My Hijackthis Log

Hi VirusGirl

You certainly do have some problems there.

Please do an on-line virus scan here http://www.pandasoft...com/activescan/ Make sure that Repair/fix and heuristics are checked. Let it fix everything it can. Reboot if required.

Download and install The Cleaner from http://www.moosoft.com/ Install the program and update as instructed on the website. Let it fix everything it finds. Reboot if required.

You are running a version of Windows XP that is not updated to SP1a so you have a lot of security patches missing. Some of the hijacking and virus/trojan problems you have are preventing you from downloading from the Windows updates site. Even though the Microsoft site is blocked by the hijacker you can download the service pack from here.

http://www.softwarep...s/winxpsp1.html

If you are on dialup it's a long download - about 90 minutes. Do not try to install SP2 while you have such a high load of malware - there will be difficulties with the installation which can include not being able to startup Windows.

The Microsoft update site is listed in your log - you may need to let us know what happened when you tried to update before.

If you can't do the download straight away post a new HijackThis log so I can see what we've managed to deal with so far with the online virus scan and the trojan hunting program.

ok thanks! but b4 i download anything i have a quick question. i prefer mozilla forefox over inter exlporer.. but whenever i try to do a scan of some sort on mozilla... it always says that " ActiveScan requires the browser Microsoft
Internet Explorer 4.0 or later version"... ?? how can i fix this problem?

Hi VirusGirl123

To run the virus scan you need to use Internet Explorer the scanner only works with that browser

Please follow ilago post thank you.

kc

ok.. now im having another problem ! when i go onto internet exlporer and on2 http://www.pandasoft...com/activescan/.. i press on the virus scan icon.. and it donst do anything! i tried to refresh it and stuff but it still dosnt work.. ??? any ideas?

Please run a free online virus [url=http://housecall.antivirus.com/]scan here[/url (tick the "Auto Clean" checkbox):

And a free trojan [url=http://www.moosoft.com/]scan here:[url]

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and we'll remove what's left.

kc

okay.. here is my new HIJACKTHIS log after my virus scans(dosnt look ne bettter) .... wat can i delete now?

Logfile of HijackThis v1.99.0
Scan saved at 3:14:08 PM, on 1/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avginet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [REGRUNM] C:\autoprotect.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [tqozx] C:\WINDOWS\System32\eudstxizlv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\hpiezyjj.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [tqozx] C:\WINDOWS\System32\eudstxizlv.exe
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106368663968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61D52F7D-7627-473A-B577-A1C7F816D1B6}: NameServer = 205.152.144.235 205.152.37.254
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

anyone have any suggestions?

Hi virusgirl

You've made quite a lot of improvements so we only have the final sorting out to do.

I'm working on that log - I'll post an answer as soon as I can. You haven't been forgotten - It just gets a bit busy sometimes

okay then!

r u ready yet.. .. not to rush u... lol

Hi virusgirl

Please disable System Restore by right-clicking the My Computer icon on the desktop > go to Properties and then the System Restore tab. Put a tick in the box "Turn off System Restore on all drives" Apply. OK.

You may need to print this out or copy and paste into a Notepad file so you can keep track of the deletions when you are working in Safe Mode and not connected to the internet.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Check if these processes are in the list - they may not be there but we need to check. If they are in the list click them in the list - then click on "Kill Process". You need to do them one at a time. Read the name very carefully as there may be some names that are similar but that are genuine files.

autoprotect.exe
navprotect.exe
BackWeb-137903.exe
ALCXMNTR.EXE
spoolvse.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and all instant messaging - Yahoo messenger, AIM, MSN messenger, ICQ and anything else that is not essential and click on Fix checked.

Please note that several of these entries are in the log more than once. Make sure you have checked each instance.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [REGRUNM] C:\autoprotect.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [tqozx] C:\WINDOWS\System32\eudstxizlv.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\hpiezyjj.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [tqozx] C:\WINDOWS\System32\eudstxizlv.exe
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe (file missing)

Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up - after the beep. When the Windows XP Safe Mode menu comes up - Choose Safe Mode. You don't need any networking.

Open Control Panel and go to Add/Remove Programs. See if WildTangent is listed. If it isn't listed - close the windows. If it is - click on Remove. Let it uninstall. Close Add/Remove. Close Control Panel.

Open Windows Explorer and go to > Tools> Folder Options> View, select:*Show hidden files and folders
*Display the contents of system folders
Uncheck:*Hide protected operating system files
Set search options
Next go to Search > All files and folders > More advanced options and click.

Be sure the first three boxes are selected:*Search System folders
*Search Hidden Files and folders
*Search SubFolders
Delete all the files and folders noted in bold below. Some may not be there, but use the search function in Windows Explorer to make sure.

C:\autoprotect.exe delete this file
C:\Program Files\ WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain -delete the entire WildTangent folder
C:\WINDOWS\System32\eudstxizlv.exe - delete this file
C:\WINDOWS\System32\hpiezyjj.exe delete this file


You will need to use Windows Explorer search for these. Copy and paste each name into the "All or Any part of the file name" box. In the "Look in" box Select "Local Hard Drives" from the drop-down list.

Delete each instance of these files found by search in the right hand pane. These deletions are very important:

spoolvse.exe
ALCXMNTR.EXE
navprotect.exe
p6.exe

Reboot into normal mode.

Do another on-line virus scan to make sure there are no loose ends - reboot if required. Let us know what the scan found, if anything.

Do another scan with The Cleaner and reboot if required. Let us know what the scan found, if anything.

Then do another HijackThis log and post it so it can be checked.

okay! awesome.. here is my new hijackthis log!

Logfile of HijackThis v1.99.0
Scan saved at 10:17:52 AM, on 1/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Windows AdStatus\WinStat.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106368663968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61D52F7D-7627-473A-B577-A1C7F816D1B6}: NameServer = 205.152.144.235 205.152.37.254
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

Hi virusgirl

Considering where we started - you've done a very good job

There's a few more things to do - but you also have a couple of new entries in the log. So I'm going to make some prevention suggestions first. I normally recommend the prevention when the fix is complete but as you have a couple of new entries I would like you to follow this now.
Keep using Mozilla or Firefox except for sites that can only use Internet Explorer

Download and install SpywareBlaster - to block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html
When it is installed - open the program and click on enable all protection. Close the window. This will work passively so it won't affect operation.

Download and install IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. The site has a lot of information about spyware and prevention as well. The download file is way down the page so you need to scroll a long way down to find it.
https://netfiles.uiu...ww/resource.htm

It will open a command line screen to install so it doesn't have interference from Windows. You will need to read the screen menu and install all the protection. It's not hard to follow - just a bit unusual if you aren't used to the black command line screen.

Please download and install Adaware SE Personal from here: http://www.geekstogo...n=download&id=5

Open Adaware and update immediately.

Then make these changes to the settings to enable some specific scanning operations - if any are greyed out - don't worry about them.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings Page. Make sure all of the following are On with a "green" checkmark:

Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File

Then click on the "Tweak" Button to open up the tweak settings.
Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:
Scan registry for all users instead of current user only
Make sure the following is unchecked with a "red" X:
Unload recognized processes & modules during scan.
Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:
Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings.

Click the "Next" button to start the scan.

When a scan is completed the Performing System Scan screen will change name to "Scan Complete".

Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.

Click the Critical Objects Tab.
To fix all the bad critical objects do the following:

Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries.

When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

Reboot when the scan is complete even if Adaware does not ask you to.


Once again you might like to print this bit out - or copy and paste it into Notepad.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Check for these processes in the list, select them and click on "Kill Process" the way you did before. They may not all still be there after the Adaware scan but look carefully. Read the name very carefully as there may be some names that are similar but that are genuine files.

winstat.exe
kodorjan.exe
server.exe
WinStatKeep.exe
WinStat.exe
zeta.exe
p6.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and all instant messaging - Yahoo messenger, MSN messenger, AIM, ICQ and anything else that is not essential and click on Fix checked.

O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up - after the beep. When the Windows XP Safe Mode menu comes up - Choose Safe Mode. You don't need any networking.

Please use the Windows Explorer Search function as described in the posts before this one for the files - just in case they are in more than one location. Copy and paste each name into the "All or Any part of the file name" box. In the "Look in" box Select "Local Hard Drives" from the drop-down list.

kodorjan.exe - file only
navprotect.exe - file only
p6.exe - file only
server.exe - file only
C:\WINDOWS\zeta.exe - file only
C:\WINDOWS\system32\ msbe.dll file only

Find these folders and delete the entire folder in both cases

C:\Program Files\ Windows AdStatus\WinStat.exe
C:\Program Files\ SEARCH~1\SEARCH~1.DLL - the name is not complete but will start with SEARCH.....

Navigate to C:\Windows\Prefetch folder - delete all the files in it except layout.ini.

Navigate to C:\Documents and Settings\<yourusername>\Local Settings\Temp
Delete all the files in the folder including the subfolders
The Temporary internet files are in the next folder. Delete all the files in that folder and subfolders except desktop.ini and index.dat if they are there. Don't delete the sub-folders, just delete the files in them. You may lose some saved passwords, but they should all be changed anyway because you have had such a lot of spyware removed.


For some further prevention:

SpywareGuard http://www.javacools...sgdownload.html - gives real time monitoring of common spyware changes. This will notify you of anything that is trying to make changes to your system. So you will need to read the notifications carefully just as you need to do with a firewall.

Windows XP built-in firewall is possibly not adequate in this situation as it doesn't monitor outgoing internet traffic. There are some free firewalls available that monitor incoming and outgoing traffic. You need to have this traffic controlled.

Zone Alarm Free Firewall - Zone Alarm is widely used easy to configure and there is a lot of information available to help you. You need to read each alert carefully. Google for the names if you are in doubt. You can click Allow only once to find out if it safe to let something have access.

http://www.Zonelabs.com/

Turn off Windows Firewall after you've install the firewall you like. These are another two you might like to look at.

Sygate Firewall Free version
http://www.smb.sygat...fp_standard.htm
Tiny personal firewall http://www.tinysoftware.com/

You still have two antivirus programs loaded. Decide which one you want to keep. I would suggest if your subscription on Norton's is still current that you keep that one and uninstall AVG through Control Panel > Add/Remove programs. I suspect they are conflicting as Norton would have picked up one of the new infections if it was up to date and working properly. If you are keeping Nortons you may need to uninstall and reinstall it. Some of the really bad stuff you had may have damaged either or both of the antivirus programs.

Sort out the Antivirus problem and update the one you decide to keep. Do a full scan with that. then do another with The Cleaner.

Don't download and install anything other than the items I've listed in this post.

Then do a new HijackThis log for us to have a look at.

Windows XP built-in firewall is possibly not adequate in this situation as it doesn't monitor outgoing internet traffic. There are some free firewalls available that monitor incoming and outgoing traffic. You need to have this traffic controlled.

Zone Alarm Free Firewall - Zone Alarm is widely used easy to configure and there is a lot of information available to help you.
http://www.Zonelabs.com/

Sygate Firewall Free version
http://www.smb.sygat...fp_standard.htm
Tiny personal firewall http://www.tinysoftware.com/

SpywareGuard http://www.javacools...sgdownload.html - gives real time monitoring of common spyware changes. This will notify you of anything that is trying to make changes to your system. You will need to carefully read each alert screen to make sure that you don't permit something to happen that you don't want. By watching and reading the alerts from a firewall and Spywareguard you will learn a lot about what is happening on your system.

I think we've nearly got there

Please let me know if this is Windows XP Home or Pro and if there is more than one user. You may need to change some Windows settings also to give you additional protection.

im sorry i havnt written in a LONG time. LOL. but i got grounded from my computer and i still am... but i will soon b able to fix it... Ill write back when im "un-grounded" LOL