

If it exists, do the same for "C:\Temp" (delete all files within)

____________________________________________________

Reboot into Normal Mode

Let us know how it goes...

Good luck 

____________________________________________________


----------
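A small triage script for the kind of HijackThis log posted in this thread, added here as an example; it is not the helper's tool and not part of HijackThis. It applies the three rules from the reply above: flag O4 Run entries whose executable name is three letters, flag any entry that was not in the original log, and single out O10 lines as ones HJT must not fix. The sample log lines are constructed from entries quoted in the thread; the O10 line and the "original" log are made up for the demonstration.

```python
import re
from typing import List, NamedTuple

# HJT startup line: O4 - HKLM\..\Run: [Name] C:\path\file.exe args
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.+)$')
ENTRY_RE = re.compile(r'^[RO]\d+ - ')  # any R0/R1/R3/O2/O4/O9/O10 entry line

class Finding(NamedTuple):
    line: str
    reason: str

def exe_stem(cmd: str) -> str:
    """Bare executable name without directory or extension (quoted or bare path)."""
    cmd = cmd.strip()
    path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def triage(current_log: str, original_log: str = "") -> List[Finding]:
    """Apply the thread's three rules to a log and return the lines to act on."""
    original = {l.strip() for l in original_log.splitlines() if l.strip()}
    findings: List[Finding] = []
    for raw in current_log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O10 - "):
            # Winsock LSP entries: HJT must not fix these (LSPFix / WinsockXPFix).
            findings.append(Finding(line, "O10 Winsock LSP entry, do not fix with HJT"))
            continue
        m = O4_RE.match(line)
        stem = exe_stem(m["cmd"]) if m else ""
        if len(stem) == 3 and stem.isalpha():
            # Three random letters in C:\WINDOWS or System32: the dropped files.
            findings.append(Finding(line, "O4 Run entry with 3-letter random filename"))
        elif original and ENTRY_RE.match(line) and line not in original:
            # Anything new since the first log is also to be fixed.
            findings.append(Finding(line, "entry not present in original log"))
    return findings

# Constructed sample: lines copied from the log in this thread plus one
# constructed O10 line, so that all three rules fire.
CURRENT_LOG = r"""
O4 - HKLM\..\Run: [Pqb] C:\WINDOWS\Mup.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Tqu] C:\WINDOWS\System32\Qmr.exe
O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
O10 - Unknown file in Winsock LSP
"""
# Constructed "original" log: only the first two entries were present before.
ORIGINAL_LOG = r"""
O4 - HKLM\..\Run: [Pqb] C:\WINDOWS\Mup.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
"""
```

Legitimate programs with three-letter executable names would also be flagged, so the output is a checklist for a human to confirm, exactly as the helper does by hand above.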

