Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Derbiz[RESOLVED]

Started by acox , Apr 29 2005 06:26 AM

  • This topic is locked This topic is locked

#1
acox
Posted 29 April 2005 - 06:26 AM

acox

    Member

  • Member
  • PipPip
  • 15 posts
I have run Ad-aware, spybot, Windows CleanUp!, Windows AntiSpyware and still can't get rid of it! Here is my current Hijack This Log.

Logfile of HijackThis v1.99.1
Scan saved at 12:49:26, on 29/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\svchst.exe
C:\WINDOWS\clfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qgb9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qgb9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qgb9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qgb9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ffujrvecsjr] C:\WINDOWS\System32\flgxspqr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [clfmon] C:\WINDOWS\clfmon.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejei32.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
O4 - HKLM\..\RunServices: [sex service] winsysengine.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/...ne/ringtone.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe


I am having to use a different computer to write this as Derbiz keeps on disconnecting my connection on my other computer!

Thanks for your help

Andrew Cox
  • 0

Advertisements

#2
Metallica
Posted 29 April 2005 - 06:38 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\Run: [ffujrvecsjr] C:\WINDOWS\System32\flgxspqr.exe

O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [clfmon] C:\WINDOWS\clfmon.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejei32.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
O4 - HKLM\..\RunServices: [sex service] winsysengine.exe

Reboot into safe mode and delete:
C:\WINDOWS\svchst.exe
C:\WINDOWS\clfmon.exe
C:\windows\system32\elitejei32.exe
C:\WINDOWS\System32\uk_nm.exe
C:\WINDOWS\System32\flgxspqr.exe

Run a virus scan. For example use ActiveScan - Save the results from the scan!

Regards,
  • 0

#3
acox
Posted 30 April 2005 - 06:44 AM

acox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks I've donw that. I used Avast! antivirus as that is what I have installed and updated. Here is the log:

*
* avast! Report
* This file is generated automatically
*
* Task 'Simple user interface' used
* Started on Saturday, April 30, 2005 12:38:38 PM
* VPS: 0517-6, 30/04/2005
*

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdmilliService.zip\ide21201.vxd [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdmilliService.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdmilliService1.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdmilliService1.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BlazeFindBrowserhelper.zip\2_0_1browserhelper2.dll [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BlazeFindBrowserhelper.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BlazeFindBrowserhelper1.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BlazeFindBrowserhelper1.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz.zip\multimpp.inf [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz1.zip\preInMPP.exe [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz1.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz2.zip\multimpp.cab [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz2.zip\multimpp.dll [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz2.zip\multimpp.inf [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz2.zip\preInMPP.exe [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz2.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz3.zip\localNrd.cab [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz3.zip\localNRD.dll [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz3.zip\localNrd.inf [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz3.zip\polall1l.exe [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz3.zip\preInsln.exe [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz3.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz4.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz4.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz5.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz5.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz6.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CallingHomebiz6.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Catal.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Catal.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Catal1.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Catal1.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Comload.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Comload.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoulombLtdContentAccessPlugin.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoulombLtdContentAccessPlugin.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoulombLtdContentAccessPlugin1.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoulombLtdContentAccessPlugin1.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\EffectiveBandToolbar.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\EffectiveBandToolbar.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy1.zip\bbchk.exe [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy1.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy2.zip\exdl.exe [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy2.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy3.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy3.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy4.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy4.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy5.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy5.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy6.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy6.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy7.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy7.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy8.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy8.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets1.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets1.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets2.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets2.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets3.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets3.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets4.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets4.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets5.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaTickets5.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebRebatesTopRebates.zip\jkill.exe [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebRebatesTopRebates.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindUpdates.zip\sbRecovery.reg [E] Archive is password protected. (42056)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindUpdates.zip\sbRecovery.ini [E] Archive is password protected. (42056)
C:\Documents and Settings\Owner\My Documents\My Pictures\VN750\NIS_Retail.EXE.xds\NAV\External\NORTON\CfgWiz.exe [E] RAR archive is corrupted. (42126)
C:\Program Files\Java\j2re1.4.1_02\lib\charsets.jar\META-INF\services\java.nio.charset.spi.CharsetProvider [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\charsets.jar\META-INF\MANIFEST.MF [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\charsets.jar\sun\io\ByteToCharBig5.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\charsets.jar\sun\io\ByteToCharBig5_HKSCS.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\charsets.jar\sun\io\ByteToCharBig5_Solaris.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\charsets.jar\sun\io\ByteToCharCp037.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\charsets.jar\sun\io\ByteToCharCp1006.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\charsets.jar\sun\io\ByteToCharCp1025.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\charsets.jar\sun\io\ByteToCharCp1026.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\charsets.jar\sun\io\ByteToCharCp1046.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\charsets.jar\sun\io\ByteToCharCp1097.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\ext\localedata.jar\META-INF\MANIFEST.MF [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\ext\localedata.jar\sun\text\resources\thai_dict [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\ext\localedata.jar\sun\text\resources\BreakIteratorRules_th.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\ext\localedata.jar\sun\text\resources\DateFormatZoneData_ar.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\ext\localedata.jar\sun\text\resources\DateFormatZoneData_be.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\ext\localedata.jar\sun\text\resources\DateFormatZoneData_bg.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\ext\localedata.jar\sun\text\resources\DateFormatZoneData_ca.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\ext\localedata.jar\sun\text\resources\DateFormatZoneData_cs.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\ext\localedata.jar\sun\text\resources\DateFormatZoneData_da.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\ext\localedata.jar\sun\text\resources\DateFormatZoneData_de.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\ext\localedata.jar\sun\text\resources\DateFormatZoneData_de_AT.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jaws.jar\META-INF\MANIFEST.MF [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jaws.jar\sun\plugin\usability\about.gif [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jaws.jar\sun\plugin\usability\cup1.gif [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jaws.jar\sun\plugin\usability\graybox_broken.gif [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jaws.jar\sun\plugin\resources\ControlPanelHelp.html [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jaws.jar\sun\plugin\resources\ControlPanelHelp_de.html [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jaws.jar\sun\plugin\resources\ControlPanelHelp_es.html [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jaws.jar\sun\plugin\resources\ControlPanelHelp_fr.html [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jaws.jar\sun\plugin\resources\ControlPanelHelp_it.html [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jaws.jar\sun\plugin\resources\ControlPanelHelp_ja.html [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jaws.jar\sun\plugin\resources\ControlPanelHelp_ko.html [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jsse.jar\META-INF\MANIFEST.MF [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jsse.jar\COM\rsa\Intel\SunJSSE_cp.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jsse.jar\COM\rsa\Intel\SunJSSE_d5.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jsse.jar\COM\rsa\Intel\SunJSSE_e7.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jsse.jar\COM\rsa\asn1\SunJSSE_b0.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jsse.jar\COM\rsa\asn1\SunJSSE_b1.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jsse.jar\COM\rsa\asn1\SunJSSE_b2.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jsse.jar\COM\rsa\asn1\SunJSSE_b3.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jsse.jar\COM\rsa\asn1\SunJSSE_b4.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jsse.jar\COM\rsa\asn1\SunJSSE_b5.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\jsse.jar\COM\rsa\asn1\SunJSSE_bw.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\rt.jar\META-INF\services\javax.sound.sampled.spi.AudioFileReader [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\rt.jar\META-INF\services\javax.sound.sampled.spi.AudioFileWriter [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\rt.jar\META-INF\services\javax.sound.sampled.spi.FormatConversionProvider [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\rt.jar\META-INF\MANIFEST.MF [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\rt.jar\META-INF\services\javax.sound.midi.spi.MidiDeviceProvider [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\rt.jar\META-INF\services\javax.sound.midi.spi.MidiFileReader [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\rt.jar\META-INF\services\javax.sound.midi.spi.MidiFileWriter [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\rt.jar\META-INF\services\javax.sound.sampled.spi.MixerProvider [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\rt.jar\META-INF\services\javax.print.PrintServiceLookup [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\rt.jar\META-INF\services\javax.sound.midi.spi.SoundbankReader [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java\j2re1.4.1_02\lib\rt.jar\META-INF\services\javax.print.StreamPrintServiceFactory [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java Web Start\javaws.jar\META-INF\MANIFEST.MF [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java Web Start\javaws.jar\javax\jnlp\BasicService.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java Web Start\javaws.jar\javax\jnlp\ClipboardService.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java Web Start\javaws.jar\javax\jnlp\DownloadService.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java Web Start\javaws.jar\javax\jnlp\DownloadServiceListener.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java Web Start\javaws.jar\javax\jnlp\ExtensionInstallerService.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java Web Start\javaws.jar\javax\jnlp\FileContents.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java Web Start\javaws.jar\javax\jnlp\FileOpenService.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java Web Start\javaws.jar\javax\jnlp\FileSaveService.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java Web Start\javaws.jar\javax\jnlp\JNLPRandomAccessFile.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Java Web Start\javaws.jar\javax\jnlp\PersistenceService.class [E] ZIP archive is corrupted. (42125)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow2.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bck1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bck2.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt11.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt12.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt13.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt21.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt22.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt23.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt31.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt32.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt33.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt41.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt42.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt43.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt51.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt52.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt53.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt61.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt62.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox2.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox3.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox4.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\default.skn [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn2.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn3.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph2.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph3.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph4.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph5.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph6.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph7.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\main.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\preview.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\sprite1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\tab1.bmp [E] Archive is password protected. (42056)
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\tab2.bmp [E] Archive is password protected. (42056)
Infected files: 0
Total files: 202873
Total folders: 2705
Total size: 12.5 GB

*
* Task stopped: Saturday, April 30, 2005 1:05:51 PM
* Run-time was 27 minute(s), 13 second(s)
*


And the new Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 13:42:26, on 30/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Virus Removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qgb9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qgb9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qgb9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qgb9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/...ne/ringtone.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe



thanks you again for your excellent help!
  • 0

#4
Metallica
Posted 30 April 2005 - 08:14 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Good job. :tazz:

Please copy the part in bold below into notepad and save it as noASD.reg
Doubleclick the file and confirm you want to merge it with the registry.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableAutodial" = "0"

[-HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN]

Beware that the EnableAutodial might have had the value 1 before the infection.
If so you can enable it again in IE under Tools > Internet Options on the Connections tab.

Your log is clean. Please do have a look at my site about removing and preventing spyware.

Regards,
  • 0

#5
acox
Posted 30 April 2005 - 11:14 AM

acox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
thank you for youe help, it was superb. saved me. thank you again
  • 0

#6
Metallica
Posted 30 April 2005 - 11:18 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP