15 replies to this topic

[Mr.3000]

Hi eveyone, how are ya'll? I won't waste my time on greeting so I will get rite to the point.

I have a problem with IEXPLORER.EXE/iexplorer.EXE running in the background, when I try to close it in the task manager, it would just start rite back up generating another one leaving me with two of them..sometimes it would generate two rite after I close one, but it has never generated more than 2 (so in the end, I would usually have 3 of them running).

I have had this problem for a while now and it is bothering me; It usually hogs my memory causing my PC to slow down and my CPU to work overtime for no reason at all. I have tried everything from defragmenting to spyware scanning/ virus scanning. I have the microsoft anti spyware, spybot search and destroy, and adware SE personal. I run all 3 of them almost everyday and they still can't catch anything, I run Norton Antivirus 2003 pro. at the end of every week and it didn't find anything unusual, so basically, I'm lost.

Here is my task manager showing the running processes and as you can all see there are two IEXPLORER.EXE's running and no matter how much I try to close them they just keep opening NOTE: that the mem usage is low at that time, as I am not running anything else but my music, but if I were to run another program like norton anit virus, Core photo paint 11, or a game then the mem usage will climb from 50,000k-250,000k causing my programs/games/PC to slowdown and/or crash



Bolow is my Log from hijack this

Logfile of HijackThis v1.99.1
Scan saved at 12:45:59 AM, on 9/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\PrivacyExpert\Shield.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
D:\D-Tools\daemon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
D:\Norton Anti Virus\navapsvc.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.766\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.adiadorld.../JVIsUtSU/.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://umuiusqzuvjkv...5jQ0ewpPiU.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton Anti Virus\NavShExt.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton Anti Virus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpyWare Shield] "C:\Program Files\Acronis\PrivacyExpert\Shield.exe"
O4 - HKLM\..\Run: [option send slow axis] C:\Documents and Settings\All Users\Application Data\Inside Hide Option Send\oozenew.exe
O4 - HKLM\..\Run: [Acronis Popup Blocker] RunDll32.exe C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll,Run
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Advanced Tools Check] D:\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [baseaxis] C:\DOCUME~1\Owner\APPLIC~1\CLOSEB~1\SiteReadme.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...earch.html?p=ZS
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunboun...Crypt/npkcx.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Norton Anti Virus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
O23 - Service: Process Activity Monitor (paamsrv) - Unknown owner - C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)



Ad ware Log
Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, September 04, 2005 12:24:19 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R64 31.08.2005
???????????????????????????????????????????????????

References detected during the scan:
???????????????????????????????????????
Alexa(TAC index:5):1 total references
Lop(TAC index:7):5 total references
SahAgent(TAC index:9):4 total references
Softomate Toolbar(TAC index:9):1 total references
Startnow.Hyperbar(TAC index:8):23 total references
Tracking Cookie(TAC index:3):4 total references
Windows(TAC index:3):1 total references
???????????????????????????????????????

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


9-4-2005 12:24:19 AM - Scan started. (Full System Scan)

Listing running processes
??????????????????????????????????????

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 520
ThreadCreationTime : 9-3-2005 2:09:46 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 576
ThreadCreationTime : 9-3-2005 2:09:47 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 604
ThreadCreationTime : 9-3-2005 2:09:51 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 648
ThreadCreationTime : 9-3-2005 2:09:51 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 660
ThreadCreationTime : 9-3-2005 2:09:51 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 820
ThreadCreationTime : 9-3-2005 2:09:52 PM
BasePriority : Normal
FileVersion : 6.14.10.4116
ProductVersion : 6.14.10.4116
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright ? 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 836
ThreadCreationTime : 9-3-2005 2:09:52 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 896
ThreadCreationTime : 9-3-2005 2:09:52 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 964
ThreadCreationTime : 9-3-2005 2:09:52 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [stylexpservice.exe]
FilePath : C:\Program Files\TGTSoft\StyleXP\
ProcessID : 988
ThreadCreationTime : 9-3-2005 2:09:52 PM
BasePriority : Normal
FileVersion : 0, 20, 0, 3000
ProductVersion : 0, 20, 0, 3000
ProductName : StyleXPService Module
FileDescription : StyleXPService Module
InternalName : StyleXPService
LegalCopyright : Copyright 2001
OriginalFilename : StyleXPService.EXE

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1060
ThreadCreationTime : 9-3-2005 2:09:53 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1120
ThreadCreationTime : 9-3-2005 2:09:53 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1300
ThreadCreationTime : 9-3-2005 2:09:53 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:14 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1724
ThreadCreationTime : 9-3-2005 2:09:59 PM
BasePriority : Normal
FileVersion : 6.14.10.4116
ProductVersion : 6.14.10.4116
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright ? 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1812
ThreadCreationTime : 9-3-2005 2:09:59 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:16 [shield.exe]
FilePath : C:\Program Files\Acronis\PrivacyExpert\
ProcessID : 1900
ThreadCreationTime : 9-3-2005 2:10:00 PM
BasePriority : Normal
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : Acronis Spyware Shield
CompanyName : Acronis
FileDescription : Acronis Spyware Shield
InternalName : shield.exe
LegalCopyright : © 2004 Acronis. All rights reserved.
OriginalFilename : shield.exe

#:17 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1916
ThreadCreationTime : 9-3-2005 2:10:00 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:18 [schedhlp.exe]
FilePath : C:\Program Files\Common Files\Acronis\Schedule2\
ProcessID : 1924
ThreadCreationTime : 9-3-2005 2:10:00 PM
BasePriority : Normal
FileVersion : 1,0,0,207
ProductVersion : 1,0,0,207
ProductName : Acronis Scheduler Helper
CompanyName : Acronis
FileDescription : Acronis Scheduler Helper
InternalName : Scheduler Helper
LegalCopyright : Copyright © 2000-2004 Acronis
LegalTrademarks : Acronis
OriginalFilename : schedhlp.exe
Comments : Acronis Scheduler Helper

#:19 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 1932
ThreadCreationTime : 9-3-2005 2:10:00 PM
BasePriority : Normal
FileVersion : 5.1.0.28
ProductVersion : 5.1.0.28
ProductName : Realtek Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright © 2001-2004 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek AC97 Audio Sound Manager

#:20 [winampa.exe]
FilePath : C:\Program Files\Winamp\
ProcessID : 1940
ThreadCreationTime : 9-3-2005 2:10:00 PM
BasePriority : Normal


#:21 [daemon.exe]
FilePath : D:\D-Tools\
ProcessID : 2008
ThreadCreationTime : 9-3-2005 2:10:01 PM
BasePriority : Normal


#:22 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_06\bin\
ProcessID : 152
ThreadCreationTime : 9-3-2005 2:10:01 PM
BasePriority : Normal


#:23 [cli.exe]
FilePath : C:\Program Files\ATI Technologies\ATI.ACE\
ProcessID : 184
ThreadCreationTime : 9-3-2005 2:10:01 PM
BasePriority : Normal


#:24 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 232
ThreadCreationTime : 9-3-2005 2:10:02 PM
BasePriority : Normal
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:25 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 240
ThreadCreationTime : 9-3-2005 2:10:02 PM
BasePriority : Normal
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
ProductName : RealOne Player (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright ? RealNetworks, Inc. 1995-2002
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:26 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 404
ThreadCreationTime : 9-3-2005 2:10:02 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:27 [schedul2.exe]
FilePath : C:\Program Files\Common Files\Acronis\Schedule2\
ProcessID : 440
ThreadCreationTime : 9-3-2005 2:10:02 PM
BasePriority : Normal
FileVersion : 1,0,0,207
ProductVersion : 1,0,0,207
ProductName : Acronis Scheduler 2
CompanyName : Acronis
FileDescription : Acronis Scheduler 2
InternalName : Scheduler2
LegalCopyright : Copyright © 2000-2004 Acronis
LegalTrademarks : Acronis
OriginalFilename : schedul2.exe
Comments : Acronis Scheduler 2

#:28 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 348
ThreadCreationTime : 9-3-2005 2:10:02 PM
BasePriority : Normal
FileVersion : 1.03.4
ProductVersion : 1.03.4
ProductName : Event Manager
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:29 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 544
ThreadCreationTime : 9-3-2005 2:10:03 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:30 [stylexp.exe]
FilePath : C:\Program Files\TGTSoft\StyleXP\
ProcessID : 572
ThreadCreationTime : 9-3-2005 2:10:04 PM
BasePriority : Normal
FileVersion : 0, 21, 0, 0
ProductVersion : 0, 21, 0, 0
ProductName : StyleXP Application
FileDescription : StyleXP Application
InternalName : StyleXP
LegalCopyright : Copyright © 2001-2004 TGT Soft Corp
OriginalFilename : StyleXP.EXE

#:31 [navapsvc.exe]
FilePath : D:\Norton Anti Virus\
ProcessID : 944
ThreadCreationTime : 9-3-2005 2:10:04 PM
BasePriority : Normal
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:32 [iexplore.exe]
FilePath : c:\progra~1\intern~1\
ProcessID : 952
ThreadCreationTime : 9-3-2005 2:10:04 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

Lop Object Recognized!
Type : Process
Data : dzpcpjuz.exe
TAC Rating : 7
Category : Malware
Comment : (CSI MATCH)
Object : c:\docume~1\owner\locals~1\temp\


Warning! Lop Object found in memory(c:\docume~1\owner\locals~1\temp\dzpcpjuz.exe)

"c:\docume~1\owner\locals~1\temp\dzpcpjuz.exe"Process terminated successfully
Warning! "c:\progra~1\intern~1\iexplore.exe"Process could not be terminated!

#:33 [atirw.exe]
FilePath : C:\Program Files\ATI Multimedia\RemCtrl\
ProcessID : 1240
ThreadCreationTime : 9-3-2005 2:10:05 PM
BasePriority : Realtime
FileVersion : 2.2.0.0
ProductVersion : 2.2.0.0
ProductName : ATI Remote Wonder
CompanyName : ATI Technologies Inc.
FileDescription : ATI Remote Wonder
LegalCopyright : Copyright ? 2002-2003 ATI Technologies Inc.
OriginalFilename : ATIRW.EXE

#:34 [atidtct.exe]
FilePath : C:\Program Files\ATI Multimedia\main\
ProcessID : 1264
ThreadCreationTime : 9-3-2005 2:10:05 PM
BasePriority : Normal
FileVersion : 9.02.004
ProductVersion : 9.02
ProductName : ATI Multimedia Center
CompanyName : ATI Technologies Inc.
FileDescription : ATI Device Detection Application
InternalName : AtiDtct
LegalCopyright : Copyright ? 2003 ATI Technologies Inc.
OriginalFilename : AtiDtct.EXE

#:35 [nprotect.exe]
FilePath : D:\Norton Anti Virus\AdvTools\
ProcessID : 2024
ThreadCreationTime : 9-3-2005 2:10:09 PM
BasePriority : Normal
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
ProductName : Norton Utilities
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
LegalCopyright : Copyright © 2003 Symantec Corporation
LegalTrademarks : Norton Utilities
OriginalFilename : NPROTECT.EXE

#:36 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2260
ThreadCreationTime : 9-3-2005 2:10:11 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:37 [paamsrv.exe]
FilePath : C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\
ProcessID : 2300
ThreadCreationTime : 9-3-2005 2:10:11 PM
BasePriority : Normal


#:38 [symwsc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\Security Center\
ProcessID : 2344
ThreadCreationTime : 9-3-2005 2:10:11 PM
BasePriority : Normal
FileVersion : 2005.1.2.20
ProductVersion : 2005.1
ProductName : Norton Security Center
CompanyName : Symantec Corporation
FileDescription : Norton Security Center Service
InternalName : SymWSC.exe
LegalCopyright : Copyright © 1997-2004 Symantec Corporation
OriginalFilename : SymWSC.exe

#:39 [cli.exe]
FilePath : C:\Program Files\ATI Technologies\ATI.ACE\
ProcessID : 2484
ThreadCreationTime : 9-3-2005 2:10:15 PM
BasePriority : Normal


#:40 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3556
ThreadCreationTime : 9-3-2005 2:10:24 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft? Windows? Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : ? Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:41 [cli.exe]
FilePath : C:\Program Files\ATI Technologies\ATI.ACE\
ProcessID : 3960
ThreadCreationTime : 9-3-2005 2:10:30 PM
BasePriority : Normal


#:42 [firefox.exe]
FilePath : C:\Program Files\Mozilla Firefox\
ProcessID : 1748
ThreadCreationTime : 9-4-2005 3:38:28 AM
BasePriority : Normal


#:43 [wmplayer.exe]
FilePath : C:\Program Files\Windows Media Player\
ProcessID : 4044
ThreadCreationTime : 9-4-2005 3:50:00 AM
BasePriority : Normal
FileVersion : 10.00.00.3646
ProductVersion : 10.00.00.3646
ProductName : Microsoft® Windows Media Player
CompanyName : Microsoft Corporation
FileDescription : Windows Media Player
InternalName : WMPLAYER.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WMPLAYER.EXE

#:44 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 1648
ThreadCreationTime : 9-4-2005 4:22:51 AM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:45 [ad-aware.exe]
FilePath : C:\PROGRA~1\LAVASOFT\AD-AWA~2\
ProcessID : 1628
ThreadCreationTime : 9-4-2005 4:23:39 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright ? Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
??????????????????????????????????????
New critical objects: 1
Objects found so far: 1


Started registry scan
??????????????????????????????????????

Softomate Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 9
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{cabbb49a-4d7b-415b-8250-15c3b854e9ff}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{047e7d40-fd9b-483a-934b-361c2a581506}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1960408961-1614895754-839522115-1003\software\igor v. gunko\hyperbar

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\igor v. gunko\hyperbar

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-1960408961-1614895754-839522115-1003\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Windows Object Recognized!
Type : RegData
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Possible virus infection, REG file extension compromised
Rootkey : HKEY_CLASSES_ROOT
Object : regfile\shell\open\command
Value :
Data :

Registry Scan result:
??????????????????????????????????????
New critical objects: 6
Objects found so far: 7


Started deep registry scan
??????????????????????????????????????

Deep registry scan result:
??????????????????????????????????????
New critical objects: 0
Objects found so far: 7


Started Tracking Cookie scan
??????????????????????????????????????


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@revenue[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:owner@revenue.net/
Expires : 6-10-2022 1:05:42 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : owner@live365[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:owner@live365.com/
Expires : 9-7-2010 11:50:20 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
??????????????????????????????????????
New critical objects: 2
Objects found so far: 9



Deep scanning and examining files (C:)
??????????????????????????????????????

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : guest@live365[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Guest\Cookies\guest@live365[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : guest@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Guest\Cookies\guest@serving-sys[2].txt

SahAgent Object Recognized!
Type : File
Data : Uninstall.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\Program Files\INSTAFIN\



Disk Scan Result for C:\
??????????????????????????????????????
New critical objects: 0
Objects found so far: 12


Deep scanning and examining files (D:)
??????????????????????????????????????

Disk Scan Result for D:\
??????????????????????????????????????
New critical objects: 0
Objects found so far: 12


Deep scanning and examining files (H:)
??????????????????????????????????????

Disk Scan Result for H:\
??????????????????????????????????????
New critical objects: 0
Objects found so far: 12


Deep scanning and examining files (I:)
??????????????????????????????????????

Disk Scan Result for I:\
??????????????????????????????????????
New critical objects: 0
Objects found so far: 12


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
????????????????????????????????????????????????????????????????????????????

Hosts file scan result:
??????????????????????????????????????
1 entries scanned.
New critical objects:0
Objects found so far: 12




Performing conditional scans...
??????????????????????????????????????

Lop Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\downloadmanager

Lop Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\shellbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

Lop Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

Lop Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : AutoSearch

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0cbee0cc-8f2c-47ef-99a3-ed603eb17e7f}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{10fb9211-83c0-49b3-a780-4b6fbbade434}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{12d0b72f-e3e1-4031-8c7e-0ae5dd2bf85a}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{2c1b2722-1d57-448d-bb11-d3bf81afb3b5}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{4978ec50-10e6-4733-bec0-01c06eb24513}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{5c1ddaac-b007-40e4-9854-322492ad2b58}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{6e73fdab-e391-48af-8646-84921587858a}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{7e10cc6d-fce6-49bc-a4cb-5b9b2e3e83d0}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{80be027b-759a-4938-9b1e-e6988654dac4}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{88d43288-6fef-4202-8d87-bd992d1f602f}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{89abaf9e-2c51-47a3-93d3-d563eaf847b0}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{9e37cb08-105a-4b32-a0de-05fe4f66322e}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a702688f-e3e0-406a-bb3e-ed2ca4f7f563}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c1419f7e-f0b8-4781-9d62-f307fc010ed6}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{d9a25182-7a92-4511-8981-f4414744da94}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{e299bc64-1c1b-4f91-b3f4-1b8537bf5ecd}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f3aeee73-9116-48ed-8212-5e49eabe0050}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f8c39983-cefc-4bd4-bd29-659e4e1d31e1}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f97b6539-dbce-4751-8b73-5bb6502ec4c8}

Startnow.Hyperbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\igor v. gunko

SahAgent Object Recognized!
Type : Folder
TAC Rating : 9
Category : Data Miner
Comment : SahAgent
Object : C:\Program Files\INSTAFIN

SahAgent Object Recognized!
Type : File
Data : vp.dat
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\



SahAgent Object Recognized!
Type : File
Data : v.dat
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\



Conditional scan result:
??????????????????????????????????????
New critical objects: 27
Objects found so far: 39

12:41:17 AM Scan Complete

Summary Of This Scan
??????????????????????????????????????
Total scanning time:00:16:58.359
Objects scanned:175664
Objects identified:39
Objects ignored:0
New critical objects:39

NOTE: that the adware log is the one from the new verion I just downloaded so it caught more than the old one

Please take as MUCH time as you need, I would really like for this problem to be solved once and for all.

Thankyou

Mr. 3000

[Autodad]

Hi Mr.3000,

Please put Hijackthis.exe in a Permanent folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
This will allow backups to be made and saved By hijackthis in case something goes wrong.
Follow this link http://home.planet.n...-planation.html if you need help.

This is needed to be done as we are going to delete the contents of theTemp folder that has HJT.exe!
___________

To clean your temp folder, recycle bin, etc..please download this free tool:
CCleaner
It will put a shortcut on your Desktop.
Click on CCleaner to start it. Then click "Run Cleaner".
Then Reboot (Exit).

_ _ _ _

Set Windows to view hidden and system files:
Open the Windows Explorer | Tools | Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

After you're cleaned, please "rehide" them again.
____________

Follow this link to see if NewDotNet is still on your system:
http://www.newdotnet.com/removal.html

While still in Add/Remove Programs, remove:

SpyWare Shield

As it is listed as a Rogue/Suspect Anti-Spyware Product:
http://www.spywarewa...nti-spyware.htm
_ _ _ _

Download LSPFix from here or get the .zip file here
Then open it. newdotnet3_88.dll might be in the "Remove" pane already.
If it is, just click Finish..then reboot.

If it isn't in the remove pane;
Check the box next to "I know what I'm doing".
Click on all instances of 'newdotnet3_88.dll'. (and nothing else)
Then click the right-pointing arrows ( >> ) to send newdotnet3_88.dll to the Remove pane.
Next, click Finish
Then reboot.
_ _ _ _

Open Hijackthis, click Scan, then put a check next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.adiadorld.../JVIsUtSU/.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://umuiusqzuvjkv...5jQ0ewpPiU.html

R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O4 - HKLM\..\Run: [SpyWare Shield] "C:\Program Files\Acronis\PrivacyExpert\Shield.exe"
O4 - HKLM\..\Run: [option send slow axis] C:\Documents and Settings\All Users\Application Data\Inside Hide Option Send\oozenew.exe
O4 - HKCU\..\Run: [baseaxis] C:\DOCUME~1\Owner\APPLIC~1\CLOSEB~1\SiteReadme.exe

O8 - Extra context menu item: &Search - http://bar.mywebsear...earch.html?p=ZS

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunboun...Crypt/npkcx.cab



Now Close all open Windows and browsers (have only HJT open) and click "Fix Checked".


Then, reboot to Safe mode (tap F8 while restarting), and delete these folders in bold:

C:\Documents and Settings\All Users\Application Data\Inside Hide Option Send\

C:\Documents and Settings\Owner\Application Data\CLOSEB~1\ <-- there will be more of a name here, but the folder starts with CLOSEB, and contains the file SiteReadme.exe

Then reboot normally.

I see you have one or more items disabled via Msconfig, in your last HJT log.
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
Did you use "Selective Startup" to get to Safe Mode?
If this is one of the items you were troubleshooting relating to your problem, you need to enable that entry, as HijackThis can not "see" disabled Startup (tab) items, reboot and rescan with HijackThis. Otherwise ignore.

[Mr.3000]

Many thanks to you sir for your time in getting this problem fixed. I had almost lost all hope in trying to get this fixed. About the selective start up, no, I did not use selective startup to boot into safe mode, I booted normally (tapping F8). Once again I thankyou so very much for making this problem go away.


Here is the log file of hijackthis after 'cleaning' my machine

Logfile of HijackThis v1.99.1
Scan saved at 11:51:36 PM, on 9/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
D:\D-Tools\daemon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Norton Anti Virus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Messenger\msmsgs.exe
D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ksalcbfhe...n/JVIsUtSU/.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton Anti Virus\NavShExt.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton Anti Virus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Advanced Tools Check] D:\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Norton Anti Virus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Please just go through it to make sure that everything is 'up to par' and nothing seems to be out of the ordinary.

[Autodad]

Hi Mr.3000,

You're welcome.

Try doing this in Safe mode.
Reboot to Safe mode (tap F8 while restarting).


Open Hijackthis, click Scan, then put a check next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ksalcbfhe...n/JVIsUtSU/.php

R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)


Now Close all open Windows (have only HJT open) and click "Fix Checked".

Then reboot normally.

Let's take a look to see if there is a reason for the R1 entry to return.
Open Notepad, copy and paste the Quote below, "Save As" findjobs.bat Save it to your desktop.
In the "Save as type" select: All files.

dir %Windir%\tasks /a h > files.txt
notepad files.txt

Next: Doubleclick on findjobs.bat and post the content of the .txt file you get in your next reply.

And please post a new HJT log.

[Mr.3000]

Sorry It has taken me this long to reply back to you sir. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:34:20 PM, on 9/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Norton Anti Virus\navapsvc.exe
D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
D:\D-Tools\daemon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zlvnbjijz..._Y0NHsKT4l.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lkonfognq...UrKLrVA5zsY.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton Anti Virus\NavShExt.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O2 - BHO: (no name) - {FACBA344-3714-0B6D-5898-51E0536B2C00} - C:\DOCUME~1\Owner\APPLIC~1\BlahIso\rule cash.exe
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton Anti Virus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Advanced Tools Check] D:\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [option send slow axis] C:\Documents and Settings\All Users\Application Data\Inside Hide Option Send\Dent view.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [baseaxis] C:\DOCUME~1\Owner\APPLIC~1\CLOSEB~1\SiteReadme.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Norton Anti Virus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

And this is the 'log' from findjobs.bat

Volume in drive C is OS
Volume Serial Number is 4141-0163

Directory of C:\WINDOWS\tasks

09/10/2004 01:40 AM <DIR> .
09/10/2004 01:40 AM <DIR> ..
03/31/2003 08:00 AM 65 desktop.ini
09/12/2005 09:24 PM 6 SA.DAT
09/02/2005 12:00 PM 446 Norton AntiVirus - Scan my computer.job
09/12/2005 05:48 PM 364 Symantec NetDetect.job
09/12/2005 09:00 PM 266 AEE34B0F91ACC9BB.job
09/12/2005 09:00 PM 266 A8F3842091B835D4.job
6 File(s) 1,413 bytes

Directory of C:\Documents and Settings\Owner\Desktop

[Autodad]

Hi Mr.3000,

No need to apologize.
Hmm....
C:\Program Files\MessengerPlus! 3\MsgPlus.exe

At least we know why you still have the LOP infection.
That wasn't showing in your previous logs.

LOP is installed when you get "Messenger Plus 3".
The proper way to remove it is to Uninstall "Messenger Plus 3".
Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"
and Remove "Messenger Plus 3".
If you insist on using "Messenger Plus 3" reinstall without the "Sponsor Software"
Note: Sponsor Software = C2Media\LOP (parasite) [mysearchnow.com]

This link explains more, if needed:
http://inetexplorer....answers/43.html
_______

After you remove Messenger Plus 3...

Open Notepad copy and paste the Quote below, "Save As" remjob.bat Save it to your desktop.
In the "Save as type" select: All files.

%systemdrive%
cd C:\WINDOWS\Tasks
attrib -r -s -h AEE34B0F91ACC9BB.job
del AEE34B0F91ACC9BB.job
attrib -r -s -h A8F3842091B835D4.job
del A8F3842091B835D4.job

Then doubleclick on remjob.bat. A dos window will open and close again, this is normal.

Afterwards, doubleclick on findjobs.bat again and paste the content of the .txt file you get in your next reply.

Then post a new HJT log also....

[Mr.3000]

Here is what you asked for sir:

Findjob.bat 'log'

Volume in drive C is OS
Volume Serial Number is 4141-0163

Directory of C:\WINDOWS\tasks

09/10/2004 01:40 AM <DIR> .
09/10/2004 01:40 AM <DIR> ..
03/31/2003 08:00 AM 65 desktop.ini
09/12/2005 09:24 PM 6 SA.DAT
09/02/2005 12:00 PM 446 Norton AntiVirus - Scan my computer.job
09/12/2005 09:48 PM 364 Symantec NetDetect.job
4 File(s) 881 bytes

Directory of C:\Documents and Settings\Owner\Desktop


HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 10:54:32 PM, on 9/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Norton Anti Virus\navapsvc.exe
D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
D:\D-Tools\daemon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sqxvbyeho..._Y0NHsKT4l.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton Anti Virus\NavShExt.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton Anti Virus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Advanced Tools Check] D:\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\Owner\LOCALS~1\Temp\MsgPlusUninst.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Norton Anti Virus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Thankyou :thumbup:

[Autodad]

Hi Mr.3000,

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make. It can be enabled when your clean.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
___________

Open Hijackthis, click Scan, then put a check next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sqxvbyeho..._Y0NHsKT4l.html

R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\Owner\LOCALS~1\Temp\MsgPlusUninst.bat"


Now Close all open Windows and browsers (have only HJT open) and click "Fix Checked".


Then reboot.

Run HJT again, and if any of the same entries above are showing, try "fixing" them in Safe mode.


Download:Registry Search Tool (RegSrch.zip) [freeware]
http://billsway.com/vbspage/

To use: unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run.

Next: (type) {EA756889-2338-43DB-8F07-D1CA6FB9C90D} and wait, you will get a prompt to open the results in Wordpad.

Copy and paste the contents in your next message.

After the above, repeat and enter:
{00A6FAF6-072E-44cf-8957-5838F569A31D}

And please post a new HJT log also.

[Mr.3000]

Hello sir,

These are the RegSrch.vbs 'logs'

Log for registry key: {EA756889-2338-43DB-8F07-D1CA6FB9C90D}

REGEDIT4
; RegSrch.vbs ? Bill James

; Registry search results for string "{EA756889-2338-43DB-8F07-D1CA6FB9C90D}" 9/13/2005 8:11:31 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1960408961-1614895754-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D}"=""

------------------------------------------------------------------------------------------------------------------------

Log2: {00A6FAF6-072E-44cf-8957-5838F569A31D}

REGEDIT4
; RegSrch.vbs ? Bill James

; Registry search results for string "{00A6FAF6-072E-44cf-8957-5838F569A31D}" 9/13/2005 8:13:57 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1960408961-1614895754-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D}"=""


HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:23:48 AM, on 9/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Norton Anti Virus\navapsvc.exe
D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
D:\D-Tools\daemon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton Anti Virus\NavShExt.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton Anti Virus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Advanced Tools Check] D:\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Norton Anti Virus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

[Autodad]

Hello Mr.3000,

Copy the contents of the code box to Notepad.
Name the file Search hooks.reg
Save as Type : all files
Then save it to your Desktop

Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-1960408961-1614895754-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_USERS\S-1-5-21-1960408961-1614895754-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}"=""

[HKEY_USERS\S-1-5-21-1960408961-1614895754-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00A6FAF6-072E-44cf-8957-5838F569A31D}"=""

Close all internet Related programs
Double click on Search hooks.reg and say yes to the prompt.

Then reboot and please post a new HJT Log.

[Mr.3000]

I've been rather busy, so please bare with me in how long it takes for me to reply .....



Logfile of HijackThis v1.99.1
Scan saved at 11:51:41 PM, on 9/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Norton Anti Virus\navapsvc.exe
D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
D:\D-Tools\daemon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton Anti Virus\NavShExt.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton Anti Virus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Advanced Tools Check] D:\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Norton Anti Virus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

[Autodad]

Hi Mr.3000,

Don't give it a thought. Reply whenever you want. :)


You need to disable Microsoft AntiSpyware....


Reboot to Safe mode (tap F8 while restarting).

Open Hijackthis, click Scan, then put a check next to the following entries:

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)


Now Close all open Windows (have only HJT open) and click "Fix Checked".


Then reboot normally and please post a new HJT log.

[Mr.3000]

Logfile of HijackThis v1.99.1
Scan saved at 3:41:01 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
D:\D-Tools\daemon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Norton Anti Virus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Messenger\msmsgs.exe
D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton Anti Virus\NavShExt.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton Anti Virus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Advanced Tools Check] D:\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Norton Anti Virus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Norton Anti Virus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

[Autodad]

Hi Mr.3000,

Opps! I missed one:


Open Hijackthis, click Scan, then put a check next to the following entry:

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab

Now Close all open Windows and browsers (have only HJT open) and click "Fix Checked".

Then reboot.

Other than that, your log looks clean.

If you're not having any problems, then here are some suggestions to clean/protect your PC:
(Some may be redundant, so only use those that apply...)

I recommend that you get AdAware SE
Install The Program and Run it. Make Sure You Click the "Check for Updates" Button before starting a scan.
Do a scan with AdAware and Remove Everything it suggests.

Then, also get Spybot: Search and Destroy
Check for Updates first, download ALL Updates and Do a Scan.
When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

Keep them updated, and run them periodically.
_ _ _ _ _

Then click Start | Run (type) cleanmgr
Select the following:
1) Temporary Internet Files
2) Recycle Bin
3) Temporary Files

When completed Reboot.
_ _ _ _ _

Also go to Windows Update to keep up on all the latest security patches that apply to your PC.
Check Windows' Update site frequently, as new patches come out often. You don't need to install all the updates offered, but ALWAYS get the latest security updates available.
_ _ _ _ _

Then, it is not an option these days to be on the internet without and Updated Anti-Virus. If you have one, check it for updates frequently (or set it to "Auto" update). If you don't have one, or can't afford one, a good free one to use is AVG .
Have a look at this link: http://www.mvps.org/...lp2002/avg7.htm

Just as it is important to have an updated Anti-virus, it's equally important to have a Firewall these days. Again, if you can't afford one, this is a good free one:

Sygate Personal Firewall.
_ _ _ _ _

Then I recommend you clean out your System Restore
Doing this will remove all your restore points, and any infections that might be hanging in there.

Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives".
Click Apply.
Click Yes to do this.
Click OK.
Then Restart your computer.

After you have restarted, turn System Restore back on:
Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Click Apply, and then click OK.

Then create a new restore point once you have System Restore back on.
To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.
When the System Restore Utility opens, click "Create a Restore Point" then click Next.
Enter a name for this Restore Point, and click Create.
_ _ _ _ _

Here is a link that explains how to Clear Out Forgotten Programs, Free Up Wasted Space, Defragment Your Computer, etc...

http://www.microsoft...estoreperf.mspx
_ _ _ _ _

Here are some good links to follow to make your Internet Explorer more secure:

http://www.mvps.org/.../restricted.htm
http://mvps.org/winh...02/unwanted.htm
_ _ _ _ _

Here is some free protection you should also consider:
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Check them for updates occasionally.


And also see So how did I get infected in the first place?

Let us know if you have any concerns,

Stay safe!

[Mr.3000]

Many thanks to you Autodad for going out of your way and helping me clear up this 'mess' on my computer, I can now sleep peacfully tonite without having to worry about any potential infections.

Take care eveyone,

Mr.3000 ;)