marathonman330
asked on
Need help cleaning DriveCleaner
I am getting a popup on a Win XP PC that tries to get the user to purchase DriveCleaner. I would appreciate help with what specific removal tool to use. Below is the hijackthis log. Thank you.
Logfile of HijackThis v1.99.1
Scan saved at 5:11:16 PM, on 2/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\psmcsh.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1148602157\ee\AOLSoftware.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\msiexec.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [847FAF9D] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148602157\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ovfswxqa.dll",setvm
O4 - HKLM\..\RunOnce: [isDeleteMe] "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\isDel.bat"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Bennett Spunky Mon'\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136953563031
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Print Spooler Service (xnctyur5toasoeee) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe (file missing)
marathonman330,
I ran an analysis of your HijackThis log at http://hijackthis.de then saved the result and posted a link to the result here.
http://hijackthis.de/logfiles/d7af53e2f9de34f806de463a7df1c983.html
1. Delete this file
C:\WINDOWS\system32\psmcsh.exe
If you cannot delete it, use Killbox or Unlocker in Safe Mode to remove hard-to-remove files.
Killbox to remove stubborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html
2. Uninstall Viewpoint software from Add/Remove Programs.
Uninstall Optimum Online or Netsurf from Add/Remove Programs.
3. Check the box next to the following items and have HijackThis "Fix Checked".
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [847FAF9D] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ovfswxqa.dll",setvm
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Bennett Spunky Mon'\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Print Spooler Service (xnctyur5toasoeee) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe (file missing)
You're heavily infected plus some nasties are still hiding from the scan.
Can you please rename HijackThis.exe to something else? The hidden nasty is monitoring the "hijackthis.exe" process, that's why it's not showing in your log.
Rename HijackThis and show us the logfile of the renamed "hijackthis.exe", or use the already renamed one below:
http://danborg.org/spy/hjt/alternativ.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
ASKER
Whenever I try to boot into Safe Mode, the screen is blank and my monitor gives me a message to Please Check PC Display Settings. I have tried going in hitting F8, etc. and by going into System Config Utility - boot.ini - /safeboot - minimal. I have also tried 3 different monitors. I keep having to shutdown Windows with the power button and am worried this may be causing corruption. Could the spyware/adware on here be preventing me from going into Safe Mode?
SDFix has to be run in Safe Mode, so don't worry about that for now.
OK, can you please give us the log of the renamed hijackthis first.
ASKER
Here it is. Thank you.
Logfile of HijackThis v1.99.1
Scan saved at 10:05:33 PM, on 2/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\psmcsh.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\rsbmsc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1148602157\ee\AOLSoftware.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\hijackthis\alternativ.exe
C:\Program Files\HP\Digital Imaging\bin\cdrfinder.exe
C:\Program Files\HP\Digital Imaging\bin\ImageZoneSynchRulesAgent.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02BA0397-E558-416A-BC96-888B9CFEC51A} - C:\WINDOWS\system32\ddccc.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\ovdjvbxf.dll
O2 - BHO: (no name) - {90F28AF0-2CE4-487E-8B90-A578B7C4C417} - C:\WINDOWS\system32\awtturo.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148602157\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ovfswxqa.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [847FAF9D] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\RunServices: [847FAF9D] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Bennett Spunky Mon'\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136953563031
O20 - Winlogon Notify: awtturo - C:\WINDOWS\SYSTEM32\awtturo.dll
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Print Spooler Service (xnctyur5toasoeee) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
Vundo and ConHook are showing in your log file.
Please run VundoFix.exe, and if VundoFix doesn't find any files, then run VirtumundoBeGone.exe, which I mentioned in my other post;
then we'll clean up the rest afterwards.
If those fail then we'll use Avenger to take care of the files.
ASKER
Here is the HijackThis log (after running VundoFix), followed by the VundoFix report. Thank you!
Logfile of HijackThis v1.99.1
Scan saved at 10:45:53 PM, on 2/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\psmcsh.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rsbmsc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1148602157\ee\AOLSoftware.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\hijackthis\alternativ.exe
C:\Program Files\HP\Digital Imaging\bin\ImageZoneSynchRulesAgent.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02BA0397-E558-416A-BC96-888B9CFEC51A} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\ovdjvbxf.dll (file missing)
O2 - BHO: (no name) - {90F28AF0-2CE4-487E-8B90-A578B7C4C417} - C:\WINDOWS\system32\awtturo.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148602157\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [847FAF9D] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\RunServices: [847FAF9D] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Bennett Spunky Mon'\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136953563031
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Print Spooler Service (xnctyur5toasoeee) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
VUNDOFIX
VundoFix V6.3.5
Checking Java version...
Java version is 1.4.2.3
Scan started at 10:34:05 PM 2/3/2007
Listing files found while scanning....
C:\Documents and settings\HP_Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\HP_Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\system32\aqxwsfvo.ini
C:\WINDOWS\system32\awtturo.dll
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\cccdd.ini2
C:\WINDOWS\system32\cccdd.tmp
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\iquhgtmk.exe
C:\WINDOWS\system32\ovdjvbxf.dll
C:\WINDOWS\system32\ovfswxqa.dll
Beginning removal...
Attempting to delete C:\Documents and settings\HP_Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\HP_Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!
Attempting to delete C:\Documents and settings\HP_Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\HP_Administrator\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!
Attempting to delete C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\Program Files\VSAdd-in\VSAdd-in.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\aqxwsfvo.ini
C:\WINDOWS\system32\aqxwsfvo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\awtturo.dll
C:\WINDOWS\system32\awtturo.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\cccdd.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\cccdd.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\cccdd.ini2
C:\WINDOWS\system32\cccdd.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cccdd.tmp
C:\WINDOWS\system32\cccdd.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\ddccc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iquhgtmk.exe
C:\WINDOWS\system32\iquhgtmk.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\ovdjvbxf.dll
C:\WINDOWS\system32\ovdjvbxf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ovfswxqa.dll
C:\WINDOWS\system32\ovfswxqa.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awtturo.dll
C:\WINDOWS\system32\awtturo.dll Has been deleted!
Performing Repairs to the registry.
Done!
Okay, good, Vundo and ConHook are gone.
But you're not done yet. Now see if you can run SDFix in Safe Mode, because you still have the SDBot worm there. If you still can't, then we'll cripple the infection a little by using Avenger to delete the SDBot file.
We'll clean up the HijackThis entries after.
ASKER
I still can't boot into Safe Mode for some mysterious reason. How do I clean SDBot with Avenger and what should I do with hijackthis? Thank you.
Have you tried using System Restore? Sorry if this has been mentioned; I didn't re-read everything that's been posted.
Not being able to boot into Safe Mode could also be because the key below has been damaged. I have a .reg file that fixes or restores the default SafeBoot key, if you want to try that.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
ASKER
After all the cleaning and uninstalling I've done already (not all of it mentioned here) I don't want to do System Restore now. I'm interested in any possible fixes for the Safe Mode issue or just how to finish up the cleaning without going into Safe Mode. Thank you.
If it were just an SDBot variant, I'd help you clean it up manually without SDFix,
but this entry in your log is HackerDefender, so I'm counting on SDFix to do the job:
O23 - Service: Print Spooler Service (xnctyur5toasoeee) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
I'll upload safeboot.zip, and you can then run that to fix the SafeBoot key. This is only for XP with SP2.
Safebootfix.zip uploaded. Direct link to the file:
https://filedb.experts-exchange.com/incoming/ee-stuff/2328-Safebootfix.zip
ASKER
I still can't boot into Safe Mode. As described above, there is some kind of display issue that no one in the world has ever seen or knows how to resolve. I need to return this PC to its owner tomorrow, so we just need to do our best to clean this up. Thank you for all your help.
Okay, in the absence of SDFix, the next best thing is Dr.Web CureIt, and also SuperAntiSpyware; these 2 scanners are good.
You can uninstall these not recommended programs:
MyWebSearch
Optimum Online <-- not recommended but he probably installed it.
Viewpoint Manager
Then go Start > Run > type in
cmd
press Enter
type each of these commands pressing Enter after each:
sc stop PrntCSh
sc delete PrntCSh
sc stop xnctyur5toasoeee
sc delete xnctyur5toasoeee
Then delete or Killbox these files:
C:\WINDOWS\system32\rsbmsc.exe
C:\WINDOWS\System32\psmcsh.exe
Then fix these entries in Hijackthis, some will not be present don't worry:
O2 - BHO: (no name) - {02BA0397-E558-416A-BC96-888B9CFEC51A} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\ovdjvbxf.dll (file missing)
O2 - BHO: (no name) - {90F28AF0-2CE4-487E-8B90-A578B7C4C417} - C:\WINDOWS\system32\awtturo.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [847FAF9D] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\RunServices: [847FAF9D] C:\WINDOWS\system32\rsbmsc.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\System32\psmcsh.exe
O23 - Service: Print Spooler Service (xnctyur5toasoeee) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
Then these 2 scanners should clean whatever is left behind:
1. Download and install Dr.Web CureIt:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
to your desktop.
Double-click "drweb-cureit.exe" and click "OK" in the prompt window that opens, asking "Start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done",
click on the green screwdriver.
Actions tab: Adware, Dialers, Riskware, Hacktools: use the dropdown menu and select Delete.
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.
After the scan, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer! It is possible that files in use will be moved/deleted during the reboot.
After the reboot, post the contents of the Dr.Web log you saved previously in your next reply.
2. http://www.superantispyware.com/
last but not least:
A very good temp folder cleaner; it cleans all users' temp folders.
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
Reboot your computer into Safe Mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
(If you use Firefox or the Opera browser, to keep saved passwords click No at the prompt.)
It's normal after running ATF cleaner that the PC will be slower to boot the first time.
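As an added example (not from the original thread, and not a feature of HijackThis or of any tool named above): a small Python triage script that applies the checks the two answers above rely on to log lines of the kind posted in this thread. It flags orphaned "(file missing)" BHO/toolbar registrations and Winlogon Notify DLLs with random names (the Vundo/ConHook indicators called out after the first log), a Run value named with eight hex digits, and "Unknown owner" services in system32 that masquerade as the Print Spooler (the SDBot/HackerDefender entries that the sc stop / sc delete steps remove), then prints the same cmd.exe sequence. The sample log is constructed from lines copied out of this thread; the Winlogon Notify allowlist, the regexes and every heuristic are assumptions made for this example and should be tuned before you rely on them.

```python
"""Triage a HijackThis 1.99 log for the indicators this thread acts on.

Added example; not part of the original post and not a HijackThis feature.
Every heuristic and the Winlogon Notify allowlist are assumptions made for
illustration: they encode what the expert above flagged, nothing more.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted above plus a few
# known-good entries, so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02BA0397-E558-416A-BC96-888B9CFEC51A} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [847FAF9D] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\RunServices: [847FAF9D] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: awtturo - C:\WINDOWS\SYSTEM32\awtturo.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Print Spooler Service (xnctyur5toasoeee) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
O23 - Service: Print Client Share (PrntCSh) - Unknown owner - C:\WINDOWS\system32\psmcsh.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Winlogon Notify packages on a stock XP SP2 box plus the Intel graphics one
# seen in this log. Assumed allowlist: anything else loads a DLL into
# winlogon.exe and deserves a look (Vundo's random-named DLLs live here).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

RE_O2O3 = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<internal>[^()]+)\))?"
                    r" - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    key: str            # CLSID, Run value name, Notify package or service name
    path: str
    reasons: list[str] = field(default_factory=list)


def looks_generated(name: str) -> bool:
    """Long lowercase blob with digits wedged between letters (xnctyur5toasoeee).
    Weak signal on its own."""
    return len(name) >= 12 and re.fullmatch(r"[a-z]+\d+[a-z]+", name) is not None


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, with every reason it tripped."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_O2O3.match(line):
            f = Finding(line[:2], m["clsid"].upper(), m["path"])
            if "(file missing)" in m["path"]:
                f.reasons.append("orphaned BHO/toolbar registration, DLL already removed")
        elif m := RE_O4.match(line):
            f = Finding("O4", m["name"], m["cmd"])
            if re.fullmatch(r"[0-9A-F]{8}", m["name"]):
                f.reasons.append("Run value named with 8 hex digits, not a product name")
            if m["key"].lower() == "runservices":
                f.reasons.append("RunServices is a Win9x/Me key; XP installers do not write it")
        elif m := RE_O20.match(line):
            f = Finding("O20", m["name"], m["path"])
            if m["name"].lower() not in KNOWN_NOTIFY:
                f.reasons.append("Winlogon Notify package not on allowlist")
        elif m := RE_O23.match(line):
            f = Finding("O23", m["internal"] or m["display"], m["path"])
            if m["owner"] == "Unknown owner" and "\\system32\\" in m["path"].lower():
                f.reasons.append("no vendor in version info and binary dropped in system32")
            if "spooler" in m["display"].lower() and not m["path"].lower().endswith("spoolsv.exe"):
                f.reasons.append("display name mimics Print Spooler but binary is not spoolsv.exe")
            if looks_generated(f.key):
                f.reasons.append("service name looks machine-generated")
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


def remediation_commands(findings: list[Finding]) -> list[str]:
    """The cmd.exe sequence the thread uses: unregister rogue services first,
    then delete their binaries. A file still held open by a running process
    will not delete; that is what Killbox's delete-on-reboot is for."""
    cmds: list[str] = []
    files: list[str] = []
    for f in findings:
        if f.section == "O23":
            cmds += [f"sc stop {f.key}", f"sc delete {f.key}"]
            files.append(f.path)
    cmds += [f'del /f "{p}"' for p in dict.fromkeys(files)]
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section} {f.key}: {'; '.join(f.reasons)}")
    print("\n".join(remediation_commands(found)))
```

Run it as a plain script and it prints six findings for the sample (the ddccc.dll BHO, both 847FAF9D Run values, the awtturo Notify package, and the two unknown-owner services) followed by the sc stop / sc delete / del lines. Two caveats a practitioner should keep in mind: "Unknown owner" alone is a lead, not a verdict (in this same log SecuROM's UAService7.exe has no vendor string either, and the expert left it alone), and the del of rsbmsc.exe will fail while the copy started from the Run key is still executing, which is exactly why the thread falls back to Killbox.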
ASKER
Success! Thank you for all your help.
No problem, glad to assist, thank you!
Did you manage to fix the safe mode problem as well? just curious.
ASKER
No, I didn't fix the safe mode issue. That one will remain a mystery. Thanks again.
You may have a variation of SmitFraud. Run SmitFraudFix to remove the banner:
http://www.geekstogo.com/forum/index.php?showtopic=109268
OR
http://siri.geekstogo.com/SmitfraudFix.zip
I will look at your HijackThis log.
Best wishes!