[daphne512]

everytime i run a virus scan it says there is an error during cleaning. can someone help me get this off my computer.

[Advertisements]

Hi daphne512 and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

Download and run the following HijackThis autoinstall program from Here . Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

• Run HijackThis
  
• Click SCAN and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')
  
• POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren

[Trevuren]

Hi daphne512 and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

Download and run the following HijackThis autoinstall program from Here . Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

• Run HijackThis
  
• Click SCAN and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')
  
• POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren

[daphne512]

Logfile of HijackThis v1.99.1
Scan saved at 5:04:25 PM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system32\ltbjeq.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.enterthesearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enterthesearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enterthesearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ltbjeq] c:\windows\system32\ltbjeq.exe ltbjeq
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130858492752
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[Trevuren]

Download Brute Force Uninstaller.
Unzip it to it’s own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU)

Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do it’s job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Reboot your system

Post a fresh HJT log


Regards,

Trevuren

[daphne512]

Logfile of HijackThis v1.99.1
Scan saved at 11:08:34 PM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.enterthesearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enterthesearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enterthesearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130858492752
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[Trevuren]

A. Please update your Ewido definitions and run the program. Keep the log

B. Please post the Ewido log with a fresh HJT log and please tell me if you are still getting NaviPromo problems.


Regards,

Trevuren

[daphne512]

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:38:21 AM, 3/25/2006
+ Report-Checksum: 4536757

+ Scan result:

[928] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[952] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[996] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1008] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1160] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1220] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Cleaned with backup
[1312] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1352] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1464] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1704] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1780] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1808] VM_01411000 -> Adware.NaviPromo : Error during cleaning
[1896] VM_00931000 -> Adware.NaviPromo : Error during cleaning
[192] VM_00F01000 -> Adware.NaviPromo : Error during cleaning
[492] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[528] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[572] VM_00F71000 -> Adware.NaviPromo : Error during cleaning
[592] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[620] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[796] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[832] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[932] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1192] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[2480] VM_00CD1000 -> Adware.NaviPromo : Error during cleaning
[2492] VM_01C81000 -> Adware.NaviPromo : Error during cleaning
[2496] VM_00B21000 -> Adware.NaviPromo : Error during cleaning
[2524] VM_02AD1000 -> Adware.NaviPromo : Error during cleaning
[2568] VM_00E61000 -> Adware.NaviPromo : Error during cleaning
[2664] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[2676] VM_00D41000 -> Adware.NaviPromo : Error during cleaning
[4008] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1720] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[2088] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[3504] VM_10001000 -> Adware.NaviPromo : Error during cleaning


::Report End

[Trevuren]

A. Please disable Symantec Script Blocking Service bydoing as follows:

• Go to Start > Run and type in Services.msc then click OK
  
• Click the Extended tab.
  
• Scroll down until you find the service.
  Symantec Script Blocking Service
  
• Click once on the service to highlight it.
  
• Click Stop
  
• Right-Click on the service.
  
• Click on 'Properties'
  
• Select the 'General' tab
  
• Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  
• From the drop-down menu, click on 'Disabled'
  
• Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.



B. Now rerun the Brute Force Uninstaller as previously described.


C. After rebooting, please rerun Ewido and post the results as well as a fresh HJT log.

Regards,

Trevuren

[daphne512]

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:03:28 PM, 3/26/2006
+ Report-Checksum: 1C104681

+ Scan result:

[688] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[996] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1056] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1068] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1220] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1284] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Cleaned with backup
[1392] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1548] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1708] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[2008] VM_00ED1000 -> Adware.NaviPromo : Error during cleaning
[160] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[212] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[444] VM_00D91000 -> Adware.NaviPromo : Error during cleaning
[596] VM_00EC1000 -> Adware.NaviPromo : Error during cleaning
[920] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[384] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1168] VM_00F71000 -> Adware.NaviPromo : Error during cleaning
[1336] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1424] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1604] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1704] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1760] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1892] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[2672] VM_00CE1000 -> Adware.NaviPromo : Error during cleaning
[2680] VM_00B21000 -> Adware.NaviPromo : Error during cleaning
[2716] VM_03251000 -> Adware.NaviPromo : Error during cleaning
[2844] VM_00C01000 -> Adware.NaviPromo : Error during cleaning
[3048] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[3900] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[2816] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[116] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[2180] VM_10001000 -> Adware.NaviPromo : Error during cleaning
C:\Documents and Settings\Karalyn\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\[email protected][1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Karalyn\Cookies\karalyn@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 10:14:29 AM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.enterthesearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enterthesearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enterthesearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130858492752
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[Trevuren]

This should all be done in one sitting:

A. Disable a2 Guard. It is also interfering with our fix. If you can't disable it, uninstall the program. But you should be able to disable it from within the program.


B.

• Please RUN HijackThis.
  . Click the SCAN button to produce a log.
  
  
• Place a check mark beside each one of the following items:
  
  
  R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.enterthesearch.com/sp2.php
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enterthesearch.com/sp2.php
  
  
• Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

C. Run Brute Force Uninstaller

D. Reboot your system.


E. Please download WebRoot SpySweeper from HERE (It's a 14-day trial):

• Click Download Now to download the program.
• Install it. Once the program is installed, it will open.
• It will prompt you to update to the latest definitions, click Yes.
• Once the definitions are installed, click Options on the left side.
• Click the Sweep Options tab.
• Under What to Sweep please put a check next to the following:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
• Click Sweep Now on the left side.
• Click the Start button.
• When it's done scanning, click the Next button.
• Make sure everything has a check next to it, then click the Next button.
• It will remove all of the items found.
• Click Session Log in the upper right corner, copy everything in that window.
• Click the Summary tab and click Finish.
• Paste the contents of the session log you copied into your next reply along with a fresh HJT log.

E. Please rerun Ewido and paste the rsults.


Regards,

Trevuren

[daphne512]

11:15 AM: | Start of Session, Monday, March 27, 2006 |
11:15 AM: Spy Sweeper started
11:15 AM: Sweep initiated using definitions version 642
11:15 AM: Starting Memory Sweep
12:21 PM: Memory Sweep Complete, Elapsed Time: 01:06:24
12:21 PM: Starting Registry Sweep
12:23 PM: Found Adware: elitebar
12:23 PM: HKLM\software\microsoft\windows\currentversion\internet settings\user agent\post platform\ || iebar (ID = 125752)
12:24 PM: Found Adware: screensavers
12:24 PM: HKLM\software\screensavers.com\ (14 subtraces) (ID = 140569)
12:25 PM: Found Adware: weirdontheweb
12:25 PM: HKCR\amnotifier.hubawindow\ (5 subtraces) (ID = 866632)
12:25 PM: HKCR\amnotifier.hubawindow.1\ (3 subtraces) (ID = 866638)
12:25 PM: Found Adware: mediapipe
12:25 PM: HKCR\downloadmanager.manager\ (5 subtraces) (ID = 866642)
12:25 PM: HKCR\downloadmanager.manager.1\ (3 subtraces) (ID = 866648)
12:25 PM: HKCR\mpagent.agent\ (5 subtraces) (ID = 866662)
12:25 PM: HKCR\mpagent.agent.1\ (3 subtraces) (ID = 866668)
12:25 PM: Found Trojan Horse: p2pnetwork
12:25 PM: HKCR\sp2p.sp2p\ (5 subtraces) (ID = 866672)
12:25 PM: HKCR\sp2p.sp2p.1\ (3 subtraces) (ID = 866678)
12:25 PM: HKCR\appid\amnotifier.exe\ (1 subtraces) (ID = 866682)
12:25 PM: HKCR\appid\downloadmanager.exe\ (1 subtraces) (ID = 866684)
12:25 PM: HKCR\appid\mpagent.dll\ (1 subtraces) (ID = 866688)
12:25 PM: HKCR\appid\sp2p.exe\ (1 subtraces) (ID = 866690)
12:25 PM: HKCR\appid\trayicon.exe\ (1 subtraces) (ID = 866692)
12:25 PM: HKCR\appid\{4c0b0548-ae0b-4008-999d-db33b8b2eb90}\ (1 subtraces) (ID = 866694)
12:25 PM: HKCR\appid\{626873ac-27f3-4d48-be81-535cf2360071}\ (1 subtraces) (ID = 866696)
12:25 PM: HKCR\appid\{7911272a-a32a-404e-8a51-ee18b99b18c4}\ (1 subtraces) (ID = 866698)
12:25 PM: HKCR\appid\{99c4f93d-42a7-478d-8746-4afb6c10bc26}\ (1 subtraces) (ID = 866702)
12:25 PM: HKCR\appid\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (1 subtraces) (ID = 866704)
12:25 PM: HKCR\clsid\{1e9adaf2-4eda-4074-96ce-c9972e675c88}\ (11 subtraces) (ID = 866706)
12:25 PM: HKCR\clsid\{7bf58804-e672-4b96-8eec-bfcce6492c9a}\ (11 subtraces) (ID = 866735)
12:25 PM: HKCR\clsid\{b3e19860-0cd5-4991-a066-4fca2704de59}\ (12 subtraces) (ID = 866747)
12:25 PM: HKCR\clsid\{dfe95408-fd86-4818-a30a-bc859d9658e1}\ (11 subtraces) (ID = 866769)
12:25 PM: HKCR\typelib\{555fb512-9f3b-4359-9d2a-3c10e750ce5e}\ (9 subtraces) (ID = 866796)
12:25 PM: HKCR\typelib\{97d860c4-f072-477b-b241-409f7cffb954}\ (9 subtraces) (ID = 866806)
12:25 PM: HKCR\typelib\{ab3b59a5-8bb4-46ab-a878-dfdb237d5bd5}\ (9 subtraces) (ID = 866816)
12:25 PM: HKCR\typelib\{afdbb222-dea9-4c12-b3a3-a13c2985e3ee}\ (9 subtraces) (ID = 866826)
12:25 PM: HKCR\typelib\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (9 subtraces) (ID = 866836)
12:25 PM: HKLM\software\mediapipe\ (16 subtraces) (ID = 866893)
12:25 PM: HKLM\software\classes\amnotifier.hubawindow\ (5 subtraces) (ID = 866911)
12:25 PM: HKLM\software\classes\amnotifier.hubawindow.1\ (3 subtraces) (ID = 866917)
12:25 PM: HKLM\software\classes\amnotifier.hubawindow.1\clsid\ (1 subtraces) (ID = 866919)
12:25 PM: HKLM\software\classes\downloadmanager.manager\ (5 subtraces) (ID = 866921)
12:25 PM: HKLM\software\classes\downloadmanager.manager.1\ (3 subtraces) (ID = 866927)
12:25 PM: HKLM\software\classes\mpagent.agent\ (5 subtraces) (ID = 866941)
12:25 PM: HKLM\software\classes\mpagent.agent.1\ (3 subtraces) (ID = 866947)
12:25 PM: HKLM\software\classes\sp2p.sp2p\ (5 subtraces) (ID = 866951)
12:25 PM: HKLM\software\classes\appid\amnotifier.exe\ (1 subtraces) (ID = 866961)
12:25 PM: HKLM\software\classes\appid\downloadmanager.exe\ (1 subtraces) (ID = 866963)
12:25 PM: HKLM\software\classes\appid\mpagent.dll\ (1 subtraces) (ID = 866967)
12:25 PM: HKLM\software\classes\appid\sp2p.exe\ (1 subtraces) (ID = 866969)
12:25 PM: HKLM\software\classes\appid\trayicon.exe\ (1 subtraces) (ID = 866971)
12:25 PM: HKLM\software\classes\appid\{4c0b0548-ae0b-4008-999d-db33b8b2eb90}\ (1 subtraces) (ID = 866973)
12:25 PM: HKLM\software\classes\appid\{7911272a-a32a-404e-8a51-ee18b99b18c4}\ (1 subtraces) (ID = 866977)
12:25 PM: HKLM\software\classes\appid\{99c4f93d-42a7-478d-8746-4afb6c10bc26}\ (1 subtraces) (ID = 866981)
12:25 PM: HKLM\software\classes\appid\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (1 subtraces) (ID = 866983)
12:25 PM: HKLM\software\classes\clsid\{1e9adaf2-4eda-4074-96ce-c9972e675c88}\ (11 subtraces) (ID = 866985)
12:25 PM: HKLM\software\classes\clsid\{7bf58804-e672-4b96-8eec-bfcce6492c9a}\ (11 subtraces) (ID = 867014)
12:25 PM: HKLM\software\classes\clsid\{b3e19860-0cd5-4991-a066-4fca2704de59}\ (12 subtraces) (ID = 867026)
12:25 PM: HKLM\software\classes\clsid\{dfe95408-fd86-4818-a30a-bc859d9658e1}\ (11 subtraces) (ID = 867048)
12:25 PM: HKLM\software\classes\typelib\{555fb512-9f3b-4359-9d2a-3c10e750ce5e}\ (9 subtraces) (ID = 867075)
12:25 PM: HKLM\software\classes\typelib\{97d860c4-f072-477b-b241-409f7cffb954}\ (9 subtraces) (ID = 867085)
12:25 PM: HKLM\software\classes\typelib\{ab3b59a5-8bb4-46ab-a878-dfdb237d5bd5}\ (9 subtraces) (ID = 867095)
12:25 PM: HKLM\software\classes\typelib\{afdbb222-dea9-4c12-b3a3-a13c2985e3ee}\ (9 subtraces) (ID = 867105)
12:25 PM: HKLM\software\classes\typelib\{ccebbeb5-d011-41b5-9f92-01f88a38dc0d}\ (9 subtraces) (ID = 867115)
12:25 PM: HKLM\software\microsoft\windows\currentversion\uninstall\p2pnetworks\ (2 subtraces) (ID = 867156)
12:25 PM: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\ || c:\program files\p2pnetworks\p2pnetworks.exe (ID = 871570)
12:25 PM: HKLM\software\altpayv2\ (23 subtraces) (ID = 1028092)
12:25 PM: HKLM\software\microsoft\windows\currentversion\uninstall\altpayv2\ (2 subtraces) (ID = 1028102)
12:25 PM: Found Adware: winad
12:25 PM: HKCR\appid\activex.dll\ || appid (ID = 1049592)
12:25 PM: HKLM\software\classes\appid\activex.dll\ || appid (ID = 1049594)
12:27 PM: Found Adware: one2one viewer
12:27 PM: HKU\S-1-5-21-861567501-839522115-1343024091-1004\software\livesvc\ (ID = 136368)
12:28 PM: Registry Sweep Complete, Elapsed Time:00:06:58
12:29 PM: Starting Cookie Sweep
12:29 PM: Found Spy Cookie: webtrendslive cookie
12:29 PM: [email protected][1].txt (ID = 3667)
12:29 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
12:29 PM: Starting File Sweep
12:32 PM: c:\program files\p2pnetworks (8 subtraces) (ID = -2147470119)
12:32 PM: c:\my accessmedia (1 subtraces) (ID = -2147469182)
12:32 PM: c:\program files\altpayv2 (ID = -2147463258)
12:35 PM: uninst.exe (ID = 162703)
3:14 PM: Found Adware: kewlbar
3:14 PM: swcsetup.exe (ID = 65037)
3:41 PM: swcsetup[1].exe (ID = 65037)
4:02 PM: p2pnetworks.exe (ID = 162702)
4:02 PM: alconfig.xml (ID = 163204)
4:02 PM: sp2p.cache (ID = 163206)
4:18 PM: Found Adware: netpal
4:18 PM: gamehouse games.url (ID = 70891)
4:18 PM: big fish games.url (ID = 70885)
4:18 PM: flyordie games.url (ID = 70890)
4:26 PM: Warning: Unhandled Archive Type
4:27 PM: Warning: Unhandled Archive Type
4:30 PM: File Sweep Complete, Elapsed Time: 04:00:36
4:30 PM: Full Sweep has completed. Elapsed time 05:14:45
4:30 PM: Traces Found: 403
5:06 PM: Removal process initiated
5:06 PM: Quarantining All Traces: elitebar
5:06 PM: Quarantining All Traces: p2pnetwork
5:06 PM: Quarantining All Traces: winad
5:06 PM: Quarantining All Traces: kewlbar
5:07 PM: Quarantining All Traces: mediapipe
5:07 PM: Quarantining All Traces: netpal
5:07 PM: Quarantining All Traces: one2one viewer
5:07 PM: Quarantining All Traces: screensavers
5:07 PM: Quarantining All Traces: weirdontheweb
5:07 PM: Quarantining All Traces: webtrendslive cookie
5:07 PM: Removal process completed. Elapsed time 00:01:26
9:33 PM: The Spy Communication shield has blocked access to: security-updater.com
9:33 PM: The Spy Communication shield has blocked access to: security-updater.com
9:34 PM: The Spy Communication shield has blocked access to: security-updater.com
9:34 PM: The Spy Communication shield has blocked access to: security-updater.com
********




Logfile of HijackThis v1.99.1
Scan saved at 9:53:55 PM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130858492752
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:57:36 PM, 3/27/2006
+ Report-Checksum: DA66B206

+ Scan result:

[664] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[952] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[996] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1008] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1164] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1220] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Cleaned with backup
[1340] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1428] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1540] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1724] VM_01301000 -> Adware.NaviPromo : Error during cleaning
[1784] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1800] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1912] VM_00931000 -> Adware.NaviPromo : Error during cleaning
[176] VM_00F51000 -> Adware.NaviPromo : Error during cleaning
[516] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[552] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[724] VM_00F71000 -> Adware.NaviPromo : Error during cleaning
[744] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[768] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[928] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1280] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1476] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1524] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1120] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1552] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[2204] VM_01A41000 -> Adware.NaviPromo : Error during cleaning
[2220] VM_00E51000 -> Adware.NaviPromo : Error during cleaning
[2232] VM_00DA1000 -> Adware.NaviPromo : Error during cleaning
[2288] VM_00CE1000 -> Adware.NaviPromo : Error during cleaning
[2372] VM_00BE1000 -> Adware.NaviPromo : Error during cleaning
[3620] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[3160] VM_10001000 -> Adware.NaviPromo : Error during cleaning


::Report End

[Trevuren]

Download and Save Blacklight to your desktop:

• Double-click blbeta.exe
• Accept the agreement and click NEXT.
• In the following window, click SCAN

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Do not proceed with step #2 or choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"


Trevuren

[daphne512]

03/27/06 22:37:45 [Info]: BlackLight Engine 1.0.33 initialized
03/27/06 22:37:45 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/27/06 22:38:03 [Note]: 7019 4
03/27/06 22:38:03 [Note]: 7005 0
03/27/06 22:38:47 [Note]: 7006 0
03/27/06 22:38:48 [Note]: 7011 1724
03/27/06 22:38:58 [Note]: 7024 3
03/27/06 22:38:58 [Info]: Hidden process: C:\windows\system32\ltbjeq.exe
03/27/06 22:39:04 [Note]: FSRAW library version 1.7.1015
03/27/06 22:48:37 [Info]: Hidden file: C:\WINDOWS\system32\__delete_on_reboot__msclock32.dll
03/27/06 22:48:37 [Note]: 10002 1
03/27/06 22:48:51 [Info]: Hidden file: C:\WINDOWS\system32\ltbjeq.dat
03/27/06 22:48:51 [Note]: 10002 1
03/27/06 22:48:54 [Info]: Hidden file: C:\windows\system32\ltbjeq.exe
03/27/06 22:48:56 [Note]: 10002 1
03/27/06 22:48:58 [Info]: Hidden file: C:\WINDOWS\system32\ltbjeq_nav.dat
03/27/06 22:48:58 [Note]: 10002 1
03/27/06 22:49:01 [Info]: Hidden file: C:\WINDOWS\system32\ltbjeq_navps.dat
03/27/06 22:49:01 [Note]: 10002 1

[Trevuren]

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


A.

• Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
  • Download Ad-Aware SE Personal 1.06:
    • Download Ad-Aware SE Personal 1.05.
    • Save aawsepersonal.exe to a convenient location.
  • Install Ad-Aware SE Personal 1.06:
    • Double-click on aawsepersonal.exe to install the program.
    • Follow the default settings for installation.
    • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  • Update Ad-Aware SE Personal 1.06:
    • Double-click the Ad-Aware SE Personal icon on your desktop.
    • Click "Check for updates now" then click "Connect".
    • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
  • Configure Ad-Aware SE Personal 1.06:
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
    • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    • "Automatically save logfile"
    • "Automatically quarantine objects prior to removal"
    • "Safe Mode (always request confirmation)"
    • "Prompt to update outdated definitions" - change to 7 days from the default 14.
• Click "Scanning" on the left hand side to display the Scan Settings box.
  • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
  • "Scan within archives"
  • "Select drives & folders to scan" - select your hard drive(s).
  • "Scan active processes"
  • "Scan registry"
  • "Deep-scan registry"
  • "Scan my IE favorites for banned URLs"
  • "Scan my Hosts file"
• Click "Advanced" on the left hand side to display the Advanced Settings box.
  • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
  • "Move deleted files to Recycle Bin"
  • "Include additional object information"
  • "Include negligible objects information"
  • "Include environment information"
• Click "Defaults" on the left hand side to display the Default Settings box.
  • Make sure these items have your preferred settings in them.:
  • "Default homepage"
  • "Default searchpage"
• Click "Tweak" on the left hand side to display the Tweak Settings box.
  • Click the + (plus) sign next to the Log Files section. This will expand the section.
  • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    • "Include basic Ad-Aware settings in log file"
    • "Include additional Ad-Aware settings in log file"
    • "Include reference summary in log file"
    • "Include alternate data stream details in log file"
  • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
  • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    • "Unload recognized processes & modules during scan"
    • "Scan registry for all users instead of current user only"
    • "Obtain command line of scanned processes"
  • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
  • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    • "Always try to unload modules before deletion"
    • "During removal, unload Explorer and IE if necessary"
    • "Let Windows remove files in use at next reboot"
    • "Delete quarantined objects after restoring"
• Once you are done with these settings, click "Proceed" to save them.
• This will take you back to the main screen.

DO NOT RUN THE PROGRAM YET


B. Please download the Killbox by Option^Explicit.

Note:In the event you already have Killbox, this is a new version that I need you to download.

• Save it to your desktop.
• Please double-click Killbox.exe to run it.
• Select
  • "Delete on Reboot
  • Then click on the "All Files" button if there are more than 1 file to delete.
• Please copy the file path(s) below to the clipboard by highlighting ALL of them and pressing CTRL + C
  
  C:\windows\system32\ltbjeq.exe
  C:\WINDOWS\system32\__delete_on_reboot__msclock32.dll
  C:\windows\systwm\32\msclock32.dll
  C:\WINDOWS\system32\ltbjeq.dat
  C:\windows\system32\ltbjeq.exe
  C:\WINDOWS\system32\ltbjeq_nav.dat
  C:\WINDOWS\system32\ltbjeq_navps.dat
  
  
  
• Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
• Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually making sure that you reboot into Safe Mode.


How to use the F8 method to Start Your Computer in Safe Mode*Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.

C. Run Ad-Aware SE Personal 1.06:

• Click the "Start" button.
• Uncheck the "Search for negligible risk entries" entry.
• Choose the "Use custom scanning options" scan mode.
• Click the "Next" button.
• Ad-Aware will begin to scan for malware residing on your computer.
• Allow the scan to finish.
• Right-click on any entry in the list and click "Select All" to select the whole list.
• Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

[/list]
D. Now, while still in Safe Mode, run Ewido again and keep the log

E. Now, please Reboot back into Normal Windows Mode

F. Please now post a fresh HJT log as well as the Ewido text.


Regards,

Trevuren

[daphne512]

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:54:39 PM, 3/28/2006
+ Report-Checksum: 62F54AA3

+ Scan result:

No infected objects found.


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 7:11:28 PM, on 3/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ltbjeq] c:\windows\system32\ltbjeq.exe ltbjeq
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130858492752
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe